Your security, our priority

Thousands of companies around the world benefit from the Nintex Workflow Platform and Document Generation applications. Nintex is committed to maintaining the security and reliability of all our products.

Privacy and compliance

Nintex protects our customers’ personal information. Our Privacy Policy sets a high standard for how Nintex manages the personal details and other information that may be collected by Nintex’s various websites. The Nintex website and Nintex Community comply with the U.S.-E.U. Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data from European Union member countries and Switzerland.

SOC 2 report

Nintex is committed to maintaining the security of our products. Our System and Organization Controls (SOC) 2 report provides assurances that we have controls in place to protect your data. Nintex has SOC 2 Type 2 and SOC 3 reports for our Nintex Workflow Cloud services, Nintex Promapp®, and Nintex Drawloop DocGen®.

To request a confidential copy of Nintex’s SOC 2 Type 1 or Type 2 reports, please email

Download the SOC3 reports:


Nintex Document Generation has received Moderate certification in the Federal Risk and Authorization Management Program (FedRAMP). The U.S. government-wide program provides a standard approach for assessing, authorizing and continuously monitoring cloud products and services. The certification allows government agencies to realize the benefits of Nintex Document Generation for Salesforce.

People and access

Nintex customers that access the Nintex Workflow Platform have user accounts that are controlled and managed based on the applicable product platform architecture. Nintex for Office 365 accounts are managed via access controls in customers’ Office 365 platforms. Nintex Document Generation accounts are managed via access controls in customers’ Salesforce platforms. Nintex SharePoint accounts are managed in customers’ on-premises SharePoint installations. Nintex Workflow Cloud accounts are managed in Auth0. Nintex Promapp® accounts are managed in a custom-built authentication system that customers may choose to federate with their own Identity Provider.

Nintex personnel
Our global Production Operations team maintains a user account for the purposes of maintenance and support. Team members will access customer environments only to monitor application health or perform system maintenance. Secure VPN and two-factor authentication are required for team members to access environments remotely.

Facilities and hosting
Access to data center facilities and other physical security controls for our cloud-based offerings are tightly regulated according to standards outlined for Microsoft Azure or Project Hosts. Nintex Document Generation, Nintex Workflow for Office 365, Nintex Forms for Office 365, Nintex Connectors and Nintex Mobile are hosted on Microsoft Azure. The Nintex Document Generation for Salesforce FedRAMP platform is hosted on Project Hosts. Nintex Workflow Cloud and Nintex Promapp® are hosted on Microsoft Azure.

Our SharePoint offerings, including Nintex Workflow for SharePoint, Nintex Forms for SharePoint and Nintex Mobile, store information on individual devices or servers within the customer’s infrastructure. The customer manages all access controls for these assets.

Data and content

Nintex maintains high-level security of the Nintex Workflow platform. All of our security controls and risk analysis focus on protecting customer data and content. Nintex has implemented Data Security and Software Development guidelines to standardize our product development and data handling processes and procedures. These guidelines include protections for OWASP Top 10 security flaws, recommendations for avoiding cloud security threats, and secure software development lifecycle processes. We review and, if necessary, update these guidelines regularly to reflect the current threat landscape and known vulnerabilities.

Customers retain ownership of – and responsibility for – the data and other content they input in the design and publication of Nintex workflows and Nintex forms. Additional information regarding these obligations is available on our Legal page.


Data access
Nintex Platform users can only access data within their customer tenant or organization-hosted solution. The Nintex Workflow platform segregates customer tenant data and processes according to multi-tenant data architecture best practices, which in some software elements includes separate data stores per tenant.

Data in transit
Nintex solutions use the TLS protocol for data and communications security whenever possible.

Research reporting

Nintex appreciates responsible reporting of potential security vulnerabilities. If you’ve identified a potential security vulnerability in the Nintex Workflow platform, please report this potential vulnerability as soon as possible to Nintex Security. We will work with you to verify and mitigate the vulnerability. In such instances, we request that you comply with the following guidelines.

Reporting guidelines

  • Make a good faith effort to avoid data destruction, misappropriation of content, privacy violations, and interruption or degradation of our services.
  • Notify Nintex promptly and provide all available information regarding the potential vulnerability.
  • Provide Nintex a reasonable period of time in which to review and, if necessary, mitigate the vulnerability prior to making any public disclosure regarding the vulnerability.


Nintex K2 Software privacy and compliance

ISO 27001:2013

ISO 27001:2013 is a well-known set of international standards relating to the secure management of information, particularly in a cloud-based environment. The Nintex K2 Cloud Platform has been independently verified to meet all ISO 27001:2013 standards for cloud security and information management.

SOC 2 report

SSAE 16 Service Organization Control 2 (SOC 2) reports on various organizational controls related to security, availability, processing integrity, confidentiality or privacy, performed by the AICPA as a third-party audit. A SOC 2 Type II report is not a point-in-time audit but a full review of performance against defined policies and processes, looking backward over the past year. It provides a detailed review, by an independent audit firm, of Nintex K2 Cloud’s security, availability, and confidentiality controls. Nintex K2 Cloud also operates within SOC 2 attested Azure datacenters to ensure that all services are independently evaluated and the proper controls are utilized.

SOC 3 report

The SOC 3 Report, just like SOC 2, is based upon the Trust Service Principles and performed under AT101. The difference is that a SOC 3 Report can be freely distributed (general use) and reports only on whether the entity has achieved the Trust Services criteria (with no description of tests and results and no opinion on the description of the system). The lack of a detailed report requires that a SOC 3 be performed as a Type II, unlike SOC 1 and SOC 2, where there is a Type I option. SOC 3 reports can be issued on one or multiple Trust Services principles (security, availability, processing integrity, confidentiality and privacy) and allow the organization to place a seal on its website upon successful completion.