Security Policy

Version: 1.0
Last Updated: November 15, 2017

This Security Policy describes the practices of Endress+Hauser Process Solutions AG, Christoph Merian-Ring 12, CH-4153 Reinach/BL (Switzerland), hereinafter “Endress+Hauser”, regarding security when you use Endress+Hauser’s web-based and mobile applications (the “Service”). We take our obligations regarding your privacy seriously and have made every effort to draft this Security Policy in a clear and easily comprehensible manner.

Introduction

This Security Policy affects your use of the following online Services:

  1. The IIoT website (https://iiot.endress.com/) within the responsibility of Endress+Hauser;
  2. Web-based Services related to the IIoT offering;
  3. Mobile Applications (“Apps”) as part of the Service.

Vulnerability Reporting

If you have identified a vulnerability, please report it via a support ticket. A ticket can be created within the Endress+Hauser Service. Our support personnel will take care of your report.

Authentication

The Endress+Hauser Service, including Apps, requires a strong user password for your account. To prevent unauthorized account access, replace passwords and keys if they are lost or disclosed. In your profile settings you are able to look up the last login in order to identify unauthorized access. We protect your login from brute-force attacks with rate limiting. All passwords are filtered from all our logs and are stored in the database only as one-way bcrypt hashes.

Communication

The communication channel to our cloud service is always established via a secure, encrypted HTTPS connection. All payload data is thereby encrypted according to industry standards, and our cloud servers are authenticated by a certificate issued by a globally recognized certificate authority.

Data Security

Endress+Hauser’s physical infrastructure is hosted and managed within Amazon’s secure data centers and utilizes Amazon Web Services (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon’s data center operations have been accredited under:

  1. ISO 27001
  2. SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  3. PCI Level 1
  4. FISMA Moderate
  5. Sarbanes-Oxley (SOX)

The Amazon data centers we use are located in Frankfurt, Germany, and/or in other AWS data centers within the European Union/European Economic Area (EEA) only. For more information regarding data center security, please refer to https://aws.amazon.com/security.

File System and Backups

We continuously and regularly back up the whole system to help prevent data loss and to provide system recovery in case of loss. Security requirements and measures for backups are the same as those for the production system.

Field Connectivity

The Edge Device, if one is in use, reads data from the field and transmits it to the cloud. No communication is initiated in the other direction, from the cloud to the Edge Device; accordingly, all incoming ports from the internet to the Edge Device are blocked. The only exception to this rule is software updates and configuration for the Edge Device, which arrive as the payload returned by an outbound call made by the Edge Device. To guarantee safe downloads, these updates are digitally signed and verified against the original file to prevent manipulation.

Employee Access

No Endress+Hauser employee ever accesses customer data unless required to do so for support reasons. Support staff may sign into your account to access settings related to your support issue. When working on a support issue we respect your privacy: we only access the files and settings needed to resolve your issue. All Endress+Hauser employees with possible access to customer data are regularly trained on policies related to accessing personal data and data privacy.

Maintaining Security

We maintain relationships with reputable security firms to perform ongoing audits (e.g. EuroCloud Star Audit) of Endress+Hauser Services. Further, we perform regular penetration tests.

Credit Card Security

When you sign up for a paid account on the Endress+Hauser Service, we do not store any of your card information on our servers. It is handed over to the payment service provider “Stripe”, a company dedicated to storing your sensitive data on PCI-compliant servers.

Any Questions?

If you have questions or comments regarding this Security Policy, please contact Endress+Hauser or our data protection officer at: service@solutions.endress.com