Information Security

The following summary is intended to support customer security, compliance, and software supply‑chain due‑diligence activities/requirements.

# Info-Sec Related Frequently Asked Questions

Does DevExpress engineer commercial software apps (general purpose apps, web/SaaS apps, mobile apps, etc.)?

No

DevExpress does not engineer commercial software apps. DevExpress does not offer paid cloud services. As such, DevExpress does not store/manage third-party information (said differently, DevExpress does not store information on your customers/end-users).

DevExpress engineers/licenses software UI components/development libraries. DevExpress licenses source code (the DevExpress End User License Agreement governs use and redistribution of DevExpress intellectual property). Developers/development teams are entirely responsible for the use of DevExpress source code and how DevExpress source code is integrated into a software project.

DevExpress UI components/development libraries (source code) are rigorously tested. DevExpress employs secure development lifecycle practices and enforces software supply-chain security controls.

DevExpress enforces information security policies aligned with internationally recognized security frameworks/best practices, and continuously improves its security procedures based on risk assessment and business context. For an overview of DevExpress software development security procedures, please refer to the following:

Security - What You Need to Know | DevExpress Documentation

Does DevExpress store personally identifiable information in its encrypted customer database?

Yes

DevExpress stores the following personally identifiable information in its encrypted customer database:

  • Purchase-related information (company name, address, etc).
  • License-related information (who is authorized to develop solutions/products using our intellectual property – this includes the names/contact information of software developers authorized to use our license).
  • Correspondence related to our products/use of our products (this can be in the form of email or support-related traffic stored in an encrypted database).
  • IP/Geo-location/Login information – to track login activity and enforce geographic access restrictions in accordance with applicable laws, sanctions regimes, and internal security policies.

For additional information on the terms/conditions that govern use of DevExpress web properties/online services, please refer to the following:

Website Terms of Use - DevExpress | Privacy Policy - DevExpress

Does DevExpress have a management-approved information security policy, and has that policy been communicated to all applicable parties?

Yes

Does DevExpress have a Chief Information Security Officer (CISO)?

Yes

Does the DevExpress Board of Directors and/or its Executive Management Team directly formulate/review its corporate Information-Security Program?

Yes

Does DevExpress regularly review its Information-Security program/policies?

Yes, at least annually.

Does DevExpress have a formal security incident management/incident response plan?

Yes, incident response procedures are periodically tested and reviewed.

Does DevExpress monitor systems/networks/devices for known security vulnerabilities and patch corporate assets (including servers, databases, computing devices) as warranted and/or necessary?

Yes

Does DevExpress have controls in place to detect and prevent unauthorized access to systems, sensitive information, and facilities?

Yes

DevExpress Access Control protocols are designed to protect organizational information assets by fully regulating how users, systems, and third parties gain access to data and facilities. DevExpress Access Control protocols ensure that access is granted appropriately, monitored continuously, and revoked promptly when no longer required, thereby safeguarding confidentiality, integrity, and availability across our enterprise.

DevExpress Access Control protocols ensure that only authorized individuals can access specific systems, applications, and physical locations. These protocols support regulatory compliance, reduce security risk, and enforce consistent, organization‑wide standards for identity, authentication, and authorization. Key principles underlying our Access Control protocols are:

  • Least Privilege: Users receive only the minimum access needed for their roles.
  • Need‑to‑Know: Sensitive information is restricted to individuals with a legitimate business requirement.
  • Separation of Duties: High‑risk activities are divided across roles to prevent misuse or fraud.
  • Accountability: All access is uniquely attributable to an individual and fully auditable.

Logical access is enforced through authentication mechanisms, role‑based and attribute‑based access models, and secure password/MFA requirements. Physical access to facilities and restricted areas is controlled through biometrics and surveillance systems.

Do firewalls protect all DevExpress network entry/exit points?

Yes

Do you require use of Multi-Factor Authentication (MFA) for access to corporate information systems?

Yes

Is Multi-Factor Authentication (MFA) available to customers/end-users accessing DevExpress web properties?

Yes

To enable multi-factor authentication (both email-based and authenticator-app-based MFA are available), please visit: https://www.devexpress.com/MyAccount/

Does DevExpress store/track customer/end-user login activity and is this information available to customers/end users accessing DevExpress web properties?

Yes

To view 30-day login activity associated with your account, please visit: https://www.devexpress.com/MyAccount/.

Is personally identifiable customer data encrypted at rest and in transit?

Yes

Does DevExpress have a data backup and disaster recovery plan in place?

Yes

The DevExpress data backup and recovery plan is designed to safeguard critical information, maintain business continuity, and restore operations following data loss, corruption, or system failures. Our protocols define responsibilities, technologies, and procedures required to ensure data availability, integrity, and recoverability. DevExpress protocols help ensure that essential data/systems can be restored within acceptable timeframes, minimizing operational disruption. Like all DevExpress protocols, our data backup and disaster recovery plans comply with legal, regulatory, and contractual requirements.

The DevExpress data backup and recovery plan covers all mission-critical business systems, applications, databases, user data, cloud services, and on‑premises infrastructure. Policies require the use of management-approved backup platforms, automation tools, and monitoring systems. Our backup-related infrastructure encrypts data at rest and in transit, enforces strict access controls, and performs audit logging and integrity validation. DevExpress backup environments are protected from malware, ransomware, and related threat vectors.

Does DevExpress offer security awareness training to staff members?

Yes

# Security & Resilience-related Frequently Asked Questions

Does DevExpress test its UI components/software development libraries to help mitigate security-related risks?

Yes

For a detailed summary on the steps we take to ensure the integrity of DevExpress deliverables, please visit: Security - What You Need to Know | DevExpress Documentation.

Does the DevExpress cyber security/resilience program include monitoring, threat analysis, malware protection, scanning, intrusion detection, and DDoS protection?

Yes

  • DevExpress uses multiple tools to scan its information systems for vulnerabilities. Third-Party tools used include: Microsoft Sentinel and Tenable Nessus.
  • DevExpress monitors all its external sites through BitSight’s security platform.
  • DevExpress uses Cloudflare to protect against Denial-of-Service attacks.

# SDLC & Supply Chain-related Frequently Asked Questions

Does DevExpress apply software supply-chain security controls throughout the development, build, and release lifecycle?

Yes

Source control access restrictions. We enforce Least Privilege Access (LPA) via GitHub/GitLab Enterprise CI/CD using corporate authentication methods (Microsoft 365). Code repositories require Multi-Factor Authentication (MFA). We employ a 'Branch Protection' policy that strictly prohibits direct commits to main/production branches. Every change requires at least two independent peer reviews and a successful build status before merging.

CI/CD hardening. DevExpress uses secure and authenticated methods (GitHub Actions, GitLab CI/CD) to publish product code, tools, installations (Trusted Publishing), avoiding reliance on long-lived API tokens. Our build pipelines run on ephemeral, isolated runners that are destroyed after every job to prevent persistent threats. All pipeline configurations are managed as code (YAML and other configuration files) and are subject to the same peer-review process as application code.

Automated scanning. DevExpress uses a multi-layered scanning strategy for every PR (code repositories and container images are continuously and automatically scanned for vulnerabilities during the CI/CD process) prior to release. This includes Static Application Security Testing (SAST) for product source code, Software Composition Analysis (SCA) for vulnerable third-party libraries and license compliance, and anti-virus scanning of installations and artifacts. High-risk vulnerabilities trigger an automatic 'Build Fail'. DevExpress employs a combination of commercial and internally managed security tools (including, but not limited to, Veracode, Dependabot, CodeQL, NuGet Audit and VirusTotal). Automated hooks and manual code review prevent accidental commits of API keys or credentials (Secret Detection).

Artifact integrity. Every production-ready artifact is cryptographically signed; our public key and checksums are available for validation. This enables customers to independently verify the authenticity and integrity of DevExpress product libraries throughout their lifecycle.

For additional information, see Security - What You Need to Know | DevExpress Documentation.

Does DevExpress manage its suppliers?

Yes

DevExpress evaluates security risks associated with critical third-party service providers and applies contractual, technical, and organizational safeguards as appropriate.

Does DevExpress maintain a responsible disclosure/vulnerability reporting, handling and remediation policy for released products?

Yes

DevExpress maintains a responsible disclosure process for security vulnerabilities reported by employees, researchers, or customers. For additional information, see Security Advisories and Product Update Process.

Does DevExpress maintain a post-market vulnerability handling and remediation process for released products?

Yes

DevExpress also has a documented vulnerability handling process that includes intake, triage, remediation, and customer notification. Security fixes are prioritized based on severity and risk and are delivered through product updates and security advisories. For additional information, see Security Advisories and Product Update Process.

Does DevExpress provide security updates for supported product versions throughout their lifecycle?

Yes

DevExpress provides security updates and fixes for supported product versions in accordance with its product lifecycle and update policies. For additional information, see Supported Product Versions.

Does DevExpress support SBOM‑related requests for software composition transparency?

Yes

DevExpress provides relevant information to customers and publishes SBOM files in the CycloneDX format. For additional information in this regard, please review the following support ticket: Software Bill of Materials (SBOM) for DevExpress .NET assemblies/NuGet packages, JavaScript, VCL and other redistributable artifacts (must have a DevExpress.com account to view content).
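The artifact-integrity and SBOM statements above describe what a customer can verify on their side. As an added example (not DevExpress code), the following indexes the per-component SHA-256 hashes recorded in a CycloneDX JSON SBOM and checks a downloaded artifact's digest against them, treating components with no recorded hash as unverifiable rather than as passing. The SBOM content, component names and artifact bytes are constructed sample data.

```python
import hashlib
import hmac
import json

# Constructed CycloneDX 1.5 JSON SBOM (sample data, not a real DevExpress SBOM).
# The recorded hash is the SHA-256 of the constructed artifact bytes used below.
SAMPLE_ARTIFACT = b"constructed artifact bytes"
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {
            "type": "library",
            "name": "Example.Component",        # hypothetical package name
            "version": "1.0.0",
            "purl": "pkg:nuget/Example.Component@1.0.0",
            "hashes": [{"alg": "SHA-256",
                        "content": hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()}],
        },
        {
            "type": "library",
            "name": "Example.NoHash",           # hypothetical component lacking a hash
            "version": "2.1.0",
        },
    ],
})


def index_sbom_hashes(sbom_json: str) -> dict:
    """Map (name, version) -> lowercase SHA-256 hex for every component that records one."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    index = {}
    for comp in bom.get("components", []):
        for h in comp.get("hashes", []):
            if h.get("alg") == "SHA-256":
                index[(comp["name"], comp["version"])] = h["content"].lower()
    return index


def verify_artifact(data: bytes, name: str, version: str, index: dict) -> str:
    """Return 'match', 'mismatch' or 'unrecorded' for an artifact against the SBOM index."""
    expected = index.get((name, version))
    if expected is None:
        return "unrecorded"          # no hash in the SBOM: cannot vouch for integrity
    actual = hashlib.sha256(data).hexdigest()
    return "match" if hmac.compare_digest(actual, expected) else "mismatch"


if __name__ == "__main__":
    idx = index_sbom_hashes(SAMPLE_SBOM)
    print(verify_artifact(SAMPLE_ARTIFACT, "Example.Component", "1.0.0", idx))
    print(verify_artifact(b"tampered", "Example.Component", "1.0.0", idx))
    print(verify_artifact(b"anything", "Example.NoHash", "2.1.0", idx))
```

Checking the hash in the SBOM is complementary to, not a substitute for, verifying the signature on the artifact itself.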

# DevExpress Support & Client Center-related Frequently Asked Questions

Does DevExpress store credit card information in its encrypted database?

No

Does the DevExpress Support & Client Center (including associated internal systems and DevExpress network resources) require authentication by all internal users?

Yes

Does remote access to the DevExpress Support & Client Center (including associated internal systems and DevExpress network resources) require authentication by all remote users?

Yes

Does access to the DevExpress Support & Client Center (including associated internal systems and DevExpress network resources) require Multi-Factor Authentication (MFA)?

Yes

Does the DevExpress Support & Client Center (including associated internal systems and DevExpress network resources) employ robust access controls designed to restrict who can view, edit or delete data?

Yes

Is the DevExpress Support & Client Center (including associated internal systems and DevExpress network resources) scanned for vulnerabilities?

Yes

Is malware/anti-virus protection used to protect the integrity of DevExpress Support & Client Center data?

Yes

Is DevExpress Support & Client Center data encrypted at rest and in transit?

Yes

Is the management/development of the DevExpress Support & Client Center outsourced to a third party?

No

The DevExpress Support & Client Center is maintained/managed in-house. DevExpress does not use a third-party service provider for its Support & Client Center.

Where is DevExpress Support & Client Center data stored?

United States of America

Has DevExpress published a Website Terms of Use?

Yes, see Website Terms of Use - DevExpress.

Does DevExpress enforce geographic access restrictions to corporate systems in accordance with applicable laws, sanctions regimes, and internal security policies?

Yes

Are all support ticket attachments (images/videos/etc) submitted via the DevExpress Support Center automatically scanned by anti-virus software?

Yes

# Regulatory-related Frequently Asked Questions

Does DevExpress comply with the Payment Card Industry (PCI) Data Security Standard?

Yes, DevExpress is PCI scan compliant through July 13, 2026.

Does DevExpress comply with both the United States and European Union sanctions regimes?

Yes

DevExpress fully complies with both the United States and European Union sanctions regimes. DevExpress does not license its products or offer support services to anyone residing in a sanctioned country. For additional information in this regard, refer to the DevExpress End User License Agreement.

For sanctions-related inquiries please email management@devexpress.com.

Does DevExpress comply with the European Union General Data Protection Regulation (GDPR)?

Yes

For additional information in this regard, please refer to the DevExpress Privacy Policy: https://www.devexpress.com/aboutus/privacy-policy.xml.

Does DevExpress comply with the California Consumer Privacy Act (CCPA)?

Yes

For additional information in this regard, please refer to the DevExpress Privacy Policy: https://www.devexpress.com/aboutus/privacy-policy.xml.

Does DevExpress have a Legal Entity Identifier (LEI) number in compliance with the EU’s Digital Operational Resilience Act (DORA)?

Yes

To obtain our LEI number, please contact the DevExpress Client Services Team.

Does DevExpress train employees with access to personally identifiable information on US/EU privacy laws/regulations?

Yes

Does DevExpress limit access to personally identifiable information?

Yes

Access to personally identifiable information is restricted to authorized personnel based on role, business need, and access approval processes. Personnel with access undergo background checks where legally permissible and receive mandatory security and privacy training.

# Artificial Intelligence (AI)-related Frequently Asked Questions

Does DevExpress use Artificial Intelligence?

Yes

Has DevExpress instituted an AI governance program or policy?

Yes

DevExpress has established AI governance policies covering approved use cases, access controls, and risk management.

Do you restrict the use of non-approved AI tools/services by employees?

Yes

DevExpress restricts employee use of generative AI tools to approved AI tools and services provided under existing corporate agreements or otherwise approved under internal policy. Currently, DevExpress employees are authorized to use approved enterprise AI services, including Microsoft enterprise AI services (such as Microsoft 365 Copilot, GitHub Copilot and Azure OpenAI), which operate within Microsoft’s enterprise security and compliance boundary and are governed by contractual data protection commitments.

The use of consumer or unmanaged AI services is prohibited by internal policy. These internal policies are designed to reduce risks associated with unintended data disclosure and ensure that AI usage aligns with DevExpress security, privacy, contractual, and customer-specific obligations.

Do you restrict the use of AI to specific teams/roles?

Yes

Does DevExpress use personally identifiable customer information to train AI models?

No

DevExpress does not use personally identifiable customer information or Support Center content to train general purpose AI models.