Compliance, Security, and Privacy
Compliance certifications
ISO/IEC 27001:2013 is an international standard for information security management that specifies best practices and comprehensive security controls for information security. ISO/IEC 27001 consists of 114 controls covering 14 different security categories, including access controls, asset management, physical security, and development security.
In adopting this standard, Trimble Cloud Core Platform has developed standards and procedures to help ensure the security of our systems and the data contained within them. This standard ensures that Trimble Cloud Platform:
- Evaluates information security risks
- Develops and follows efficient operating procedures
- Implements controls to ensure information security
- Manages security in a holistic and comprehensive manner
ISO/IEC 27001 compliance is audited annually by independent, third-party auditors. These audits provide validation that security controls are in place and operating effectively. Trimble Cloud Platform’s compliance with the ISO 27001 standard provides evidence of our commitment to security and our effort to follow industry best practices.
Cloud Platform Services Certified in 2022
- Trimble Identity
- API Cloud v2
- API Cloud v3
- Cloud Console v3
- Data Ocean
- Processing Framework
- EMS v4
- Search
- IoT
- Profiles
- AuthZ
- Events
- Data Hub
- Invitation Service
Cloud Service Providers in scope:
- AWS
- Azure
Within Trimble, the ISO/IEC 27001 certification process is managed by the Trimble Cloud xOps Compliance team. xOps has written and maintains policies based on the ISO standard, employs an individual responsible for conducting internal audits, and coordinates the external audit process.
To be included in the Trimble ISO/IEC 27001 certification, individual groups within Trimble need to comply with policies written by xOps and undergo an internal and external audit. Learn more about the services provided by Trimble Cloud xOps.
Security Questionnaires, CAIQ
Trimble Cloud Core Platform maintains a Consensus Assessment Initiative Questionnaire (CAIQ) v3.1. Trimble product teams can use it to answer security questionnaires from enterprise customers. Answers from this CAIQ should not be used to represent the security posture of all of Trimble or of a specific product; they must be combined with answers from the product's own perspective to answer a customer's questionnaire holistically.
Penetration Testing
Trimble Cloud Core Platform regularly utilizes an external vendor to conduct penetration tests against Core Services. The latest executive summary for penetration tests can be found here. This information is Trimble Confidential and should not be shared with customers without approval.
Source Code Sharing Policy
Except for what we have contributed to Trimble Innersource, Trimble Cloud does not allow access to the source code of Core Services as part of maintaining its ISO/IEC 27001 certification, and the majority of Core Services are categorized as Enterprise Critical in the Trimble Security Portal. ISO/IEC 27001 imposes strict standards for both change control and access control to ensure security is maintained: change management for the purposes of quality control in our Production environments, and access controls to avoid exposure and exploitation of any security features or potential vulnerabilities unknown to the team.
Trimble Cloud is committed to transparency and will provide as much documentation as it can to enable integrators to seamlessly adopt its services while maintaining compliance with its certifications.