Security FAQs
Find the answers to common data security questions about App Xchange.
Privacy and Data Security Questions
What protocol does App Xchange use for data transfer to and from the customer?
App Xchange uses HTTPS web services and REST API.
Does App Xchange maintain backup copies of sensitive customer and business data?
Yes, but App Xchange only maintains backup data that must maintain state or does not expire.
Does App Xchange encrypt backup copies of sensitive data?
Yes, App Xchange encrypts backup data at rest and in transit.
What encryption mechanism does App Xchange use to back up data?
App Xchange uses AES256 encryption to back up data.
What are App Xchange’s retention policies for customer data?
App Xchange stores customer data based on country-specific business, legal, and global regulatory specifications.
What data isolation options are available on the platform?
Data brought into the platform is located in North America. The App Xchange team is currently evaluating user needs to prioritize expanding data isolation capabilities in alignment with Trimble policies on data privacy and protection. If there is a need for any particular data isolation options to build a new App Xchange connector or integration, please let us know.
Authentication & Authorization Questions
Does App Xchange authenticate and verify user access rights before disclosing information or granting access to business functionality?
Yes.
What standards does App Xchange use to store user passwords?
App Xchange hashes user passwords with SHA-256 or PBKDF2 cryptographic functions.
Does App Xchange enforce password expiration and password rotation policies for all users’ local, administrative, and system account passwords?
Yes.
What type of administrative access is allowed to App Xchange?
App Xchange only allows internal administrative access.
Does App Xchange restrict root and sudo access?
Yes.
Does App Xchange have controls and processes to ensure immediate removal of system access which is no longer required for business purposes?
Yes.
Application Security Questions
Are APIs exposed to the customers?
Yes. APIs are available to assigned customers. They are protected with access and authorization controls and may be disabled.
What is the keychain size?
The keychain size is 2048 bytes.
How are client data and metadata accessed, analyzed, and shared with cloud partners and providers? Is metadata sent to advertising and external analytics?
Client data and metadata are not collected, analyzed, or shared with third parties.
Is data segregated between different customers that are stored in a shared environment?
Yes. Data is logically segregated using a customer ID with strong validated access controls.
Does App Xchange provide anti-virus and malware scanning capabilities before storing files on destination servers?
No. Shared files are text files (i.e. configuration files) with strict parsing controls and input parameter validation.
Does App Xchange have a policy to prevent malware execution on organizationally owned or managed end-point devices used by administrators (i.e., issued workstations, laptops, and mobile devices)?
Yes.
Does App Xchange’s software development standard address the OWASP Top 10 and CVE common web application coding mistakes?
Yes.
How often is App Xchange’s SSL certificate renewed?
App Xchange renews its SSL certificate annually.
How does App Xchange manage SSL certificates?
App Xchange uses an SSL Certificate signed by Trusted Certificate Authority.
What is the signature algorithm for App Xchange’s SSL certificate?
SHA-2 is the signature algorithm for the SSL certificate.
Infrastructure Security Questions
Does App Xchange isolate the management network from the application network?
Yes.
What is App Xchange’s hosted infrastructure service provider?
Microsoft Azure Platform is App Xchange’s hosted infrastructure service provider.
Support and Operations Questions
How are App Xchange’s environments set up to support the platform and overall solution?
App Xchange provides local, development, test, staging, and production environments for each phase of the development process.
Is there a Change Control Board in place that reviews and authorizes routine and emergency modifications to App Xchange systems?
Yes.
What source of test data does App Xchange use in testing environments?
No production data is ever copied into App Xchange testing environments. When customer testing environments are leveraged for use case/validation/usability testing, the customer retains control of the dataset.
Vulnerability Management Questions
Does App Xchange allow customers to perform an independent 3rd party vulnerability assessment on its systems?
This procedure does not currently exist. However, exceptions can be made with appropriate approvals, change control, and cost reimbursement.
Does App Xchange track third-party software and libraries in the product and identify vulnerabilities?
Yes.
Does App Xchange have the capability to rapidly patch zero-day vulnerabilities?
Yes.
Does App Xchange have the capability to rapidly patch vulnerabilities across all of its computing devices, applications, and systems?
Yes.
How often does App Xchange run Application Vulnerability reports?
App Xchange runs Application Vulnerability reports at least once every 12 months.
Logging and Auditability Questions
How does App Xchange log changes to its systems?
App Xchange uses multiple methods depending on the functional process, including local files, database tier, development work management, and tracking tools.
Do logs contain sensitive data?
No.
Is access to audit logs restricted to authorized users only?
Yes.
How long are audit logs retained?
Audit logs are retained for more than 60 days.
Incident Analysis and Forensic Questions
Does App Xchange have a notification process to inform impacted customers in case of a security incident or breach?
Yes.
Have there been any security incidents or breaches within the last six months?
No.