OX Trust Center - Security, privacy & trust
These are the core of the OX approach. We firmly believe that privacy is a fundamental right for all users of communication services, and we are committed to adhering to the highest standards of privacy and security for both our products and customers.
Delivering secure products that support privacy
We maintain an established information security management system, supported by secure coding practices, independent product audits, penetration testing and bug bounty programs to anchor security in the development of our solutions.
Our products do not collect information that users don't want to share and we do not sell any data to third parties
Four Commandments of trusted internet services
Open-Xchange solutions are developed according to the Four Commandments of Trusted Internet Services:
A service must be available from many providers
The service must (also) be available as software
It must be possible to move user data from one solution to the other
The software should be available as source code to everyone
Stringent industry standards
OX products and services are based on industry best practice - designed to meet the most stringent privacy and security standards
We give our customers the tools they need to meet their compliance and reporting requirements, and data ownership, security, transparency and accountability are all fundamental parts of our contracts
Open-Xchange is ISO/IEC 27001:2022 certified with TUV Rheinland of North America
Privacy & Compliance
Trust is an essential part of all our relationships, whether you're a customer, partner or supplier. Transparency is also part of OX's DNA, and we work hard to establish and maintain trust. As a result:
Customers – not OX – own their data
Open-Xchange will not sell your personal data to third parties, and never processes personal data from our services for any other purposes than those agreed on
Security ratings and evidence
We’re happy to provide transparent insight into our security program and would be glad to grant you full access to our security profile, just get in touch to get started.
Found a vulnerability?
We are more than happy to work with you on resolving it swiftly. To prevent a potential vulnerability being abused by criminals, we ask you to report such findings to us confidentially and not share them publicly before their remediation.
We will coordinate a resolution and disclosure and grant attribution to the researcher if desired.
Customers can find more details about the process here: Remediation and disclosure process.
Bug bounty program
You can use our public bug-bounty program at yeswehack. There are separate programs for our App Suite, Dovecot and PowerDNS products. This is the only way we can compensate you for a finding.
Direct contact
If you do not want to sign up for the bug-bounty program or found a vulnerability that is not in scope, please use https://vdp.open-xchange.com/ to report the vulnerability to us.