Version: 2.1
Last Updated: September 22, 2022
Note: Only the English version of the Security Policy is legally binding.
THIS SECURITY POLICY DESCRIBES THE PRACTICES OF ENDRESS+HAUSER PROCESS SOLUTIONS AG, CHRISTOPH MERIAN-RING 12, CH-4153 REINACH/BL (SWITZERLAND), HEREINAFTER “ENDRESS+HAUSER”, REGARDING SECURITY WHEN YOU USE ENDRESS+HAUSER’S WEB-BASED AND MOBILE APPLICATIONS (THE “SERVICE”). WE TAKE OUR OBLIGATIONS REGARDING YOUR PRIVACY SERIOUSLY AND HAVE MADE EVERY EFFORT TO DRAFT THIS SECURITY POLICY IN A CLEAR AND EASILY COMPREHENSIBLE MANNER.
This Security Policy affects your use of the following online Services:
If you have identified or have been informed of a technical vulnerability which is or may be relevant for the Netilion services, please report it to the PSIRT@endress.com email address.
Endress+Hauser takes all necessary and reasonable measures to protect your information and privacy. However, should you experience a data breach, e.g. by finding your information on platforms not related to Netilion or by getting access to information which is not yours, please report such incidents immediately to QM.PCPS@endress.com, mention “Data Breach” in the email subject and provide as much information on the incident as you reasonably can. Such incidents will be treated promptly and confidentially by our experts.
All other information security incidents shall be raised via a support ticket. The conditions, response times and procedure for the resolution of the incident are described in the Netilion Service Level Agreement (SLA).
The Endress+Hauser Service, including the Apps, requires a strong user password for your account. To prevent unauthorized account access, replace passwords and keys if they are lost or disclosed. In your profile settings you are able to look up the last login in order to identify unauthorized access. We protect your login from brute force attacks with rate limiting. All passwords are filtered from all our logs and are stored in the database only as one-way bcrypt hashes. Users are solely responsible for the storage and protection of their personal passwords outside of the Netilion environment.
The communication channel to our cloud service is always established via a secure and encrypted HTTPS connection. Thereby all payload data is encrypted according to industry standards, and our cloud servers are authenticated by a certificate issued by a globally recognized certificate authority.
Endress+Hauser’s physical infrastructure is hosted and managed within Amazon’s secure data centers and utilizes the Amazon Web Service (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon’s data center operations have been certified according to:
The Amazon data centers we use are located primarily in Frankfurt, Germany and Dublin, Ireland. Should further AWS data centers be used, they are selected from locations within the European Union/European Economic Area (EEA) only. For more information regarding data center security please refer to https://aws.amazon.com/security.
Endress+Hauser has implemented an information security management system (ISMS) according to ISO 27001 and ISO 27017. Endress+Hauser’s ISMS is certified by an independent third-party certification body (SQS) and regularly audited. The certificates can be downloaded here: https://www.endress.com/en/Endress-Hauser-group/endresshauser-at-a-glance/cybersecurity/cybersecurity-certification.
Please note that Endress+Hauser’s information security measures aim to protect customer process and personal information and are therefore not compatible with the storage of the following information or information types:
Endress+Hauser shall not be held responsible for any non-compliance issues, legal procedures or any other such incident of the customer related to the storage of the above-mentioned information or information types.
We continuously and regularly back up the whole system to help prevent data loss and to provide system recovery in case of loss. Security requirements and measures for backups are the same as those for the production system.
The edge device, if one is in use, interacts with the field devices and transmits information to the cloud. No communication is initiated from the cloud to the edge device; accordingly, all incoming ports from the internet to the edge device are blocked. The edge device regularly checks with the cloud whether actions shall be initiated according to the subscribed services, such as, but not limited to, firmware updates, configuration changes for the edge device, or requests for information or actions from the field devices. These actions are not initiated by the cloud, and there is no pass-through communication from the cloud to the field devices. The only incoming communication is thus a response to an outbound call from the edge device. Incoming payloads are limited to firmware updates for the edge device. To ensure the safe download of updates, these are digitally signed and checked against the original file to prevent manipulation.
No Endress+Hauser employees ever access customer data unless required to do so for support reasons. Support staff may sign into your account to access settings related to your support issue. When working on a support issue we do respect your privacy; we only access the files and settings needed to resolve your issue. All Endress+Hauser employees with possible access to customer data are regularly trained on policies related to accessing personal data and data privacy.
For the setup of the Netilion environment, very few employees with an admin role have privileged access rights, enabling access to the Netilion backend and therefore to the customer’s information through the databases. These few admins are highly trained employees who have also signed dedicated agreements prohibiting them from ever accessing customer information.
As part of its certified ISMS, all employees of Endress+Hauser are regularly trained on information security.
We maintain relationships with reputable security firms to perform ongoing external technical audits (penetration testing) of Endress+Hauser Services according to international standards such as ISO 27001.
When you sign up for a paid account on the Endress+Hauser Service, we do not store any of your card information on our servers. This is handed over to the Payment Service Provider “Stripe”, a company dedicated to storing your sensitive data on PCI-compliant servers.
If you have questions or comments regarding this Security Policy please contact Endress+Hauser: service.ehds@endress.com or via our contact form.