Read our cybersecurity FAQ to learn about the measures that Siemens Digital Industries Software (DI SW) takes with the security of our systems.
Yes. Data in our solutions has zero access by default. Customer administrators will grant or remove access to users. Within SISW, we review accounts for least-privilege access quarterly. This model includes segregation of duties, the “need to know” principle, and a request and approval process for all access requests.
Access to the production environment is controlled through a designated set of access points and restricted to specific, privileged team members. Depending on where the production assets are located, users are authenticated to these access points using company credentials combined with hardware multifactor authentication (MFA). Passwords, along with two-factor authentication, are used to access network devices. These credentials are restricted to authorized individuals and system processes based on job responsibilities and are changed periodically.
The Siemens Industry Software (SISW) SaaS Information Security Policy includes access control requirements, including user access management, privileged access, access review, multifactor authentication, password expiration, length, lockout and complexity. This policy also details requirements for registration and de-registration processes, access restriction, credential best practices and reviews of user access rights.
Yes. The SISW Facilities department is responsible for assessing our physical locations, applying physical security measures, and adjusting those measures on an ongoing basis. Physical access control mechanisms (e.g., identification badges, controlled reception, cameras, access logging) are implemented at office buildings, data centers and other locations.
SISW maintains various information security certifications, including ISO 27001/17/18, SOC2, TISAX, Cloud Security Alliance (CSA) STAR Level One CAIQ and Cyber Essentials Plus.
For more information, see the System Certificates page.
Guided by numerous Siemens Industry Software (SISW) policies, we have implemented, and continue to monitor, a significant number of the controls in NIST SP 800-53 to ensure that security best practices are applied. Our policies also align with the ISO 27001 and SOC 2 compliance frameworks.
Yes. SISW has implemented technical and organizational measures (TOMs) based on data protection principles to protect our systems, meet GDPR requirements, and protect the rights of data subjects.
For details on our TOMs, see Annex II to our Data Privacy Terms.
Procedures for respecting the rights of data subjects are found in our Data Privacy Terms, Section 10, which describes how data subject rights are handled in compliance with GDPR. SISW will notify the customer without undue delay if SISW receives a request from a data subject to exercise their rights as a data subject (such as the right to access, rectification, erasure or restriction of processing). SISW will then assist the customer with technical and organizational measures so that the customer can fulfill its obligation to respond to such requests and comply with applicable data protection law.
See Data Privacy Terms.
Does your organization have a structured 'Data Protection by Design/Default' approach when implementing new technologies? How do you make data protection an essential component of the core functionality of your processing systems and services?
Yes. The SISW SaaS Information Security Compliance Policy ensures that our Legal, Data Privacy, and Compliance organizations review applicable local legislative, statutory, regulatory, and contractual requirements, and document and issue guidance as required by law, supported by the “Privacy by Design” tool and process.
For Siemens, Privacy by Design means that legality, transparency, informational self-determination, data economy and data security are already considered when developing our products and services. Privacy by Design is firmly integrated into our product development processes. We consider Choice and Consent, Data Minimization, Access, Security, and Data Accuracy and Quality when developing products and services.
Yes. The Siemens Industry Software (SISW) SaaS Secure Development Policy establishes guidelines and requirements for software development and source code repositories. This policy includes guidelines for security throughout all phases of the software and services development lifecycle, maintenance of source code in approved repositories (including logging and monitoring), secure development training for software engineers and programmer analysts, and requirements for secure development, testing, and operational environments.
The Open Worldwide Application Security Project (OWASP) standards directly inform our secure coding practices. A combination of security testing (such as penetration, static and dynamic analysis) looks for OWASP’s “Top 10” web application security risks and identifies any potential issues. Critical issues are addressed as soon as possible, while lesser issues are planned for future releases if not addressed immediately.
Yes. Both data in-transit and data at-rest (including backups) are encrypted based on the Siemens Industry Software (SISW) SaaS Cryptography Policy.
Yes. SISW employees are required to undergo security awareness training on an annual basis, implemented based on the SISW SaaS Security Awareness Policy. Topics include secure use of programs and tools, phishing methods, password security and multifactor authentication, information classification, mobile working/home office security, secure communication and more.
Yes. Nondisclosure is addressed in the Company Directives, which must be reviewed and signed by staff annually. Partners and subcontractors are required to follow the same level of security as Siemens and adhere to our Nondisclosure Agreement and Rules for Business Partners, which define the proper handling of confidential information. By default, all customer data is labeled/treated as confidential.
Yes. Our uptime Service Level Agreement (SLA) varies depending on a customer's selected service level. Standard = 95%, Silver = 99.5%, Gold = 99.95%.
For details, see the Cloud Support and Service Level Framework (“Cloud SLA”).
Yes, via our Gold support service level.
See our Cloud Support and Service Level Framework (“Cloud SLA”) for details.
Yes. Unless otherwise specified in the Support Center, Cloud Services have a Regular Maintenance Window weekly per served region as follows:
SISW reserves the right to extend or change the times of the Regular Maintenance Window. SISW will use commercially reasonable efforts to notify the customer at least seven days before any such change or any scheduled maintenance.
Yes. Through our standard support measures, a daily backup is maintained for two weeks, and a monthly backup is maintained for three months. Following the same access and encryption processes as the original data, all object data is backed up into a secondary system account/data center in the same geographic region as the original data.
For more information on data retention and our Silver and Gold level options, see the Cloud Support and Service Level Framework (“Cloud SLA”).
Yes. The SISW SaaS Business Continuity Management Policy defines the rules by which the business overcomes an event that requires backups and disaster recovery mechanisms. It addresses the company’s recovery from high-severity incidents (disasters) for its critical processes. The policy contains requirements for information security management processes, criteria, and ownership to successfully sustain the business in adverse situations.
Procedures for restoring data from backups are tested at least annually and are reviewed as part of internal and external audit processes. Backup restore is tested according to the SISW SaaS Data Backup and Recovery Policy.