Security
Cloud Infrastructure
Trimble Transportation hosts its cloud infrastructure with industry-recognized cloud service providers, including Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). These providers operate secure data centers worldwide with physical access controls, protection from environmental hazards, and redundancy for continued high availability in disaster scenarios.
Our Cloud Service Providers document their security capabilities and compliance certifications accordingly via their respective channels noted below.
Shared Responsibility
Cloud and data security are shared responsibilities between the cloud infrastructure provider and the client using the cloud solution. In our case, this means we rely on our cloud service providers for the security of the cloud infrastructure itself, and we are responsible for security in the cloud environment we build on it.
At Trimble Transportation, we ensure the infrastructure security and high availability of our cloud solutions by implementing industry best practices. These include hardened hosts with scheduled patching, isolated VPCs, data encryption, role-based access control, and security groups.
Customers are responsible for customer-side encryption, data integrity, security, and data protection. For products in which the customer retains ownership of the user onboarding and offboarding process, the customer is also responsible for identity and access management.
When each party does its part, we maintain a high level of operational security.
Data Protection
Trimble Transportation implements standard technical and administrative safeguards to protect your customer data by maintaining logical access controls and a multi-layered and measured security program.
Standard cryptographic algorithms and protocols, such as AES for data at rest and TLS for data in transit, are used where applicable. Employee workstations are encrypted.
Incident Response
In addition to standard event monitoring, endpoint protection and the alerting and logging of security events are managed by the 24x7 Trimble Security Operations Center (SOC).
Trimble maintains a formalized Incident Response Plan which defines the standardized procedures to identify, report, triage, assess, and address security incidents. The plan includes guidance for notifying the appropriate internal and external parties where necessary based on incident severity, nature, and applicable law.
Training and Education
Employees undergo annual business ethics, cyber security, and data protection training. Developers have access to additional role-based training which covers technical concepts, such as security architecture, design, and tooling.
Trimble Secure Development Life Cycle (TSDLC)
At Trimble Transportation, we build security into the whole development lifecycle. We use industry standards wherever possible to ensure consistency and best practices across the organization and in all the products and services we deliver.
We continuously perform 24x7 security monitoring, vulnerability scanning, intrusion detection, dynamic and static application analysis, and analysis of open-source components in our solutions. Regular security assessments are performed both internally and by external parties as needed.
Availability
Disaster Recovery
Trimble Transportation maintains disaster recovery plans covering both disaster prevention and recovery. We aim to provide a robust recovery plan should any disaster occur, while taking all possible steps to prevent such a situation. Our prevention and recovery plans:
- Reduce the likelihood of a disaster.
- Implement contingency plans to restore partial or full service as soon as possible after an incident has occurred.
- Keep customers informed of the situation as it develops.
We maintain internal targets for Recovery Time Objective (RTO), the maximum time expected to restore the system to operation, and Recovery Point Objective (RPO), the maximum expected loss of data in the event of a disaster.
Data Backups
We actively maintain data backups to expedite restoration in the event of data corruption, inconsistency, or loss.
Service Monitoring
We continually monitor the performance of our services to detect and prevent possible incidents. We consolidate views from log parsing, infrastructure monitoring, and application performance management (APM).
Confidentiality
Personnel Security
America’s Trimble Transportation employees sign a confidentiality agreement and agree to comply with the Trimble Code of Business Conduct and Ethics upon hire. Background screening is performed for employment candidates where legally permissible and in accordance with applicable local law and employment regulations.
Employee workstations are encrypted and run industry-standard endpoint security software.
Vendor Management
Third-party vendors are evaluated, onboarded, and managed throughout the relationship lifecycle via a formalized vendor management process. Before sharing information designated as confidential with a third party, Trimble requires the execution of applicable non-disclosure agreements.
Vendors are subject to a risk-based evaluation prior to onboarding, and existing vendors are subject to a risk-based annual review.
Trimble’s Third Party Code of Conduct prescribes its ethical expectations of vendors and business partners.
Processing Integrity
Change Management
Trimble Transportation has implemented formalized change management processes consisting of testing, approval, and post-implementation validation workflows.
Production is logically segregated from test and development environments.
Input Validation & Error Handling
Trimble Transportation values the accuracy, correctness, and precision of data. We implement standard practices to validate inputs, and we employ standard tools and techniques to identify and resolve errors.
We measure, reconcile, and report on data completeness and on the recovery of missing or unusable data. Within Trimble Transportation products, visible warning notices are displayed when errors occur, and error pages are retained to support further troubleshooting.
Privacy
Data Classification and Handling
Trimble Transportation maintains an approved Data Classification Policy which establishes the framework for labeling and protecting company data.
Data Retention and Deletion
Data is retained in accordance with Trimble’s data retention schedule and then systematically deleted, unless otherwise specified.
Governance
Trimble’s Office of Data Protection (ODP) is responsible for supporting the enterprise’s data protection compliance strategy and ensuring the program is kept current. An executive steering committee, the Data Protection Council, has likewise been established for functional oversight and escalations, where necessary. Data Protection Champions are integrated throughout the business to facilitate organizational maturity.
For further privacy information, please refer to the Trimble Privacy Center.