FAQ

Produkt
Migration
Features
Technik
LTS
Community

Frequently asked questions about CIB seven

What is CIB seven?

CIB seven is an open-source fork of the Camunda 7 BPM engine and was developed specifically for companies looking for a long-term, maintainable, and license-free solution for process automation. The focus is on full compatibility with Camunda 7, supplemented by a modern, self-developed user interface (from version 2.0) and extended integration options for connecting external REST services or existing identity management systems.

CIB seven is aimed at organizations that either already use Camunda and need a future-proof alternative or are evaluating a powerful and flexible BPM platform for the first time.

Die Plattform wird kontinuierlich weiterentwickelt und bietet sowohl die kostenfreie Community-Version als auch weitere kostenpflichtige Varianten mit erweiterten Funktionen und langzeit-Support zur Verfügung. Details zu den verfügbaren Varianten erfahren Sie here.

What are the differences between the Community Edition and other Editions of CIB seven?

Die kostenfreie und open source CIB seven Community enthält alle grundlegenden Funktionen zur Modellierung und Ausführung von Geschäftsprozessen. Weitere kostenpflichtige Varianten bieten darüber hinaus und je nach Edition Security Patches, Long Term Support mit Hotfixes und alle Enterprise Features, die aus Camunda 7 bekannt sind.

Für Unternehmen, die viele Prozessinstanzen verwalten oder regulatorischen Anforderungen unterliegen, ist die LTS-Ausführung besonders empfehlenswert. CIB bietet zudem faire und transparente Lizenzmodelle, auch für OEM-Partner.

How does the migration from Camunda 7 to CIB seven work?

CIB seven provides dedicated migration scripts and tools based on Open Rewrite that enable automated conversion of existing Camunda 7 projects. The migration paths have been developed based on practical experience, including internal CIB projects, and take into account differences in APIs, data models, and deployment strategies.

In addition, the migration of running process instances is being actively tested in the demo system. The aim is an uninterrupted migration with maximum compatibility with Camunda 7.22+. Supporting tools are available for older versions.

How is database migration supported?

CIB seven is compatible with all common relational databases such as PostgreSQL, MySQL and H2. Existing Camunda database schemas can be adapted using standardized migration scripts to ensure a smooth changeover.

For more complex requirements, such as extensive historization or advanced database models, CIB offers additional tools and professional support. The database schemas of the Community and Enterprise versions are fully compatible, so it is possible to switch between the two versions at any time.

How is CIB seven developing in terms of content - and who is helping to shape this development?

CIB seven is pursuing the goal of having all significant Enterprise Features of Camunda 7's key enterprise functions by the end of 2025. These include batch operations, process modifications, complete audit logs, and the controlled migration of running instances.

There is a particular focus on performance optimization, stable releases and open, transparent further development. Feedback from existing customers as well as contributions from the developer community are incorporated into the roadmap.

CIB seven is aimed specifically at companies that need a reliable platform for extensive, business-critical processes, and at the same time value an environment in which they can act as co-creators.

Which Enterprise Features are planned, and when will they be available?

CIB seven is constantly evolving to cover and expand all of Camunda 7's Enterprise Features. Click here for the current Release-Plan.

These include, among others:

  • Batch operations and process modifications,
  • a complete operation log,
  • extended historization functions,
  • the migration of running process instances.

These features will be gradually integrated into the platform by the end of 2025. In addition, performance will be continuously optimized and the modular structure strengthened - particularly with regard to future integrations with cloud-native architectures and alternative execution models (e.g. Azure Durable Functions).

What does the new CIB seven user interface offer?

From version 2.0, CIB seven contains a modern user interface based on the previous CIB flow frontend and is completely independent of the Camunda modules “Tasklist”, “Cockpit”, and “Admin”.

It includes functions such as:

  • Task lists with filter and search options,
  • Process monitoring with runtime information,
  • streamlined user and rights management.

Erweiterte Funktionen wie der Formularbaukasten CIB easyForm, CIB ins7ght oder die Low-Code-Modellierung werden zukünftig über einen eigenen Marketplace als optionale Add-Ons angeboten. Die Oberfläche wird eng an den Anforderungen von Kunden und der Entwickler-Community weiterentwickelt.

In which operating environments can CIB seven be used?

CIB seven is designed to be platform-independent and can be operated flexibly in different IT environments. Among other things, it supports

  • Classic Java EE servers such as WildFly or JBoss,
  • Servlet containers such as Apache Tomcat,
  • Modern Spring Boot and Quarkus setups,
  • Containerized environments through Docker,
  • Kubernetes cluster (Helm charts in preparation).

This makes CIB seven suitable for on-premises scenarios as well as for use in the cloud or as part of a SaaS offering.

Does CIB seven support MariaDB even though Camunda discontinued support as of v. 7.22?

Yes. CIB seven continues to support MariaDB as a persistent database option, even beyond Camunda 7.22.

CIB seven continues to offer full compatibility with MariaDB, including:

  • Support for MariaDB 10.6+ (tested up to 11.x)
  • JDBC-Driver: org.mariadb.jdbc.Driver
  • Compatibility with Spring Boot, Camunda BPM Platform, and Standalone Deployments
  • Runtime and configuration tests with MyBatis migration scripts for MariaDB

Why this is important: Many companies rely on MariaDB as a stable, high-performance, and license-free alternative to MySQL. CIB seven ensures that existing Camunda 7 environments can continue to operate without database migration.

Does CIB seven support external tasks?

Yes, CIB seven fully supports external tasks - including visibility in monitoring, access via REST API, and assignment to workers. They can be executed on the server side or via external worker processes.

To improve traceability, we are currently working on extended logging, especially regarding logs, user actions, and technical errors.

How can I use CIB seven in commercial software projects - and what license models are available?

is published under the Apache 2.0 license and can also be used free of charge in commercial software solutions. This applies without restriction to the core functions of the platform.

CIB also offers flexible license models, for example:

  • Licenses with SLA, security patches, and long-term support (Community+, LTS, Enterprise),
  • OEM solutions for partner companies with customer-specific integration,
  • License packages based on user numbers, clients or development teams.

The models are documented and tailored to typical company requirements.

What interfaces and expansion options does CIB seven offer?

CIB seven provides a fully compatible REST API that can address processes, tasks, users, and system resources. These interfaces are openly documented and are ideal for integration into existing IT landscapes.

In addition, extensions can be implemented via custom plug-ins or individual REST endpoints, an approach widely used in the OEM and enterprise sectors. The new user interface has a modular structure and can be expanded using add-ons.

What support is available for partners, and how can you participate in CIB seven?

CIB seven is aimed not only at user companies, but also at implementation partners and solution providers. CIB offers flexible OEM models and support services for migration, integration, and operation. CIB seven also sees itself as an open project: further development is carried out in close cooperation with customers and the developer community. Contributions from the field - whether in the form of feedback, bug fixes, or self-developed modules - are expressly welcome.

Alle relevanten Informationen, Dokumentationen und Demos finden sich auf diesen Webseiten und im Entwicklerbereich https://docs.cibseven.de.

Data protection, cloud security, and compliance

Data protection regulations
  • In which countries does CIB software GmbH operate?
    Germany
  • What data protection regulations and laws is your company compliant with?
    General Data Protection Regulation (GDPR/DSGVO) and the German Federal Data Protection Act (BDSG)
  • Are there any third parties with whom customers’ data is shared?
    Kundendaten können an andere Unternehmen innerhalb der CIB Group weitergegeben werden. Darüber hinaus hängt die Weitergabe von der jeweiligen Nutzung der Dienste ab. Wir arbeiten mit verschiedenen Subunternehmern zusammen. Gerne stellen wir Ihnen weitere Informationen zu Ihrem geplanten Nutzungsszenario zur Verfügung.
  • Did your company in the past suffer of any incidents with data leaks or any other data protection failures?
    To date, we have not experienced any major data leaks or significant data protection failures impacting client data security.
  • Has your company ever been subject to data protection related investigations, fines, or legal actions?
    No
  • Does your company have any information security certifications such as ISO 27001?
    We operate an Information Security Management System (ISMS) currently audited under TISAX. We are in preparation for ISO 27001 certification and are planning the audit for 2025.
Cloud solution vendors
  • What is the location of datacenters where customers’ data is stored?
    For SaaS services, our data centers are located in Germany. For certain AI-powered offerings, a datacenter in Ireland is used.
  • What is the data retention and deletion policy in your company?
    Retention and deletion depend on the type of data and regulatory requirements. For SaaS offerings, we act as the data processor and follow the instructions of the data controller. Secure deletion methods and documentation are applied in accordance with customer contracts and legal requirements.
Vulnerability management
  • How often does your company release hotfixes or security patches?
    For all CIB seven distributions (C+, LTS, Enterprise, OEM), the release cycle for security patches and hotfixes is scheduled every 4-8 weeks, if there are mayor security breaches, a just in time fix will be released. (See:  https://cibseven.org/en/pricing/#overview)
  • Does your company publish security bulletins with vulnerability information?
    No, we don´t publish general vulnerability information yet. We can provide the vulnerability information to the client, if the client requests this and included this in the contract.
  • How security issues or vulnerabilities can be reported to your company?
    We provide the client with a contact to our Support team/ ICT-Team or helpdesk (depending on the contract and client)
  • How often are security audits conducted and when was the last time?
    Regular independent and internal audits of our ISMS and systems are conducted at least annually, in line with TISAX and ISO 27001 preparation requirements. The most recent audit was performed in June 2024 (extern); March 2025 (intern).
Security design

How data in transfer is protected?

  • HTTPS Protocol: All data transmission uses HTTPS with SSL certificates.
  • End-to-End Encryption: Data remains encrypted throughout the entire transmission process.
  • Public Network Security: Special attention to securing data when transmitted over public networks, where interception risks are higher.
  • Compliance and Standards: The encryption implementation leverages AWS KMS’s proven security framework, which is designed to meet stringent compliance requirements and industry best practices.
How data at REST is protected?

CIB employs enterprise-grade encryption for all stored data using AWS Key Management Service (KMS), which provides (References: Datenschutzkonzept):

  • FIPS 140-2 Certified Hardware Security Modules (HSMs): All encryption keys are generated and stored in certified HSMs that meet the highest security standards
  • Customer Managed Keys (CMKs): CIB maintains full control over encryption keys through customer-managed keys rather than AWS-managed keys, ensuring complete ownership of the encryption process.
  • Zero-Export Policy: Encryption keys cannot be exported from AWS KMS and never exist in plaintext outside the HSMs.
  • Secure Key Lifecycle:  Keys are only used in volatile memory during cryptographic operations and are never written to disk, ensuring maximum security
  • Authorized Access Only:  Data keys must be requested by authorized personnel and are provided to developers through controlled processes.
  • The encryption architecture ensures that neither AWS nor CIB can retrieve keys in plaintext, providing an additional layer of security through technical safeguards.
What authentication mechanisms are used e.g.: to protect API access?

CIB seven supports standard authentication mechanisms to protect API access. Depending on the use case and deployment environment, this includes support for:

  • Basic Authentication:  (e.g., for development or internal systems).
  • OAuth 2.0 / OpenID Connect: for integration with identity providers (e.g., Keycloak, Azure AD).
  • The interfaces can be protected by a JSON Web Token (JWT) mechanism, but also accept Basic Auth or access tokens issued by a configured third-party identity provider.
  • Multi-Factor Authentication (MFA): when used in conjunction with an identity provider that enforces MFA policies.
Does the company perform threat modeling?

Yes, threat modeling is performed as part of our ISMS.

Secure production
  • Does your company use any secure development standards or frameworks (NIST, OWASP, etc.)?
    We have our own Secure Development Environment Guidelines and Secure Development Policy.
  • Does your company have and can share Software Bill of Materials (SBOM)?
    For Java/Maven applications, we automatically generate SBOMs in CycloneDX format and upload them to our central Dependency-Track instance at https://dependencytrack.cib.de/ These SBOMs can be shared with the client upon request.
  • Does your company use SAST/DAST tools in the development process?We use SonarQube as our SAST tool, which is integrated into the standard Jenkins pipeline for Maven projects. For DAST, we have experimented with OWASP ZAP, but it is not yet integrated into our development process.

Would you like to know more about CIB seven?
Get advice from our expert consultants.

Contact us
Newsletter
Hello! What can I do for you?
Contact us
Data protection overview

This website uses cookies so that we can provide you with the best possible user experience. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helps our team understand which sections of the website are most interesting and useful to you.