Our Security Statement
The following security statement is our way of transparently explaining how we securely collect, store, manage, and present your data so that we may earn and retain your digital trust.
The safety and security of your data is our top priority. As an established leader and provider of industrial software for the last three decades, we recognise that your industrial data demands a more stringent cybersecurity posture and a higher set of operating standards compared to other information domains.
Best-In-Class, Certified Data Centers
Our cloud services are physically deployed across multiple Microsoft Azure data centers. We are a strategic data center hardware vendor to Microsoft and their Azure data centers as well as a strategic Independent Software Vendor (ISV) partner to Microsoft for both their on-premises and cloud software platform technologies.
Microsoft data centers are world-class facilities with more certifications than any other cloud provider. Certifications and compliance achievements include ISO/IEC 22301, 27017, 27018 and ISO/IEC 27001 in addition to SOC 1, SOC 2 and SOC 3.
To learn more about Microsoft’s Azure data centers, please visit:
Data Residency and Digital Sovereignty
While AVEVA Insight secure cloud services are accessible worldwide, customers can elect to base their subscription and all subsequently related subscription data storage exclusively in one of three regions: the United States, Australia, or Europe.
To ensure that your subscription and all related subscription data are stored within data centers in Europe, please subscribe to the European-based Insight instance located at: https://online.wonderware.eu.
Otherwise, head to https://insight.connect.aveva.com where you will be given the option to base your subscription in either the U.S.A. or Australia.
Note: The European instance of AVEVA Insight is geographically deployed across data centers in the Netherlands and in Ireland.
Committed to market leading cybersecurity best practices
Data at Rest
All sensitive customer data is encrypted, logically segregated and segmented in a multi-tenant architecture. These measures offer the best assurances that customer data is safe from unauthorized access, and limit the risk of data being compromised in any meaningful manner while protecting the privacy, control and autonomy of each customer’s data independently from any other. We have U.S. Patents Pending around the unique industrial implementation underpinning the solution.
Data in Motion
All data flow communications to and from AVEVA Insight are encrypted using HTTP over SSL/TLS (i.e., HTTPS) on the industry-standard and well-defined Port 443, using Advanced Encryption Standard (AES) 256-bit encryption with secure 2048-bit X.509 certificates. This is true for our on-premises data publishers, our modern browser-based client and our native mobile apps. Our secure and publicly accessible REST-based APIs also use this security scheme.
We continuously monitor the changing security landscape of cryptography and cybersecurity to ensure that we offer the best available protections to our customers and their sensitive data.
Given our long, rich history and domain expertise in the industrial automation market, we fully support and complement traditional industrial on-premises systems pushing data to the cloud in a hybrid-architecture where on-premises systems work in tandem with our cloud solutions.
Our small-footprint data publishers are very IT friendly from a local network point of view: we only require a single outbound, unidirectional port to be opened to communicate securely with our cloud services, encrypted using HTTP over SSL/TLS on Port 443.
Our on-premises data publishers do not receive inbound connections. Connections are only ever initiated outbound, by the system of trust from within customer networks, and never the other way around by any external agent. Our data publishers also do not auto-update on-premises O/S components. Updates are controlled manually by our customers at their discretion.
All data from our on-premises publishers can be safely routed through traditional next-generation firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS) and network-segmented demilitarized zones (DMZ).
Data Transmission Reliability: Store & Forward
All data publishers provided by us employ store and forward mechanisms so that no data is ever lost in the event that a network connection between the on-premises publisher and our Insight cloud services becomes unavailable. When network connectivity resumes, a parallel data stream will be initiated to back-fill any data that was collected during the period of network unavailability.
Protecting and defending your data across people, process and technology.
Identity and Access Management (IAM)
By default, customers sign up, register and authenticate their account directly through our application API or web portal, based on the OpenID Connect (OIDC) authentication layer on top of the OAuth 2.0 authorization framework.
For enterprise customers, Single-Sign-On (SSO) and federated identity access integrations are available with a customer’s existing IAM implementation.
We enforce a level of password complexity during sign-up and registration to promote secure credentials.
We verify account ownership during registration and for password resets to ensure the request is from an authentic source.
Customers have complete and granular control over whom they choose to allow to have visibility and access to various elements of their data in the AVEVA Insight service. At any time, customers can add, modify and remove users from their account as well as immediately revoke any access by any user at their discretion.
Customers can control and manage saved content including dashboards, keywords, data point (tag) metadata, ad-hoc charts and visualizations.
AVEVA Insight offers a set of REST-based APIs that are secured using SSL/TLS encryption, that require proper and valid parametrization to limit scope, and that require a level of authorization beyond the default standard user permissions.
External Security Audits
We continue to work with respected third-party professional application security monitoring and assessment experts on a regular and periodic basis in an effort to proactively identify any potential vulnerabilities so that we can quickly address those concerns and stay current with the ever-changing cybersecurity landscape.
In these engagements, the third-party companies conduct vulnerability and penetration scans, among a number of additional security reviews such as checks for OWASP-identified vulnerabilities and related audits.
Continuous Monitoring and Security Assessments
We have in place various proactive monitoring and active security policies and procedures to identify abnormal behavior, catch anomalous activity, and detect and isolate suspicious activity against or within our online solution. Examples include limitations on authentication requests, location-based risk evaluations, size and growth of user activity, failed authentications, API rate requests and more.
AVEVA Insight is designed to be a highly secure, scalable, robust and resilient managed service deployed across data centers in multiple locations.
Insight benefits from a highly committed team of people who continue to release non-disruptive updates on a frequent and consistent basis to maintain and elevate both the security and functionality of the offering.
Our commitment to the continued availability of our offering is outlined in our service level agreement (SLA), which can be referenced via our legal resources.
We believe in being as transparent as possible around the availability of our service and therefore encourage you to subscribe to our service dashboard to be proactively notified about any planned maintenance periods or unexpected disruptions.
For a complete list of our existing terms and conditions governing our cloud service, please visit our legal page.
To stay current on all recent activity surrounding our service, subscribe to our blog.
Policy On Customer Data Access for Support
As an Insight administrator, you can now temporarily add email@example.com as a standard user to your list of authorized users for your account or “solution(s)” for which you would like assistance from Wonderware Technical Support. At any time, you can revoke access to your solution(s). You can also leverage the Wonderware Online tag based security model to further limit visibility into the specific tags, sensors or data values that require further investigation by our support personnel.
Specific steps to take should you require support:
Add firstname.lastname@example.org as a standard user to the solution(s) that require investigation. Optionally, in this step you can restrict access to a limited subset of tags, sensors or data values.
Notify your technical support contact once this has been done. Collaborate with your technical support contact to help them reproduce the issue(s).
Once the issue(s) have been addressed to your satisfaction or, at any time prior and at your discretion, remove email@example.com from your list of authorized users.