Last Updated: 2026-05-28

Flexera's Corporate Security Controls are distinct from its Production Security Controls. Corporate Security Controls focus on safeguarding Flexera's internal systems, data, and operations, not customer environments and data.
Flexera maintains a separation of concerns between Corporate and Production Security Operations to minimize the impact of an incident in either domain.
Flexera maintains a full set of global security policies aligned with ISO27001:2022 domains. The security policies are approved by management and communicated to the relevant target audience using the company's Intranet.
Flexera's policies are reviewed annually for consistency with the organization's risk mitigation strategy and updated as necessary for changes in the strategy and the underlying processes and infrastructure. Employees acknowledge compliance with the security policies relevant to their roles and job descriptions.
Flexera maintains an organization‑wide risk management program to identify, assess, and mitigate information security risks. Regular risk assessments are conducted using a documented methodology, and identified risks are reviewed, prioritized, and addressed through appropriate mitigation actions.
Security risks are reassessed when significant system, process, or data usage changes occur. Residual risks are evaluated by leadership, and insurance coverage aligned to these risks is reviewed annually, supporting Flexera’s ongoing security and operational resilience.
Security assessments are carried out for new vendors of IT services as part of the procurement process. The security assessments cover the security posture of the vendor and the security aspects of the product/service to be purchased, including the security of any integrations. A security risk rating is defined, and high-risk vendors undergo annual security assessments.
Security requirements are included in third party agreements/contracts.
Flexera maintains HR security practices to ensure personnel with access to systems, facilities, and data are appropriately vetted, aware of their responsibilities, and supported by ongoing training.
Employees and contractors receive security awareness training during onboarding, with periodic refreshers, and acknowledge Information Security Standards and confidentiality obligations. Background checks are carried out in accordance with applicable laws and are determined by the specific requirements of each role.
Access is provisioned according to least‑privilege principles and job responsibilities, reviewed upon role changes, and promptly revoked upon separation.
Documented onboarding and offboarding procedures, access reviews, and training attestations help reduce insider risk and protect customer and company information.
Flexera is committed to fostering a strong security culture across the organization. All employees receive comprehensive security awareness training during onboarding to ensure they understand their responsibilities in protecting company and customer information. This training covers essential security practices, including data handling, password security, phishing awareness, and reporting security incidents.
Flexera maintains employee engagement, awareness, and initiative in protecting systems, data, and customer trust by providing ongoing education and reinforcement. The annual refresher awareness sessions reinforce key concepts, highlight evolving threats, and ensure employees remain informed about current security policies and best practices.
Flexera also delivers targeted training based on job roles to ensure personnel with elevated access or specialized responsibilities understand the security controls relevant to their functions.
Flexera has defined and implemented controls related to physical and environmental security for both corporate offices and data centres. Controls are in place for perimeter security and physical monitoring, access control for employees and visitors, clean desk policy, etc.
All data centres utilized by Flexera comply with the requirements for location, facility structure, access control, intrusion protection, environmental controls, cable security and equipment maintenance.
Flexera applies a structured information classification program to ensure that data is appropriately identified and protected based on its sensitivity. Information is categorized according to the potential impact of unauthorized access or disclosure, and each classification level includes defined handling requirements.
Customer Classified Information receives heightened protection through restricted access, secure storage, and encryption during electronic transmission.
Employees are trained to handle classified information responsibly and in accordance with Flexera’s policies. Flexera regularly reviews its classification practices to ensure alignment with business needs and industry standards.
Flexera maintains an inventory of its hardware and software assets to support effective security and operational oversight. This inventory documents key asset attributes, including identification, ownership, usage, location, and configuration.
Flexera documents baseline system and security configurations for its technology assets to ensure consistency and security. Approved configuration changes for hardware and software components are recorded to support traceability and secure system operations.
Asset information and configuration documentation are maintained to help ensure technology assets are appropriately managed throughout their lifecycle and aligned with Flexera’s security and operational standards.
Flexera implements strict access control measures to ensure that only authorized individuals can access systems, data, and network resources. These controls safeguard Customer Classified Information and enforce secure user behavior across all environments.
Access to Flexera facilities, secure areas, systems, and networks is granted only to authorized employees, contractors, and users with a legitimate business need. All access requires positive identification and authentication before use.
Access privileges follow the principle of least privilege, granting only what is necessary for job duties. Users must authenticate again when performing elevated or administrative actions.
Passwords, PINs, and authentication data are encrypted, delivered confidentially, and changed at first use. Default, temporary, and reset passwords are unique and must be modified upon first login.
Accounts suspected or confirmed as compromised are disabled within 24 hours. Access for terminated users is removed promptly, and shared credentials are rotated within 72 hours. User access privileges are reviewed regularly and during role or title changes.
Users are trained on secure password practices and the importance of protecting login credentials. Users must not leave devices or systems unattended while logged in.
Only authorized individuals may access Flexera’s internal network. All remote and wireless access sessions use secure, encrypted network protocols. Remote access requires multi‑factor authentication (MFA) via password + one‑time security code.
Diagnostic or support access does not grant administrative privileges without explicit approval. User systems may not bridge or route traffic between networks.
Authentication is required for all systems and in-scope applications. Authorization is tied to the user's role and approved privileges.
Passwords meet strong requirements (minimum length, complexity, rotation every 90 days, and prevention of reuse of the previous 24 passwords). Accounts are locked after repeated failed attempts and must be unlocked through a secure procedure. Passwords are never displayed in readable form and must be changed if compromise is suspected.
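The password controls in that paragraph can be enforced mechanically. The following is an added illustration (not Flexera's code) of a minimal account model that applies the 90-day rotation, the 24-password history, and lockout after repeated failures; the minimum length (12), lockout threshold (5), PBKDF2 work factor and the use of integer day counts are assumptions, since the page states no values for them.

```python
import hashlib
import hmac
import os
ROTATION_DAYS = 90        # from the policy: rotation every 90 days
HISTORY_DEPTH = 24        # from the policy: the last 24 passwords may not be reused
MIN_LENGTH = 12           # assumption: the page states no minimum length
MAX_FAILED_ATTEMPTS = 5   # assumption: the page states no lockout threshold
PBKDF2_ROUNDS = 50_000    # assumption: illustrative work factor

def _hash(password: str, salt: bytes) -> bytes:
    # Passwords are never kept in readable form; only salted PBKDF2 hashes are stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def meets_complexity(password: str) -> bool:
    # Minimum length plus at least three of four character classes.
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    return len(password) >= MIN_LENGTH and sum(classes) >= 3

class Account:
    def __init__(self, password: str, set_on: int):
        self.salt = os.urandom(16)   # one salt per account so history entries stay comparable
        self.history = [_hash(password, self.salt)]  # newest last; history[-1] is current
        self.set_on, self.failed, self.locked = set_on, 0, False  # set_on: integer day count

    def change_password(self, new: str, today: int) -> str:
        if not meets_complexity(new):
            return "too_weak"
        candidate = _hash(new, self.salt)
        if any(hmac.compare_digest(candidate, h) for h in self.history):
            return "reused"
        self.history = (self.history + [candidate])[-HISTORY_DEPTH:]  # keep last 24 only
        self.set_on, self.failed = today, 0
        return "ok"

    def authenticate(self, password: str, today: int) -> str:
        if self.locked:
            return "locked"
        if not hmac.compare_digest(_hash(password, self.salt), self.history[-1]):
            self.failed += 1
            if self.failed >= MAX_FAILED_ATTEMPTS:
                self.locked = True   # stays locked until the secure unlock procedure runs
                return "locked"
            return "denied"
        self.failed = 0
        return "expired" if today - self.set_on >= ROTATION_DAYS else "ok"

    def unlock(self) -> None:
        self.locked, self.failed = False, 0
```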
User devices are physically protected and require authentication. Mobile devices encrypt confidential information in transit. Flexera can remotely wipe lost or compromised devices to protect Customer Classified Information.
Access to Flexera’s cloud environments follows the same strict controls as user and system access management, ensuring consistent security across on-premises and cloud systems.
Flexera uses a layered approach to network security to protect its systems, data, and customer environments. Network management controls are in place to monitor, manage, and safeguard traffic across corporate and production environments.
Enterprise‑grade firewalls are used to control traffic between internal and external networks, enforcing rules based on business requirements and blocking unauthorized access by default. End‑user devices are further protected by host‑based firewalls configured to restrict inbound connections and prevent unauthorized changes.
Flexera employs intrusion detection and prevention capabilities to identify and mitigate malicious activity. These controls are continuously active, regularly updated, and monitored by security personnel to enable timely investigation and response to potential threats.
Changes to the network environment, such as new external connections or sites, undergo formal risk assessment prior to implementation to ensure alignment with security standards and business needs.
These controls ensure a secure, monitored network and protect customer data and services.
Information security aspects are considered for any change to the organization, its business processes and its IT systems, to prevent such changes from adversely affecting the level of information security.
Controls are defined to ensure changes are implemented in a controlled and structured manner to avoid any business disruptions. Some of the key steps in the change management process include change authorization, testing prior to implementation of change, notifying the relevant stakeholders prior to change, post-installation validation and rollback plans.
Flexera maintains comprehensive logging and monitoring controls designed to safeguard systems and Customer Classified Information. Audit logging is enabled across key systems, including network devices, servers, in‑scope applications, and security platforms, to capture important security‑related events.
Log data includes essential details such as the user or system that triggered the event, a description of the activity, timestamps, system identifiers, and relevant authorization information. These logs are protected against unauthorized modification or deletion and are retained for a minimum of ninety (90) days in accordance with Flexera’s security policies.
Flexera routinely reviews audit logs and automated security alerts to identify unusual activity or potential threats. Alerts generated by intrusion detection/prevention systems and other security monitoring tools are investigated and managed through Flexera’s established incident monitoring and response processes. These practices help ensure timely detection of security issues and support the ongoing protection of customer data and Flexera’s operational environment.
Flexera maintains backup and recovery controls to ensure the availability and integrity of customer and business data. Data backups are performed to support system resilience and enable timely recovery in the event of system outages, security incidents, or operational disruptions.
Backups are taken prior to system upgrades or maintenance activities to ensure data can be restored if needed. Customer information that is required to be encrypted at rest remains encrypted throughout the backup process, preserving data confidentiality during storage and recovery operations.
Backup data is stored in geographically separate and physically secure locations to protect against localized failures or disasters.
These controls are designed to support business continuity objectives while maintaining compliance with Flexera’s information security standards and data protection commitments.
Flexera has a comprehensive framework for security incident management. The framework covers all stages in the incident management process including events to report, reporting mechanisms, detection and investigation, analysis, activation and evidence collection, containment and remediation, recovery and post-incident review.
Flexera has defined and documented a Privacy and Incident Response Plan, a Cloud Security Incident Response Plan and a Crisis Communication Plan. We also collaborate with respected external experts to ensure our investigations and responses are conducted as effectively as possible.
Flexera conducts a formal test of the incident response plan on an annual basis.
Controls are defined and implemented to ensure continuity of operations following a business disruption. Business disruptive events include, but are not limited to, serious incidents, threats, emergencies, natural disasters and man-made disasters, such as severe weather and climate events, cyberattacks, malware, technology outages, pandemics, earthquakes and physical threats.
Business Impact Analysis is conducted at least annually and upon major changes in infrastructure and services.
Business Continuity Plans are documented and tested on an annual basis.
A backup strategy is defined, documented and implemented for corporate and production environments. Backup restores are tested on a regular basis and controls are in place to protect backups against unauthorized access and tampering.
A cryptographic strategy is defined and implemented. The following aspects are considered:
Sensitive information is encrypted in transit and at rest. Cryptographic keys are generated within a cryptographic module that is at least FIPS 140-2 compliant.
Data transfer across public networks, including the Internet, is encrypted between hosts with IPsec or the current version of TLS. Data transferred in email message bodies (i.e. non-bulk) uses TLS transport-layer encryption between email gateways where possible. Data stored on mobile devices and laptops is protected with whole-disk or volume encryption.