Last Updated: March 2026
Applies to: All Rockwell Automation entities, employees, contractors, systems, and third parties processing PII on behalf of Rockwell Automation.
1. Purpose and Scope
These Technical and Organizational Measures (TOMs) describe the administrative, technical, and physical safeguards implemented by Rockwell Automation to protect PII against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, in accordance with:
- GDPR Article 32
- ISO/IEC 27001 and 27002
- NIST Cybersecurity Framework
- Applicable contractual and regulatory requirements
These TOMs apply to the entire lifecycle of PII, including collection, access, processing, storage, transmission, retention, and secure disposal—across IT, OT, cloud, AI-enabled, and third‑party environments.
Rockwell Automation implements, operates, and regularly maintains appropriate technical and organizational measures (TOMS) aligned to industry standards to protect Customer PII. Customer acknowledges and agrees that Rockwell Automation reserves the right to modify these TOMS provided that the functionality and security are not materially degraded. Without limiting the generality of the foregoing, Rockwell Automation will at a minimum maintain its TOMS as set forth below.
2. Information Security Governance and Accountability2.1 Governance Framework
Rockwell Automation maintains an enterprise-wide Information Security Management System (ISMS) governed through formal policies, standards, and procedures aligned with internationally recognized frameworks. Oversight is provided by senior leadership, including a designated Chief Information Security Officer (CISO).
Governance includes:
- Enterprise security policies approved by executive leadership
- Risk ownership and accountability assigned at system, data, and business levels
- Formal exception and risk acceptance processes
- Periodic management review of security posture and risk
2.2 Roles and Responsibilities
- Data Owners: Accountable for classification, lawful use, and protection of PII
- System Owners: Responsible for secure system configuration and operation
- Global Cybersecurity Organization: Defines security standards, monitoring, and assurance
- Employees and Contractors: Required to comply with policies and complete mandatory
training
3. Data Classification and PII Handling
Rockwell Automation classifies all data, including PII, based on sensitivity and risk. PII is treated as Confidential or Highly Confidential (Restricted) depending on impact.
Controls include:
- Mandatory data classification and labeling
- Defined handling requirements per classification
- Restrictions on storage, transmission, and sharing
- Prohibition on unauthorized personal or public AI tool use with PII
PII handling requirements are embedded across operational processes and enforced through preventive and detective controls.
4. Access Control and Identity Management
4.1 Identity and Access Management (IAM)
Access to systems processing PII is controlled using least privilege and need-to-know principles.
Key measures:
- Unique individual user accounts (no shared identities unless approved)
- Centralized identity lifecycle management
- Role-based access controls
- Formal access request, approval, and review processes
- Immediate access revocation upon role change or termination
4.2 Strong Authentication
- Multi-factor authentication (MFA) enforced for:
- Remote access
- Privileged access
- Cloud and administrative interfaces
- Strong password policies enforced via technical controls
5. Technical Security Measures5.1 Encryption and Cryptographic Protections
PII is protected using encryption:
- At rest: Full-disk and database encryption
- In transit: Industry-standard TLS encryption
- Cryptographic key management: Centralized and controlled
Encryption requirements align with data classification standards and regulatory expectations.
5.2 Endpoint and System Security
- Managed endpoints with standard security baselines
- Anti-malware and endpoint detection controls
- System hardening per defined configuration standards
- Patch and vulnerability management with regular scanning and remediation
5.3 Network Security
- Defense-in-depth architecture
- Network segmentation and firewall protections
- Secure remote access with logging and MFA
- Intrusion detection and prevention systems (IDS/IPS)
6. Logging, Monitoring, and DetectionRockwell Automation employs continuous monitoring to detect unauthorized access or anomalous activity involving PII.
Measures include:
- Centralized Security Information and Event Management (SIEM)
- Logging of:
- Access to PII
- Administrative activities
- Authentication events
- 24x7 security operations monitoring
- Alerting and investigation of suspicious events
Audit logs are protected from unauthorized alteration and retained according to defined schedules.
7. Incident Management and Breach ResponseRockwell Automation maintains a formal Incident Response Program covering:
- Incident identification and classification
- Investigation and containment procedures
- Forensic evidence preservation
- Regulatory and customer notification where required
- Root cause analysis and corrective actions
Incidents involving PII are escalated, documented, and handled according to contractual and legal obligations, including GDPR breach notification timelines.
8. Business Continuity and Availability
To ensure ongoing availability and resilience of systems processing PII, Rockwell Automation implements:
Business Impact Analysis (BIA)
Documented Business Continuity Plans (BCP)
- Disaster Recovery (DR) strategies with defined RTOs/RPOs
- Regular testing of recovery capabilities
- Backup, redundancy, and failover mechanisms
9. Physical and Environmental Security by Rockwell or Hosting Provider
- Facilities and physical assets processing PII are protected through:
- Controlled physical access (badges, biometrics where applicable)
- Surveillance and monitoring (e.g., CCTV)
- Environmental controls (fire suppression, power redundancy)
- Secure storage and disposal of physical media
Visitor access is managed and logged.
10. Asset and Lifecycle Management
- All systems processing PII are inventoried
- Ownership and responsibility are documented
- Secure configuration and baseline enforcement
- Controlled system changes through formal Change Management
- Secure sanitization and disposal of equipment and media
For Operational Technology (OT), enhanced lifecycle and disposal controls apply.
11. Third-Party and Subprocessor Management
Rockwell Automation requires all third parties handling PII to meet defined security and privacy expectations.
Controls include:
- Pre-engagement risk assessments
- Contractual security and data protection clauses
- Ongoing monitoring of critical vendors
- Defined incident notification obligations
- Secure exit and data return or destruction procedures
12. Secure Software Development and Change Management
- Secure SDLC practices for applications processing PII
- Code reviews, testing, and vulnerability assessments
- Formal Change Management with security impact analysis
- Dual authorization and segregation of duties where required
13. AI, Automation, and Emerging Technologies
Use of AI systems involving PII is subject to:
- Prior risk assessment and approval by the AI Governance Council
- Data minimization and purpose limitation
- Human oversight and auditability
- Restrictions on use of public generative AI tools with PII
14. Training, Awareness, and Insider Risk
- Mandatory onboarding and annual security training
- Role-based training for privileged roles
- Phishing simulations and awareness campaigns
- Insider risk controls with legal oversight
15. Assurance, Audits, and Continuous Improvement
- Periodic control assessments and internal audits
- Independent security assessments where required
- Monitoring of regulatory and threat environment changes
- Continuous improvement of controls based on risk and lessons learned
16. Conclusion
These Technical and Organizational Measures demonstrate that Rockwell Automation implements state-of-the-art, risk‑based, and proportionate safeguards to protect PII. The controls described are embedded into governance, operational processes, and technical architectures, providing a defensible and auditable security posture consistent with regulatory and contractual expectations.
Detailed Control Table (Enhanced)
Legend:
✓ = Implemented
◐ = Implemented with conditions / risk-based application
1. Physical Access Control Measures to prevent unauthorized persons from gaining physical access to systems where PII is processed |
Plex PMC | Fiix CMMS | DataMosaix | Design Studio | Energy Manage | |
|---|---|---|---|---|---|---|
| Control Measures | Description | |||||
| Secured facilities and security zones | Access-controlled facilities with restricted security zones for data processing environments | ✓ | ✓ | ✓ | ✓ | ✓ |
| Badge-based and/or biometric access controls | Electronic badge systems and biometric controls where appropriate | ✓ | ✓ | ✓ | ✓ | ✓ |
| Visitor access management | Visitor registration, badges, escort requirements, and access logs | ✓ | ✓ | ✓ | ✓ | ✓ |
| CCTV monitoring and intrusion detection | Camera surveillance and alarm systems at critical locations | ✓ | ✓ | ✓ | ✓ | ✓ |
| Physical access logging and review | Logging and periodic review of physical access to sensitive areas | ✓ | ✓ | ✓ | ✓ | ✓ |
| Environmental safeguards (fire, HVAC, power redundancy) | Fire suppression, temperature control, UPS, and generators | ✓ | ✓ | ✓ | ✓ | ✓ |
| Secure storage of physical media | Locked cabinets or secure rooms for physical records and removable media | ✓ | ✓ | ✓ | ✓ | ✓ |
| Secure disposal of physical records | Cross-cut shredding and certified destruction vendors | ✓ | ✓ | ✓ | ✓ | ✓ |
2. Logical (Virtual) Access Control Measures Measures to prevent unauthorized logical access to systems processing PII |
Plex PMC | Fiix CMMS | DataMosaix | Design Studio | Energy Manage | |
|---|---|---|---|---|---|---|
| Control Measures | Description | |||||
| Unique user identification (no shared accounts) | Individual identities for all users | ✓ | ✓ | ✓ | ✓ | ✓ |
| Strong password and authentication policies | Enforced complexity, rotation, and system controls | ✓ | ✓ | ✓ | ✓ | ✓ |
| Multi‑factor authentication (MFA) | Required for remote access, privileged access, and cloud services |
✓ | ✓ | ✓ | ✓ | ✓ |
| Least privilege access model | Role-based access aligned to job responsibilities | ✓ | ✓ | ✓ | ✓ | ✓ |
| Formal access approval workflows | Authorized role owners approve access | ✓ | ✓ | ✓ | ✓ | ✓ |
| Periodic access reviews and recertification | Scheduled reviews to ensure continued appropriateness |
✓ | ✓ | ✓ | ✓ | ✓ |
| Immediate deprovisioning on termination | Automated disablement of accounts upon role change or exit | ✓ | ✓ | ✓ | ✓ | ✓ |
| Logging of authentication and access events |
Centralized logging to SIEM for monitoring | ✓ | ✓ | ✓ | ✓ | ✓ |
3. Data Security Measures ensuring users only access PII they are authorized to access |
Plex PMC | Fiix CMMS | DataMosaix | Design Studio | Energy Manage | |
|---|---|---|---|---|---|---|
| Control Measures | Description | |||||
| Data classification and labeling | Mandatory classification of PII as Confidential or Restricted | ✓ | ✓ | ✓ | ✓ | ✓ |
| Role-based data access restrictions | Segregated access by function and need-to-know | ✓ | ✓ | ✓ | ✓ | ✓ |
| Monitoring of access to PII | Logging and alerting on access to sensitive data |
✓ | ✓ | ✓ | ✓ | ✓ |
| Encryption of PII at rest | Full disk and database encryption | ✓ | ✓ | ✓ | ✓ | ✓ |
| Encryption of PII in transit | TLS encryption for internal and external communication | ✓ | ✓ | ✓ | ✓ | ✓ |
| Prevention of unauthorized copying/export | Technical and procedural controls, supplemented by monitoring |
✓ | ✓ | ✓ | ✓ | ✓ |
| Disciplinary measures for unauthorized access | Enforced through policy and HR procedures | ✓ | ✓ | ✓ | ✓ | ✓ |
| Secure deletion and anonymization |
Sanitization and anonymization per retention policies | ✓ | ✓ | ✓ | ✓ | ✓ |
4. Confidentiality Controls Measures to prevent unauthorized disclosure of PII during transmission, storage, or sharing |
Plex PMC | Fiix CMMS | DataMosaix | Design Studio | Energy Manage | |
|---|---|---|---|---|---|---|
| Control Measures | Description | |||||
| Data classification and labeling | Mandatory classification of PII as Confidential or Restricted | ✓ | ✓ | ✓ | ✓ | ✓ |
| Role-based data access restrictions | Segregated access by function and need-to-know | ✓ | ✓ | ✓ | ✓ | ✓ |
| Monitoring of access to PII | Logging and alerting on access to sensitive data |
✓ | ✓ | ✓ | ✓ | ✓ |
| Encryption of PII at rest | Full disk and database encryption | ✓ | ✓ | ✓ | ✓ | ✓ |
| Encryption of PII in transit | TLS encryption for internal and external communication | ✓ | ✓ | ✓ | ✓ | ✓ |
| Prevention of unauthorized copying/export | Technical and procedural controls, supplemented by monitoring |
✓ | ✓ | ✓ | ✓ | ✓ |
| Disciplinary measures for unauthorized access | Enforced through policy and HR procedures | ✓ | ✓ | ✓ | ✓ | ✓ |
| Secure deletion and anonymization |
Sanitization and anonymization per retention policies | ✓ | ✓ | ✓ | ✓ | ✓ |
4. Confidentiality Controls Measures to prevent unauthorized disclosure of PII during transmission, storage, or sharing |
Plex PMC | Fiix CMMS | DataMosaix | Design Studio | Energy Manage | |
|---|---|---|---|---|---|---|
| Control Measures | Description | |||||
| Data classification and labeling | Mandatory classification of PII as Confidential or Restricted | ✓ | ✓ | ✓ | ✓ | ✓ |
| Role-based data access restrictions | Segregated access by function and need-to-know | ✓ | ✓ | ✓ | ✓ | ✓ |
| Monitoring of access to PII | Logging and alerting on access to sensitive data |
✓ | ✓ | ✓ | ✓ | ✓ |
| Encryption of PII at rest | Full disk and database encryption | ✓ | ✓ | ✓ | ✓ | ✓ |
| Encryption of PII in transit | TLS encryption for internal and external communication | ✓ | ✓ | ✓ | ✓ | ✓ |
| Prevention of unauthorized copying/export | Technical and procedural controls, supplemented by monitoring |
✓ | ✓ | ✓ | ✓ | ✓ |
| Disciplinary measures for unauthorized access | Enforced through policy and HR procedures | ✓ | ✓ | ✓ | ✓ | ✓ |
| Secure deletion and anonymization |
Sanitization and anonymization per retention policies | ✓ | ✓ | ✓ | ✓ | ✓ |
5. Integrity Controls Measures to monitor whether PII has been entered, altered, or deleted and by whom |
Plex PMC | Fiix CMMS | DataMosaix | Design Studio | Energy Manage | |
|---|---|---|---|---|---|---|
| Control Measures | Description | |||||
| System audit logging | Audit trails for create/read/update/delet e (CRUD) actions | ✓ | ✓ | ✓ | ✓ | ✓ |
| User attribution in logs | Logs tied to individual user identities | ✓ | ✓ | ✓ | ✓ | ✓ |
| Timestamped audit records | Accurate time synchronization and timestamps |
✓ | ✓ | ✓ | ✓ | ✓ |
| Monitoring of privileged actions | Enhanced logging for administrative functions | ✓ | ✓ | ✓ | ✓ | ✓ |
| Protection of audit logs | Restricted access and tamper-resistant storage | ✓ | ✓ | ✓ | ✓ | ✓ |
| Log retention per policy | Retention aligned with legal and business requirements |
✓ | ✓ | ✓ | ✓ | ✓ |
| Review of audit logs | Manual and automated reviews via SIEM | ✓ | ✓ | ✓ | ✓ | ✓ |
6. Control of Instructions Measures ensuring PII is processed only according to controller instructions |
Plex PMC | Fiix CMMS | DataMosaix | Design Studio | Energy Manage | |
|---|---|---|---|---|---|---|
| Control Measures | Description | |||||
| Clearly defined contractual instructions | DPAs and service agreements define processing scope | ✓ | ✓ | ✓ | ✓ | ✓ |
| Sub-processor approval and oversight | Risk assessments and contractual controls | ✓ | ✓ | ✓ | ✓ | ✓ |
| Instruction change management | Formal change management processes |
✓ | ✓ | ✓ | ✓ | ✓ |
| Employee training on data handling | Mandatory training and awareness | ✓ | ✓ | ✓ | ✓ | ✓ |
| AI and automation usage governance | AI Governance Council oversight | ✓ | ✓ | ✓ | ✓ | ✓ |
| Restriction of unauthorized processing | Technical and procedural enforcement |
✓ | ✓ | ✓ | ✓ | ✓ |
7. Availability and Resilience Control Measures protecting PII against accidental loss or destruction |
Plex PMC | Fiix CMMS | DataMosaix | Design Studio | Energy Manage | |
|---|---|---|---|---|---|---|
| Control Measures | Description | |||||
| Data backup procedures | Regular, tested backups | ✓ | ✓ | ✓ | ✓ | ✓ |
| Redundant systems and failover | High availability architectures | ✓ | ✓ | ✓ | ✓ | ✓ |
| Disaster recovery plans | Documented DR strategies with RTO/RPO | ✓ | ✓ | ✓ | ✓ | ✓ |
| Business continuity planning | Annual BIA and plan testing | ✓ | ✓ | ✓ | ✓ | ✓ |
| Power and network redundancy | UPS, generators, redundant connectivity | ✓ | ✓ | ✓ | ✓ | ✓ |
| Incident response and recovery | Coordinated response and restoration | ✓ | ✓ | ✓ | ✓ | ✓ |
8. Organizational Measures (NEW – not explicit in old table) |
Plex PMC | Fiix CMMS | DataMosaix | Design Studio | Energy Manage | |
|---|---|---|---|---|---|---|
| Control Measures | Description | |||||
| Information security policies and standards | Enterprise-wide ISMS framework | ✓ | ✓ | ✓ | ✓ | ✓ |
| Security awareness and training | Onboarding and annual training | ✓ | ✓ | ✓ | ✓ | ✓ |
| Insider risk management | Monitoring with legal oversight | ✓ | ✓ | ✓ | ✓ | ✓ |
| Background checks (where permitted) | Pre-employment screening | ✓ | ✓ | ✓ | ✓ | ✓ |
| Segregation of duties | Prevents conflict of interest | ✓ | ✓ | ✓ | ✓ | ✓ |
| Continuous improvement and audits | Ongoing assessments and remediation | ✓ | ✓ | ✓ | ✓ | ✓ |
9. External Assurance and Certifications |
Plex PMC | Fiix CMMS | DataMosaix | Design Studio | Energy Manage | |
|---|---|---|---|---|---|---|
| Assurance Mechanism | Description | |||||
| SOC 1 / SOC 2 reports | Independent third-party assessments | ✓ | ✓ | ✓ | ✓ | ✓ |
| ISO/IEC 27001 certification | ISMS certification | ✓ | ✓ | ✓ | ✓ | ✓ |
| Periodic internal audits | Policy and control reviews | ✓ | ✓ | ✓ | ✓ | ✓ |
| External/Independent audits | Support for customer and regulator requests | ✓ | ✓ | ✓ | ✓ | ✓ |
10. Shared Responsibility and Cloud Governance Control Measures ensuring that responsibilities between Rockwell Automation and cloud service providers are clearly defined and enforced |
Plex PMC | Fiix CMMS | DataMosaix | Design Studio | Energy Manage | |
|---|---|---|---|---|---|---|
| Control Measures | Description | |||||
| Defined shared responsibility model | Clear delineation of Rockwell Automation vs. cloud provider responsibilities for security and privacy | ✓ | ✓ | ✓ | ✓ | ✓ |
| Cloud security policies and standards | Cloud usage governed by Cloud Security Policy and associated standards | ✓ | ✓ | ✓ | ✓ | ✓ |
| Pre‑approval of cloud providers | Cybersecurity and risk review required before onboarding any cloud provider | ✓ | ✓ | ✓ | ✓ | ✓ |
| Cloud service inventory | Central inventory of all cloud platforms, services, and environments | ✓ | ✓ | ✓ | ✓ | ✓ |
| Cloud architecture security reviews | Security design reviews before production deployment | ✓ | ✓ | ✓ | ✓ | ✓ |
| Cloud exit and decommissioning procedures | Secure exit plans including data deletion and confirmation | ✓ | ✓ | ✓ | ✓ | ✓ |
11. Sub-Service Provider and Co-Location Oversight Measures governing cloud providers, data centers, and downstream subprocessors |
Plex PMC | Fiix CMMS | DataMosaix | Design Studio | Energy Manage | |
|---|---|---|---|---|---|---|
| Control Measures | Description | |||||
| Due diligence and risk assessments | Security, privacy, and compliance assessments prior to engagement | ✓ | ✓ | ✓ | ✓ | ✓ |
| Contractual data protection obligations | DPAs, security clauses, audit rights, and breach notification requirements | ✓ | ✓ | ✓ | ✓ | ✓ |
| Approved sub-processor lists | Formal documentation of approved cloud sub processors | ✓ | ✓ | ✓ | ✓ | ✓ |
| Ongoing provider risk monitoring | Periodic reassessment of critical providers | ✓ | ✓ | ✓ | ✓ | ✓ |
| Cloud provider audit reports | Review of SOC 1 / SOC 2 / ISO 27001 or equivalent reports | ✓ | ✓ | ✓ | ✓ | ✓ |
| Co‑location physical security assurance | Reliance on audited physical security controls of data centers | ✓ | ✓ | ✓ | ✓ | ✓ |
| Sub‑processor change notification | Notice and approval processes for material changes | ✓ | ✓ | ✓ | ✓ | ✓ |
12. Cloud Identity and Access Control Measures preventing unauthorized access to cloud‑hosted PII |
Plex PMC | Fiix CMMS | DataMosaix | Design Studio | Energy Manage | |
|---|---|---|---|---|---|---|
| Control Measures | Description | |||||
| Multi-factor authentication for cloud access | MFA enforced for administrative and user access | ✓ | ✓ | ✓ | ✓ | ✓ |
| Role-based access controls (RBAC) | Cloud roles mapped to least privilege principles | ✓ | ✓ | ✓ | ✓ | ✓ |
| Privileged access management (PAM) | Elevated cloud access restricted and logged | ✓ | ✓ | ✓ | ✓ | ✓ |
| Segregation of tenant and customer access | Logical isolation enforced via cloud controls | ✓ | ✓ | ✓ | ✓ | ✓ |
| Periodic cloud access reviews | Regular validation of access rights | ✓ | ✓ | ✓ | ✓ | ✓ |
13. Cloud Data Protection and Encryption Measures protecting PII at rest, in transit, and during processing in cloud environments |
Plex PMC | Fiix CMMS | DataMosaix | Design Studio | Energy Manage | |
|---|---|---|---|---|---|---|
| Control Measures | Description | |||||
| Encryption of PII at rest in cloud | Provider-native encryption or customer‑managed encryption | ✓ | ✓ | ✓ | ✓ | ✓ |
| Encryption of PII in transit | TLS-encrypted communication for all data flows | ✓ | ✓ | ✓ | ✓ | ✓ |
| Secure key lifecycle management | Rotation, revocation, and access restrictions | ✓ | ✓ | ✓ | ✓ | ✓ |
| Cloud storage access controls | Bucket/container access tightly restricted | ✓ | ✓ | ✓ | ✓ | ✓ |
| Data minimization in cloud workloads | Only necessary PII processed or stored | ✓ | ✓ | ✓ | ✓ | ✓ |
14. Cloud Network and Infrastructure Security Measures preventing unauthorized access to cloud infrastructure |
Plex PMC | Fiix CMMS | DataMosaix | Design Studio | Energy Manage | |
|---|---|---|---|---|---|---|
| Control Measures | Description | |||||
| Network segmentation and isolation | Virtual networks, security groups, firewalls | ✓ | ✓ | ✓ | ✓ | ✓ |
| Restriction of public cloud exposure | Default deny; explicit approvals required | ✓ | ✓ | ✓ | ✓ | ✓ |
| Secure administrative interfaces | Administrative endpoints protected by MFA and IP restrictions | ✓ | ✓ | ✓ | ✓ | ✓ |
| Protection against lateral movement | Network segmentation and workload isolation | ✓ | ✓ | ✓ | ✓ | ✓ |
| DDoS and perimeter protection | Provider services and security controls applied | ✓ | ✓ | ✓ | ✓ | ✓ |
| Secure connectivity to on‑premises systems | Encrypted VPN or private links | ✓ | ✓ | ✓ | ✓ | ✓ |
15. Cloud Logging, Monitoring, and Detection Measures ensuring visibility and detection of incidents affecting PII in cloud environments |
Plex PMC | Fiix CMMS | DataMosaix | Design Studio | Energy Manage | |
|---|---|---|---|---|---|---|
| Control Measures | Description | |||||
| Centralized cloud log collection | Cloud logs forwarded to SIEM | ✓ | ✓ | ✓ | ✓ | ✓ |
| Logging of access to PII | API, storage, and identity events logged | ✓ | ✓ | ✓ | ✓ | ✓ |
| Monitoring of privileged cloud activity | Enhanced logging and alerts | ✓ | ✓ | ✓ | ✓ | ✓ |
| Automated alerting for anomalous behavior | Security rules and detection use cases | ✓ | ✓ | ✓ | ✓ | ✓ |
| Time synchronization | Consistent time sources for audit logs | ✓ | ✓ | ✓ | ✓ | ✓ |
| Protection of cloud audit logs | Restricted access and retention controls | ✓ | ✓ | ✓ | ✓ | ✓ |
17. Cloud Incident Response and Breach Handling Measures ensuring effective response to incidents involving cloud‑hosted PII |
Plex PMC | Fiix CMMS | DataMosaix | Design Studio | Energy Manage | |
|---|---|---|---|---|---|---|
| Control Measures | Description | |||||
| Cloud-specific incident response procedures | Integrated into enterprise IR plan | ✓ | ✓ | ✓ | ✓ | ✓ |
| Incident detection and escalation | SOC monitoring and response workflows | ✓ | ✓ | ✓ | ✓ | ✓ |
| Cloud provider breach notification clauses | Contractual SLAs for notification | ✓ | ✓ | ✓ | ✓ | ✓ |
| Evidence preservation and forensics | Cloud-appropriate forensic processes | ✓ | ✓ | ✓ | ✓ | ✓ |
| Regulatory and customer notification | GDPR and contractual | ✓ | ✓ | ✓ | ✓ | ✓ |
| Post-incident remediation | Root cause analysis and corrective actions | ✓ | ✓ | ✓ | ✓ | ✓ |
18. Data Residency, Retention, and Secure Deletion (Cloud) Measures governing where PII is stored, for how long, and how it is destroyed |
Plex PMC | Fiix CMMS | DataMosaix | Design Studio | Energy Manage | |
|---|---|---|---|---|---|---|
| Control Measures | Description | |||||
| Data residency controls | Regional hosting selected based on legal requirements | ✓ | ◐ | ◐ | ◐ | |
| Data retention enforcement | Retention schedules applied to cloud storage | ✓ | ✓ | ✓ | ✓ | ✓ |
| Secure deletion upon contract termination | Verified deletion or anonymization | ✓ | ✓ | ✓ | ✓ | ✓ |
| Cloud provider deletion assurance | Written confirmation where required | ✓ | ✓ | ✓ | ✓ | ✓ |
| Backup lifecycle management | Backup retention aligned with policy | ✓ | ✓ | ✓ | ✓ | ✓ |
| Aggregation and anonymization controls | Non‑identifiable data retained where permitted | ✓ | ✓ | ✓ | ✓ | ✓ |