Below you can find a detailed list of the most frequently requested information by IT departments regarding the security of BIMcollab.
If you look at our pricing model you will understand that we cannot spend the time to fill in detailed assessments for all of our customers. We therefore kindly ask you to start with a self-assessment using the list below. If anything is still missing or you have additional questions, do not hesitate to contact your sales contact.
Security - Legal
Data storage - Location
- Data residency of the cloud service is restricted appropriately.
- All data is stored in The Netherlands, unless an on-premise installation is used.
Data storage - Deleting data
- All client data shall be securely erased from the cloud service upon service termination or on request.
- We have no formal policies and procedures established with supporting business processes and technical measures implemented for the secure disposal and complete removal of data from all storage media, ensuring data is not recoverable by any computer forensic means.
- We don't have formal policies at this time for procedures and controls to protect the confidentiality and availability of the encryption keys.
Data storage - Protection
- The availability commitments of the service, including our ability to recover from outages can be found here.
- Production data shall not be replicated or used in non-production environments.
- All clients/corporation data stored or processed on the cloud services is owned by the client / corporation.
- Data use policy with regard to customer data of the cloud service is clearly defined to prevent unauthorized use of customer data.
- BIMcollab Cloud, BIMcollab ZOOM and the BCF Managers don't collect personal data. Obtaining the express consent of the data subjects (i.e. a Personal Information Collection Statement) and complying in all aspects with the Personal Data Privacy Ordinance (PDPO), including data security assurance and a retention period limited to such period as necessary, is therefore not applicable.
- Read our full privacy statement here.
Certification - Datacenter
- Certification/Attestation for CSA STAR Self-Assessment is in progress.
- The Payment Card Industry Data Security Standard (PCI-DSS) for protection of Payment Card Industry data is applicable.
- Security regulations and governance of relevant countries of the cloud service and data residency shall be applied.
- SOC 2 Audit Reports for SSAE 16 will not be provided to customer upon request.
- There are independent reviews and assessments planned at least annually.
- The client/corporation shall reserve the right of compliance audit for the security of systems and processes of the cloud service.
- Business Continuity Plan is to be formalized.
Service Level Agreements
- Service Level Agreement (SLA) is part of the Business Agreement and specifies the scope of our service.
Legal jurisdiction(s) of the service provider
- This information can be found in our Service Level Agreement.
Security - Physical
- Our data center utilities services and environmental conditions (e.g., water, power, temperature and humidity controls, telecommunications, and internet connectivity) are secured, monitored, maintained, and tested for continual effectiveness at planned intervals to ensure protection from unauthorized interception or damage, and designed with automated fail-over or other redundancies in the event of planned or unplanned disruptions.
- Physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols) are implemented to safeguard sensitive data and information systems.
- Information security policies and procedures are to be formalized.
- Policies and procedures are partly established regarding personnel security including background check, security awareness and termination.
- There is a daily backup of the customer data with a retention period of at least 1 month. The backup is physically protected and encrypted.
- The security incident response plan is yet to be documented. Any security breach affecting a customer will be reported to the customer's responsible person as soon as possible.
- All expired components potentially containing data are professionally destroyed.
- A limited number of engineers (both internal and 3rd party IT) have root access to the servers.
- Access can only be achieved from pre-approved IP-addresses.
- All communication is performed over encrypted communication lines.
Security - Technical
Protection - Access
- The system does not support ADFS Authentication with MTR. Support can be made available when using an on-premise installation.
- Access controls are enforced to ensure only authorized users can access the cloud service and data.
- Role-based access controls are implemented for segregation of duty. For more information on roles in the BIMcollab environment, consult the article Roles within the BIMcollab environment.
- The production and non-production environments are separated to prevent unauthorized access or changes to information assets.
- The multi-tenant organizationally-owned or managed (physical and virtual) applications, infrastructure systems and network components are designed, developed, deployed and configured such that provider and customer (tenant) user access is appropriately segmented from that of other tenants. Every tenant has their own instance of the web application as well as their own database.
- The management environment is protected from unauthorized access by IP restriction, not by two-factor authentication.
- The data and service are separated from other consumers of the service. All customers run in their own spaces, completely separated from each other.
- The management of the service is kept separate from other customers.
- A uniform message is displayed when a wrong combination of user/password is entered.
Protection - Password
- The system provides a secure mechanism for a user to reset their own password.
- The password is not stored in a one-way salted hash in the system.
- The password is securely stored in the database.
- The system can enforce strong passwords that are at least 8 characters long and have a complex composition.
- The system enforces periodical change of password of user accounts.
- The prevention of brute-force password attacking is planned.
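The items above describe the ingredients of password protection: a one-way salted hash, a minimum length with complex composition, a uniform failure message and a throttle against brute-force guessing. The following block is an added example written for this page, not BIMcollab's own code, showing how those pieces fit together. The hashing parameters, the policy rule (three of four character classes), the lockout threshold (5 attempts, 15 minutes) and the `LoginThrottle` class are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re
import time
from typing import Dict, Optional, Tuple

# Tunable parameters: assumed values for this example, not the product's settings.
PBKDF2_ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor
SALT_BYTES = 16               # random per-user salt length
MIN_PASSWORD_LENGTH = 8       # checklist minimum
MAX_FAILED_ATTEMPTS = 5       # failures before a temporary lockout
LOCKOUT_SECONDS = 900         # lockout duration


def password_meets_policy(password: str) -> bool:
    """Minimum length plus a complex composition: at least three of
    lower-case, upper-case, digit and symbol (assumed policy)."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return sum(1 for pattern in classes if re.search(pattern, password)) >= 3


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """One-way salted hash, stored as 'pbkdf2_sha256$iterations$salt$digest'.
    The plaintext password is never stored; only this string goes to the database."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Hash verified for unknown accounts so that a missing user costs the same time
# as a wrong password (keeps the failure response uniform in timing as well as text).
DUMMY_HASH = hash_password("placeholder-not-a-real-password")


class LoginThrottle:
    """Per-account failed-attempt counter with a temporary lockout (brute-force prevention)."""

    def __init__(self, now=time.monotonic):
        self._now = now
        self._failures: Dict[str, Tuple[int, float]] = {}   # account -> (count, last failure)

    def is_locked(self, account: str) -> bool:
        count, last = self._failures.get(account, (0, 0.0))
        if count >= MAX_FAILED_ATTEMPTS and self._now() - last < LOCKOUT_SECONDS:
            return True
        if count >= MAX_FAILED_ATTEMPTS:
            self._failures.pop(account, None)   # lockout expired, start counting afresh
        return False

    def attempt(self, account: str, password: str, stored_hash: Optional[str]) -> str:
        """Returns 'ok', 'invalid' or 'locked'. Unknown account and wrong password
        both yield 'invalid', so the caller shows one uniform message."""
        if self.is_locked(account):
            return "locked"
        if stored_hash is None:
            verify_password(password, DUMMY_HASH)
            valid = False
        else:
            valid = verify_password(password, stored_hash)
        if valid:
            self._failures.pop(account, None)
            return "ok"
        count, _ = self._failures.get(account, (0, 0.0))
        self._failures[account] = (count + 1, self._now())
        return "invalid"


if __name__ == "__main__":
    stored = hash_password("Correct-Horse7")
    throttle = LoginThrottle()
    print(password_meets_policy("Correct-Horse7"), verify_password("Correct-Horse7", stored))
    print([throttle.attempt("alice", "wrong", stored) for _ in range(6)])
```

The stored string carries its own algorithm name, iteration count and salt, so the work factor can be raised later without invalidating existing records: a login that verifies against an old iteration count can simply be re-hashed with the new one.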
Protection - Firewall
- The BIMcollab space is protected by a firewall which allows only necessary traffic from an untrusted network.
- Spaces are protected by an IDS/IPS from an untrusted network.
- The space has mitigation against a DDoS attack.
- The servers are protected by antivirus software with real-time protection and a scheduled full scan.
- The web application is protected by a Web Application Firewall or periodically scanned by a web application scanner to make sure that there are no known web application vulnerabilities.
- The app is only reachable by IPv4 or IPv6.
- Open TCP/UDP ports are limited to a minimum, and all others are in stealth mode.
- SSL tunneling is not used.
- A Web Application Firewall (white-listing) is in place for additional security.
- The system does not support two-factor authentication if the data is sensitive.
Protection - Encryption
- Transmission of data is encrypted. Web access is encrypted by TLS 1.2 or above using strong ciphers with Perfect Forward Secrecy (PFS). File transfer is encrypted by SFTP.
- When using an on-premise installation with the customer's domain for web access, the SSL/TLS certificate is either provided by the customer or provided by the system and signed by an industry-trusted CA. This is entirely up to the customer.
- Data in transit is protected between the consumer’s end user device and the service.
- Personal data storage complies with GDPR; however, it is not encrypted at rest.
- Security events of user account activities are logged and kept for at least 3 months.
- The network environments and virtual instances are designed and configured to restrict and monitor traffic between trusted and untrusted connections.
- Logging and notification of security events are available on request and enabled.
- The servers are set up and hardened according to a secure configuration baseline.
- A threat and vulnerability management process is in place where security patches are installed to the OS, applications and network infrastructure regularly in a timely manner.
- Regular vulnerability scanning and penetration testing are in place. The scan and test report with detailed results can be shared after signing an NDA.
- Security audit logs are available to authorized staff of the client in case of security investigation.
- Formal risk assessments are performed at least annually or at planned intervals (and in conjunction with any changes to information systems) to determine the likelihood and impact of all identified risks.
- Vulnerability- and patch-management is in place.
- Accounts and credentials specific to redundant equipment are deleted as soon as the equipment is taken out of commission, to reduce their value to an attacker.
- Potential new threats, vulnerabilities or exploitation techniques which could affect the service are assessed and corrective action taken. All security updates are installed as soon as possible.
- The severity of threats and vulnerabilities is considered within the context of the service and this information is used to prioritize implementation of mitigations. All high severity risks are immediately acted upon.
- Known vulnerabilities within the service are logged and tracked within our tooling, until suitable mitigations have been deployed through a suitable change management process.
Security - Functional
Security - Supported
- There are no software version numbers of the web server or application in the HTTP headers.
- There are no software version numbers on the application page before login.
- Internal IP addresses, host names, domain names and other internal information are not visible to others.
- Default pages are removed or replaced.
- All errors (404, 500, etc.) are handled with custom pages.
- No debug mode or elaborate error descriptions are used.
- Demo pages and documentation are removed from the server.
- Content is only in HTTPS and not mixed.
- We have our own solution against clickjacking.
- HTTP methods are restricted to a minimum (GET, POST).
- The sitemap.xml contains references to support pages such as 404 or 500 pages.
- Username and password are not saved in cookies.
- A SameSite (Strict or Lax) cookie attribute is in place as protection against Cross-Site Request Forgery (CSRF) attacks.
- Max age attributes are supported.
- Domain/path attributes are supported.
- (REST) APIs are protected so that they do not give away unnecessary information.
- Code signing is used for the apps. The Mac applications are signed with our certificate, notarized by Apple. Our Windows applications are also signed with our trusted certificate.
- Crypto keys, passwords and security settings are saved and protected in the apps. Our applications connect to an external API (BIMcollab), which requires user authentication and proxy settings. We remember user credentials, only when selected by the user, in obfuscated format in the filesystem/registry for user-friendliness.
- Measures are taken to protect against reverse engineering and manipulation. Most of our code is compiled-code (C++), making it difficult to reverse-engineer to the original code. The part which is not compiled (C#, JS), is obfuscated.
Security - Not Supported
- A CSP header (without unsafe directives) and a 'report-uri' directive are not included.
- X-Frame-Options is not used to prevent clickjacking, nor is the CSP "frame-ancestors" directive. We have our own solution against clickjacking.
- Web forms are not protected with CSRF tokens. We have our own solution.
- Rate-limiting is not activated on web forms.
- The HSTS header does not have a minimum lifetime of 2 years (max-age=63072000; includeSubDomains; preload).
- Cipher Suites are not restricted.
- Secure flags are not supported.
- Used open-source components are analyzed as trustworthy by our best means. See the Colophon.
- The app does not use certificate pinning for all network communications.
- HTTP to HTTPS redirection (301) is supported.
- All communication with web forms is performed through HTTPS.
- Robots.txt file in website root is not supported (not applicable).
- Other versions than TLS version 1.2 or higher (1.3) are used.
- We inspect, account for, and work with our cloud supply-chain partners to correct data quality errors and associated risks.
- Controls are designed and implemented to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privilege access for all personnel.
- The used code and code libraries are up-to-date and contain no known vulnerabilities. This is periodically checked based on build reports. For web components, we run NPM audit.
- The web application always runs through HTTPS.
- No self-signed or untrusted CA certificates are used on external interfaces.
- The Application Programming Interface (API) is designed, developed, deployed, and tested in accordance with industry standards. We follow open standards defined by BuildingSmart.
- Older web browsers are supported up to a reasonable limit. See our system requirements.
- Our web application does not contain cookie banners.
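The "Supported" and "Not Supported" lists above are largely statements about HTTP response headers: version numbers in the Server header, HSTS with a two-year max-age plus includeSubDomains and preload, a CSP without unsafe directives and with reporting, a clickjacking defence (X-Frame-Options or frame-ancestors), and cookies carrying the Secure flag and a SameSite value. Since the page asks readers to self-assess, the block below is an added example, not BIMcollab's code, that scores a captured response header block against exactly those items. The two sample responses are constructed for the example; the check names and the 63072000-second threshold (taken from the HSTS item above) are the only assumptions, and the checker can be pointed at any server's headers.

```python
import re
from typing import Dict, List

# Two-year HSTS lifetime named in the checklist: max-age=63072000; includeSubDomains; preload
HSTS_MIN_MAX_AGE = 63072000

# Constructed sample responses (not captured from any real server).
WEAK_RESPONSE = """Server: Apache/2.4.41 (Ubuntu)
Strict-Transport-Security: max-age=31536000
Set-Cookie: session=abc123; Path=/
"""

HARDENED_RESPONSE = """Server: nginx
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; report-uri /csp-report
X-Frame-Options: DENY
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: locale=en; Path=/; Secure; SameSite=Strict
"""


def parse_header_block(raw: str) -> Dict[str, List[str]]:
    """Parse 'Name: value' lines into a lower-cased multi-map (Set-Cookie may repeat)."""
    headers: Dict[str, List[str]] = {}
    for line in raw.strip().splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def cookie_is_hardened(set_cookie: str) -> bool:
    """Secure flag present and SameSite set to Strict or Lax (checklist items)."""
    attrs = [part.strip().lower() for part in set_cookie.split(";")[1:]]
    samesite = next((a.split("=", 1)[1] for a in attrs if a.startswith("samesite=")), None)
    return "secure" in attrs and samesite in ("strict", "lax")


def check_headers(headers: Dict[str, List[str]]) -> Dict[str, bool]:
    """Map each checklist item to True (passes) or False (fails)."""
    results: Dict[str, bool] = {}

    # No software version numbers of the web server or framework in the headers.
    server = " ".join(headers.get("server", []) + headers.get("x-powered-by", []))
    results["no_version_in_server_headers"] = not re.search(r"\d+\.\d+", server)

    # HSTS: at least two years, covering subdomains, eligible for preload.
    hsts = headers.get("strict-transport-security", [""])[0].lower()
    match = re.search(r"max-age=(\d+)", hsts)
    results["hsts_two_years_preload"] = (
        bool(match) and int(match.group(1)) >= HSTS_MIN_MAX_AGE
        and "includesubdomains" in hsts and "preload" in hsts)

    # CSP present, free of unsafe directives, and reporting violations.
    csp = headers.get("content-security-policy", [""])[0].lower()
    results["csp_present_without_unsafe"] = (
        bool(csp) and "unsafe-inline" not in csp and "unsafe-eval" not in csp)
    results["csp_reporting"] = "report-uri" in csp or "report-to" in csp

    # Clickjacking: X-Frame-Options or the CSP frame-ancestors directive.
    xfo = headers.get("x-frame-options", [""])[0].upper()
    results["clickjacking_header"] = xfo in ("DENY", "SAMEORIGIN") or "frame-ancestors" in csp

    # Every cookie carries Secure and a Strict/Lax SameSite value.
    cookies = headers.get("set-cookie", [])
    results["cookies_secure_samesite"] = bool(cookies) and all(cookie_is_hardened(c) for c in cookies)
    return results


def failing_items(results: Dict[str, bool]) -> List[str]:
    """Names of the checklist items that did not pass, in a stable order."""
    return [name for name, passed in results.items() if not passed]


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, failing_items(check_headers(parse_header_block(raw))))
```

To assess a live service, paste the headers from the browser's network panel or from `curl -sI` into `parse_header_block`; a non-empty `failing_items` list is the gap between the service and the checklist, which is what the "Not Supported" section above records in prose.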