FAQ
Frequently asked questions about CIB seven
CIB seven is an open-source fork of the Camunda 7 BPM engine and was developed specifically for companies looking for a long-term, maintainable, and license-free solution for process automation. The focus is on full compatibility with Camunda 7, supplemented by a modern, self-developed user interface (from version 2.0) and extended integration options for connecting external REST services or existing identity management systems.
CIB seven is aimed at organizations that either already use Camunda and need a future-proof alternative or are evaluating a powerful and flexible BPM platform for the first time.
The platform is continuously being developed and offers both the free community version and other paid versions with extended functions and long-term support. Details on the available versions can be found here.
The Community Edition of CIB seven includes all essential features for modeling and executing business processes. Other paid versions offer, depending on the edition, security patches, long-term support with hotfixes, and all enterprise features known from Camunda 7.
For companies that manage many process instances or are subject to regulatory requirements, the LTS edition is particularly recommended. CIB also offers fair and transparent license models, including for OEM partners.
CIB seven provides dedicated migration scripts and tools based on Open Rewrite that enable automated conversion of existing Camunda 7 projects. The migration paths have been developed based on practical experience, including internal CIB projects, and take into account differences in APIs, data models, and deployment strategies.
In addition, the migration of running process instances is being actively tested in the demo system. The aim is an uninterrupted migration with maximum compatibility with Camunda 7.22+. Supporting tools are available for older versions.
CIB seven is compatible with all common relational databases such as PostgreSQL, MySQL and H2. Existing Camunda database schemas can be adapted using standardized migration scripts to ensure a smooth changeover.
For more complex requirements, such as extensive historization or advanced database models, CIB offers additional tools and professional support. The database schemas of the Community and Enterprise versions are fully compatible, so it is possible to switch between the two versions at any time.
CIB seven is pursuing the goal of providing all significant enterprise features of Camunda 7 by the end of 2025. These include batch operations, process modifications, complete audit logs, and the controlled migration of running instances.
There is a particular focus on performance optimization, stable releases and open, transparent further development. Feedback from existing customers as well as contributions from the developer community are incorporated into the roadmap.
CIB seven is aimed specifically at companies that need a reliable platform for extensive, business-critical processes, and at the same time value an environment in which they can act as co-creators.
CIB seven is constantly evolving to cover and expand all of Camunda 7's Enterprise Features. Click here for the current Release-Plan.
These include, among others:
- Batch operations and process modifications,
- a complete operation log,
- extended historization functions,
- the migration of running process instances.
These features will be gradually integrated into the platform by the end of 2025. In addition, performance will be continuously optimized and the modular structure strengthened - particularly with regard to future integrations with cloud-native architectures and alternative execution models (e.g. Azure Durable Functions).
From version 2.0, CIB seven contains a modern user interface based on the previous CIB flow frontend and is completely independent of the Camunda modules “Tasklist”, “Cockpit”, and “Admin”.
It includes functions such as:
- Task lists with filter and search options,
- Process monitoring with runtime information,
- streamlined user and rights management.
Extended functions, such as the CIB easyForm form construction kit or low-code modeling, will be offered as optional add-ons via a separate marketplace in the future. The interface will be further developed to meet the requirements of customers and the developer community.
CIB seven is designed to be platform-independent and can be operated flexibly in different IT environments. Among other things, it supports:
- Classic Java EE servers such as WildFly or JBoss,
- Servlet containers such as Apache Tomcat,
- Modern Spring Boot and Quarkus setups,
- Containerized environments via Docker,
- Kubernetes clusters (Helm charts in preparation).
This makes CIB seven suitable for on-premises scenarios as well as for use in the cloud or as part of a SaaS offering.
Yes, CIB seven fully supports external tasks - including visibility in monitoring, access via REST API, and assignment to workers. They can be executed on the server side or via external worker processes.
To improve traceability, we are currently working on extended logging, especially regarding logs, user actions, and technical errors.
CIB seven is published under the Apache 2.0 license and can also be used free of charge in commercial software solutions. This applies without restriction to the core functions of the platform.
CIB also offers flexible license models, for example:
- Licenses with SLA, security patches, and long-term support (Community+, LTS, Enterprise),
- OEM solutions for partner companies with customer-specific integration,
- License packages based on user numbers, clients or development teams.
The models are documented and tailored to typical company requirements.
CIB seven provides a fully compatible REST API that can address processes, tasks, users, and system resources. These interfaces are openly documented and are ideal for integration into existing IT landscapes.
In addition, extensions can be implemented via custom plug-ins or individual REST endpoints, an approach widely used in the OEM and enterprise sectors. The new user interface has a modular structure and can be expanded using add-ons.
CIB seven is aimed not only at user companies, but also at implementation partners and solution providers. CIB offers flexible OEM models and support services for migration, integration, and operation. CIB seven also sees itself as an open project: further development is carried out in close cooperation with customers and the developer community. Contributions from the field - whether in the form of feedback, bug fixes, or self-developed modules - are expressly welcome.
All relevant information, documentation, and demos can be found on this page and in the developer area https://docs.cibseven.de.
Data protection, cloud security, and compliance
- In which jurisdictions does your company operate?
Germany
- What data protection regulations and laws is your company compliant with?
General Data Protection Regulation (GDPR/DSGVO) and the German Federal Data Protection Act (BDSG)
- Does your company have and can provide a copy of its Data Protection Policy or Privacy Policy?
Our Data Protection Policy (in German): https://www.doxisafe.com/#/retrieve/datenschutzkonzept
- Are there any third parties with whom customers’ data is shared?
Customer data may be shared with other companies within the CIB Group. Additionally, sharing depends on the specific service usage. We use different subcontractors. We are happy to provide additional detail based on your intended usage scenario.
- Has your company suffered any data leak incidents or other data protection failures in the past?
To date, we have not experienced any major data leaks or significant data protection failures impacting client data security.
- Has your company ever been subject to data protection related investigations, fines, or legal actions?
No
- Does your company have any information security certifications such as ISO 27001?
We operate an Information Security Management System (ISMS) currently audited under TISAX. We are in preparation for ISO 27001 certification and are planning the audit for 2025.
- What is the location of datacenters where customers’ data is stored?
For SaaS services, our data centers are located in Germany. For certain AI-powered offerings, a datacenter in Ireland is used.
- What is the data retention and deletion policy in your company?
Retention and deletion depend on the type of data and regulatory requirements. For SaaS offerings, we act as the data processor and follow the instructions of the data controller. Secure deletion methods and documentation are applied in accordance with customer contracts and legal requirements.
- How often does your company release hotfixes or security patches?
For all CIB seven distributions (C+, LTS, Enterprise, OEM), security patches and hotfixes are released on a cycle of every 4-8 weeks. If there are major security breaches, a just-in-time fix will be released. (See: https://cibseven.org/en/pricing/#overview)
- Does your company publish security bulletins with vulnerability information?
No, we don't publish general vulnerability information yet. We can provide vulnerability information to the client if the client requests it and this is included in the contract.
- How can security issues or vulnerabilities be reported to your company?
We provide the client with a contact to our Support team, ICT team, or helpdesk (depending on the contract and client).
- How often are security audits conducted and when was the last time?
Regular independent and internal audits of our ISMS and systems are conducted at least annually, in line with TISAX and ISO 27001 preparation requirements. The most recent audits were performed in June 2024 (external) and March 2025 (internal).
How is data in transfer protected?
- HTTPS Protocol: All data transmission uses HTTPS with SSL certificates.
- End-to-End Encryption: Data remains encrypted throughout the entire transmission process.
- Public Network Security: Special attention to securing data when transmitted over public networks, where interception risks are higher.
- Compliance and Standards: The encryption implementation leverages AWS KMS’s proven security framework, which is designed to meet stringent compliance requirements and industry best practices.
CIB employs enterprise-grade encryption for all stored data using AWS Key Management Service (KMS), which provides the following (reference: Datenschutzkonzept):
- FIPS 140-2 Certified Hardware Security Modules (HSMs): All encryption keys are generated and stored in certified HSMs that meet the highest security standards.
- Customer Managed Keys (CMKs): CIB maintains full control over encryption keys through customer-managed keys rather than AWS-managed keys, ensuring complete ownership of the encryption process.
- Zero-Export Policy: Encryption keys cannot be exported from AWS KMS and never exist in plaintext outside the HSMs.
- Secure Key Lifecycle: Keys are only used in volatile memory during cryptographic operations and are never written to disk, ensuring maximum security.
- Authorized Access Only: Data keys must be requested by authorized personnel and are provided to developers through controlled processes.
- The encryption architecture ensures that neither AWS nor CIB can retrieve keys in plaintext, providing an additional layer of security through technical safeguards.
CIB seven supports standard authentication mechanisms to protect API access. Depending on the use case and deployment environment, this includes support for:
- Basic Authentication: (e.g., for development or internal systems).
- OAuth 2.0 / OpenID Connect: for integration with identity providers (e.g., Keycloak, Azure AD).
- The interfaces can be protected by a JSON Web Token (JWT) mechanism, but also accept Basic Auth or access tokens issued by a configured third-party identity provider.
- Multi-Factor Authentication (MFA): when used in conjunction with an identity provider that enforces MFA policies.
Yes, threat modeling is performed as part of our ISMS.
- Does your company use any secure development standards or frameworks (NIST, OWASP, etc.)?
We have our own Secure Development Environment Guidelines and Secure Development Policy.
- Does your company have and can share Software Bill of Materials (SBOM)?
For Java/Maven applications, we automatically generate SBOMs in CycloneDX format and upload them to our central Dependency-Track instance at https://dependencytrack.cib.de/ These SBOMs can be shared with the client upon request.
- Does your company use SAST/DAST tools in the development process?
We use SonarQube as our SAST tool, which is integrated into the standard Jenkins pipeline for Maven projects.
For DAST, we have experimented with OWASP ZAP, but it is not yet integrated into our development process.