Read our cybersecurity FAQ to learn about the measures that Siemens Digital Industries Software (DI SW) takes with the security of our systems.
Yes. Data in our cloud services, by default, has zero access. Customer administrators will grant or remove access to users.
Within Siemens Digital Industries Software (Siemens), we review cloud accounts for least-privilege access quarterly. This model includes segregation of duties, the “need to know” principle, and a request and approval process for all access requests.
Access to the production cloud environment is controlled through a designated set of access points and restricted to specific, privileged team members. Users authenticate to those access points with company credentials and, depending on where the production assets are located, hardware multi-factor authentication (MFA). Passwords combined with two-factor authentication are used to access network devices. These credentials are restricted to authorized individuals and system processes based on job responsibilities and are changed periodically.
Applicable access control requirements also include user access management, privileged access, access review, multi-factor authentication, and password expiration, length, lockout, and complexity, along with requirements for registration and de-registration processes, access restriction, credential best practices, and reviews of user access rights.
Yes. Siemens Facilities department is responsible for assessing our physical locations, applying physical security measures, and periodically adjusting those measures as needed. Physical access control mechanisms (e.g., identification badges, controlled reception, cameras, access logging) are implemented at office buildings, data centers, and other Siemens locations.
We maintain various information security certifications, including ISO 27001, ISO 27017 and ISO 27018, SOC 2, TISAX, Cloud Security Alliance (CSA) STAR Level One CAIQ, and Cyber Essentials Plus.
For more information, see the System Certificates page.
We have implemented and continue to monitor a significant number of the controls in NIST SP 800-53, and our guidelines are aligned with the ISO 27001 and SOC 2 compliance frameworks.
Yes. We have implemented technical and organizational measures (TOMs) based on data protection principles to protect our systems, meet GDPR requirements, and protect the rights of data subjects.
For details on Siemens' TOMs, see Annex II to our Data Privacy Terms.
Procedures for addressing the rights of data subjects are found in our Data Privacy Terms, Section 10, which describes how data subject rights are handled in compliance with GDPR. Generally, Siemens will notify the customer without undue delay if Siemens receives a request from a data subject to exercise their data subject rights (such as the right to access, rectification, erasure, or restriction of processing). Siemens will then assist the customer with technical and organizational measures for the fulfilment of its obligation to respond to such requests and to comply with applicable data protection law.
See Data Privacy Terms.
Does your organization have a structured "Data Protection by Design/Default" approach when implementing new technologies? How do you make data protection an essential component of the core functionality of your processing systems and services?
Yes. For Siemens, Privacy by Design means that legality, transparency, informational self-determination, data economy and data security are already taken into account when developing our products and services. Privacy by Design concepts are therefore integrated into our product development processes where applicable.
Yes. We have established guidelines and requirements for software development and source code repositories, which include guidelines for security throughout the software and services development lifecycle. These guidelines cover topics like maintenance of source code in approved repositories (including logging and monitoring), secure development training for software engineers and programmer analysts, and requirements for secure development, testing, and operational environments.
Our coding practices are directly informed by the Open Worldwide Application Security Project (OWASP) standards. A combination of security testing (such as penetration, static and/or dynamic analysis) is implemented to identify OWASP’s “Top 10” web application security risks and related issues. Any critical issues found are addressed as soon as feasible, while lesser issues are typically addressed in future releases.
Yes. Both cloud data in-transit and data at-rest (including backups) are encrypted.
Yes. Our employees are required to undergo security awareness training on an annual basis. Topics covered in that training include secure use of programs and tools, phishing methods, password security and multifactor authentication, information classification, mobile working/home office security, secure communication, and more.
Yes. Nondisclosure is addressed in the Siemens Company Directives, which every employee agrees to adhere to in their employment agreement. Our agreements with our partners and vendors also include confidentiality obligations and implement Siemens’ Rules for Business Partners, which define the proper handling of confidential information.
Yes. Our uptime SLA varies, depending on the service level tier applicable to the respective cloud service.
Standard = 98%
Enhanced = 99.5%
Maximum = 99.95%
(Enhanced and Maximum availability may not be available for every cloud service)
For details, see the Cloud Support and Service Level Framework (Cloud SLA).
Yes, via our Gold support service level.
See our Cloud Support and Service Level Framework (Cloud SLA) for details.
Yes. Unless otherwise specified in the Support Center, Cloud Services have a Regular Maintenance Window weekly per served region as follows:
Customers may subscribe to be notified automatically of scheduled downtimes in our Support Center.
Yes, we back up customer data hosted through our cloud services. All cloud services provided under our standard service level perform a daily backup, which is retained for two weeks, and a monthly backup, which is retained for three months. Following the same access control and encryption processes as the original data, all object data is backed up to a secondary system account/data center in the same geographic region as the original data.
For more information on data retention and Siemens’ Enhanced and Maximum level options (availability varies per product), see Section 3.1 in the Cloud Support and Service Level Framework (“Cloud SLA”).
Yes. We implement requirements for information security management processes, criteria, and ownership to sustain the business in adverse situations.
Procedures to restore data from backups are tested at least annually and are reviewed as part of internal and external audit processes.