Fiix Trust Portal

Cybersecurity is a top priority here at Fiix. As a cloud-based software service, we treat our responsibility for your data with the utmost seriousness. That’s why we maintain compliance with the most stringent information technology standards. Below you’ll find a detailed breakdown of everything we do to keep your data safe and secure.

Our efforts extend not only to the privacy and security of your data, but also its integrity and availability.


Data confidentiality

Only authorized parties have access to your data.


Data integrity

Controls are in place to ensure that your data is protected from errors and corruption.


Data availability

Network security and availability are built into our platform so you can access your data anytime, anywhere.


Data privacy

Private data is identified and protected according to applicable laws, rules and regulations.

We don’t take your trust for granted. It’s the foundation of our partnership together, and it’s why we continue to seek out new cybersecurity standards and certifications to meet.

Check back regularly on this page to learn about the updates we’re making in our mission to serve you better.

Note: On this page, “Fiix” collectively refers to both Fiix CMMS and Fiix Asset Risk Predictor.

Questions? We’re here for you. Reach out to us anytime at support@fiixsoftware.com

Compliance


ISO 27001

Fiix is ISO 27001:2022 certified. All Annex A controls were applicable and addressed.

ISO 27017

Fiix is ISO 27017:2015 certified.

SOC 2 report

Available on request: please contact the Fiix Trust Portal by email.

Business continuity and service resilience

Fiix’s microservice architecture enables it to provide consistent availability and scalability to its platforms. This architecture enables faster, more iterative changes, and allows “Service teams” to deliver technical solutions independently of each other. Fiix utilizes a multi-data-center, multi-availability-zone design to provide resiliency for its platform.

Customer data is backed up to a remote location. Data is then continuously backed up to a secondary cloud location that is geographically remote from the primary site. Backup jobs are monitored by IT personnel for completion and exceptions. In the event of an exception, IT personnel perform troubleshooting to identify the root cause and then re-run the backup job immediately, or as part of the next scheduled backup job. Access to backup infrastructure is secured in an isolated AWS account, with access restricted to a minimum of approved personnel.

Secure SDLC

Fiix’s software development philosophy is based on the Rockwell Automation Product Lifecycle (RAPL), which emphasizes and prioritizes product security and safety. It follows a Design for Security (DfS) approach that requires rigorous vetting of components, methods, and techniques. Development operations include dynamic and static scans, as well as a second-level verification of functionality and security. Only secure builds are permitted in the production environment. Prior to the initiation of new applications and major upgrades, the security and privacy concerns and implications are documented and a risk analysis is conducted. Throughout the design and development phase, automated checks are imposed, and a manual review and penetration test are conducted at the end of the build, before the code or feature is released.

Network security

Network security is a critical requirement for Fiix products, and due care is taken to develop and maintain a secure network for customers and employees. Measures enacted include network segmentation with appropriate zoning, a zero-trust approach to resource access, network monitoring, rapid response, and ingress/egress traffic examination. Security has been designed into the network itself, helping to support the correct functioning of security controls. From the edge to the internal core, traffic is policed and monitored.

Shared cloud security responsibility model

Fiix operates a shared security responsibility model that requires the participation of the platform and the customer in managing the security of the tenant and any data hosted therein. Fiix secures its cloud platform and the underlying subsystems. It also provides customers the capability to set and enforce their own security policies with features such as Tenant firewall, access control, Single Sign-On, and event management and monitoring, amongst several other controls.

Virtualization security

As a multitenant platform, Fiix acknowledges that virtualization security and reliable tenant isolation is critical to the service provided. To this end, the platform is built on an industry-trusted and tested virtualization platform, and has chosen an architecture that supports multitenancy and prevents the cross-contamination of data. These controls are tested regularly to ensure that they remain effective. The efficacy of these controls is the subject of continuous improvement, audits, and product development efforts to provide confidence about the security of customer data.

Application security

All aspects of code development and access are securely managed. Through an automated and manual process of unit and integration testing, the security of each piece of code and feature set is established. Code repositories follow the access control policy, and any changes to the repositories are policed to validate that the change is valid, authorized, and safe. Application security testing covers all of the OWASP Top 10 security concerns.

Significant vendors

Fiix depends on certain sub-vendors to deliver its services. Fiix ensures the contractual agreement with these vendors is more than sufficient to deliver the availability and security SLA expected by customers. Below are the critical vendors used for the delivery of service:

  1. AWS - Cloud Hosting
  2. Github
  3. Auth0
  4. Datadog
  5. Confluence
  6. Microsoft Azure

Privacy notice

Fiix complies with data privacy regulations from multiple jurisdictions. The Fiix by Rockwell Automation cloud privacy notice is published as a separate page.

Security scanning statement

Security scanning is conducted on the Fiix application and the infrastructure that supports and delivers the application. The scans include the following:

  1. Attack surface scanning
  2. Network scanning
  3. Cloud security posture scanning
  4. Application dynamic and static scan
  5. Public security reputation scanning

These scans provide us with a large amount of intelligence about the security of our systems, and we immediately initiate remediation actions to rectify any risky conditions.

Network security statement

Fiix is hosted in a network environment that features a defensible architecture that includes the use of multizoned firewalls, intrusion detection and prevention systems, and network security groups. Traffic flows and ports are policed to permit only expected and authorized traffic.

Access control statement

Fiix has implemented a resilient access control policy that includes controls such as least-privilege access, multi-factor authentication, and privileged access controls. The application also gives customers the capability to deploy additional controls according to their own internal policies, so that each customer can further govern its own access to the application. Internally, access to the Fiix cloud platform is tightly restricted and requires multiple layers of authentication, including multi-factor authentication.

Identity management

Identity security is critical and Fiix is designed to provide enterprise-level identity management. This can optionally be a shared security control, where we provide you with the tools to manage identities based on your own internal security policy and using the identity management suites already familiar to your company.

Vendor and supply chain security

Fiix appreciates the criticality of supply chain security and third-party security. For this reason, Fiix maintains a detailed inventory of all the components that go into the application. This is maintained in a detailed Software Bill of Materials (SBOM), which is reviewed continuously for the risk of compromised contents. Furthermore, Fiix tracks all suppliers and third-party providers by requesting and reviewing their SOC 2 reports and conducting a due diligence risk review prior to engaging the vendor, and on an ongoing basis thereafter. Only secure and authorized vendors are used as sub-processors. Contracts also include information security requirements and minimum security requirements to which vendors and suppliers must adhere.

Internal control and audit

Fiix has implemented an Information Security Management System (ISMS) based on ISO 27001. This system calls for strong internal control and continuous improvement. Fiix is audited internally and is rapidly iterating and optimizing its controls on an ongoing basis. Internal audits examine all aspects of the ISMS for any deficiencies, non-compliance, and violations. Corrective actions and corrective action plans are implemented afterwards. The management team is also made aware of significant audit findings. These findings are deliberated and additional controls are applied where necessary.

Incident response and notification

Fiix is supported by a robust incident management process. The process originates with a large array of system signals that are monitored for adverse conditions. We also maintain contact channels by which users and customers can escalate incidents. Internal sources and external sources are polled continuously and the signals are triaged to isolate the most significant. A tier 1 team responds to incidents and can escalate to a tier 3 level if necessary. Incidents are contained and notifications are sent through secured channels to the right entities. A post-incident analysis is used to improve the process on an ongoing basis. Table-top exercises are also conducted periodically to test and improve the overall incident management process.

Change control and quality management

Fiix is committed to the secure management of change. For this reason, it has implemented a change management policy and process compliant with ISO 27001. In this process, all configuration items are tracked and all system states are recorded. According to the policy, all changes must be documented, along with a testing plan and a roll-back plan. Once approved, the change is carried through and the new system state is reviewed. Significant changes must undergo a risk assessment before being carried out. In these ways, the change management process is connected to the business continuity process and the risk management process.

Cryptography

Data in transit is protected using TLS (Transport Layer Security) 1.3 or higher to ensure data confidentiality. TLS provides strong authentication, message privacy, and integrity. Data at rest is protected using the Cloud Service Provider’s default AES-256 encryption, with keys managed by the Cloud Service Provider.

Data security and protection

Data security is prioritized in Fiix. Customer data in particular is afforded the highest security classification. This requires an increased level of usage restriction throughout the lifecycle of the data. Data is securely transferred into the platform and is not shared without the customer's authorization. All security controls, including encryption, crypto-erasure and disposal, secure transportation, and distribution are applied. Detective controls are also deployed to detect potential misuse and abuse of data. Customers can apply additional data governance rules and policies within their own tenant, according to their own business objectives.

Governance, Risk and Compliance

Fiix is supported by an effective governance, risk management and compliance (GRC) program administered by the global CISO team of Rockwell Automation. The GRC team manages and maintains the information security management system (ISMS) and manages the controls that are used to support the ISO 27001 and SOC 2 programs.

Vulnerability management

Vulnerability management is an important practice at Fiix. The vulnerability management program covers the entire software development lifecycle, including but not limited to the cloud infrastructure, endpoints, containers, and production code. The vulnerability managers connect to multiple vulnerability databases and use automated solutions to scan the platform. Prioritized remediation is used to address high-risk items quickly. A “Fix Directive” is in force at the enterprise level, and it requires a continuous vulnerability tracking and remediation process. A risk assessment is done to determine how, what and when resources will be directed and which issues will be prioritized. Factors that inform vulnerability prioritization include vulnerability criticality, asset criticality, threat intelligence, customer experience, and business continuity concerns.

Logging and event monitoring

Fiix understands the importance of logging events and monitoring the platform. As part of its ISO 27001 ISMS, it has deployed a SIEM solution to track and correlate important system events. It also tracks events on each customer's tenant in order to give customers ample information about the security and operational status of their tenant and workloads. The logs are protected from alteration and are stored for at least one year.

Artificial Intelligence

Some of the products and functionality provided by Fiix rely on artificial intelligence and machine learning. In order to manage the risk arising from the use of AI, Rockwell Automation has established an AI Center of Excellence to review and approve each deployment. Rockwell Automation (RA) has also ensured that no public LLM instances are used within the product. RA has deployed its own LLM model, which is strategically deployed to minimize risk and maximize product benefit.

Data retention

Rockwell’s data retention policy requires that the data of exiting customers be securely deleted after a specified period of dormancy has elapsed. Although Fiix protects customer data throughout its lifecycle, at the end of the relationship the customer can request that their data be destroyed immediately, or have it exported in an agreed format. Regardless of the customer’s instruction, the data will be purged after a short waiting period. Based on the shared security responsibility model, customers are encouraged to implement their own data governance and management system using the capabilities provided within the PMC tenant.

Privacy and GDPR statement

Fiix is committed to protecting the privacy of personal information. Fiix only requires and stores the minimum level of PII needed to uniquely identify and provide services to customers’ employees. This includes first name, last name, company email address, and sometimes company address. We do not store or retain extensive levels of PII that are not required to deliver the contracted service. For more information about our privacy practices, please visit: https://fiixsoftware.com/legal/privacy/

Fiix Cloud Architecture

[Figure: the Fiix cloud architecture diagram]