Trend Micro Cloud One™ data privacy, security, and compliance

Trend Micro, a global cybersecurity leader, helps make the world safe for exchanging digital information. Fueled by decades of security expertise, global threat research, and continuous innovation, our cybersecurity platform protects hundreds of thousands of organizations and millions of individuals across clouds, networks, devices, and endpoints. As a leader in cloud and enterprise cybersecurity, our platform delivers a powerful range of advanced threat defense techniques optimized for environments like AWS, Microsoft, and Google, and central visibility for better, faster detection and response.

Trend Micro is committed to the security and privacy of our customers and their data. The following Trend Micro Cloud One resources are representative of our commitment to security, privacy, transparency, and compliance with industry-recognized standards.  For more information see the Trend Micro Trust Center.

The latest information on the security, privacy, and compliance details for Trend Micro Cloud One is provided below.

Privacy	Security	Compliance
Data Privacy GDPR Trend Micro Cloud One Data Collection Notices	Data Security Data Segregation Data Encryption Data Access Security Logs Disaster Recovery and Business Continuity Data Deletion Employee Training Change Control Vulnerability Managment Code Analysis Penetration Testing Incidence Response	PCI DSS ISO 27001 ISO 27014 ISO 27017 SOC

Data Privacy

For general information on how Trend Micro protects your data, see the Trend Micro Global Privacy Notice.

Depending on the nature of the protected environment and the object that is the target of the security event (for example, files, memory, network traffic) there is a risk that personal information may be collected within a security event. Security policy configuration and module selection are provided to meet the requirements of your target environment and minimize this risk.

For more information on the data sent to Trend Micro and customer controls over that data, please read the Trend Micro Cloud One Data Collection Notices.

GDPR

Trend Micro complies with applicable data protection laws, including GDPR. For more information, see the Trend Micro GDPR Compliance site.

• Where appropriate, we implement Technical and Organization Measures (“TOMs”) to support our processing of data under GDPR.
• As a data processor under GDPR, our processing of 'personal data' is limited in a number of cases. The details on the data processed by Trend Micro Cloud One and the controls available to you over that data are documented in the Data Collection Disclosure Notices for each Trend Micro Cloud One service.

Trend Micro Cloud One Data Collection Notices

The Data Collection Notices for each of the Trend Micro Cloud One services are in the Trend Micro Cloud One Data Collection Disclosure Notices.

When an account is created in a specific Trend Micro Cloud One region, all Trend Micro Cloud One infrastructure is in that region and this may help with concerns for data residency and data sovereignty. For more information on what regions are covered by Cloud One see Trend Micro Cloud One Regions.

Trend Micro Cloud One: Creating new accounts in Trend Micro Cloud One requires creating new users and roles as well as providing subscription information. As a result, Trend Micro Cloud One may process personal data. For more information, see the Trend Micro Cloud One Data Collection Disclosure Notice.

Trend Micro Cloud One - Workload Security: Workload Security is responsible for protecting your workloads. Consequently, Workload Security may process personal data. For example, when a security or system event takes place, some of the information processed may contain personal data such as IP addresses. The logging data created by Workload Security may also contain personal data such as administrator names and IDs. For more information, see the Trend Micro Cloud One - Workload Security Data Collection Disclosure Notice.

Trend Micro Cloud One - Conformity: Conformity requires access to your cloud account data to run rules and provide monitoring services. Account access is initially granted when you add your cloud account to the service and can be modified for existing accounts. You can configure the account access policy/rules to allow access to and collection of your cloud environment’s metadata. For more information, see the Trend Micro Cloud One - Conformity Data Collection Disclosure Notice.

Trend Micro Cloud One - Container Security: Container Security connects to your Kubernetes environment using an API key and does not collect personal information. For more information, see the Trend Micro Cloud One - Container Security Data Collection Disclosure Notice.

Trend Micro Cloud One - File Storage Security: File Storage Security is deployed using AWS CloudFormation stacks. One to three stacks will be deployed depending on the solution selected. The collected information is stored in File Storage Security and is used for managing stacks and does not contain personal information. For more information,see the Trend Micro Cloud One - File Storage Security Data Collection Disclosure Notice.

Trend Micro Cloud One - Application Security: Cloud One Application Security connects to your applications using an API key and does not collect personal information. For more information, see the Trend Micro Cloud One - Application Security Data Collection Disclosure Notice.

Trend Micro Cloud One - Network Security: Cloud One Network Security is deployed using AWS CloudFormation stacks. The collected information does not contain personal information. For more information, see the Trend Micro Cloud One - Network Security Data Collection Disclosure Notice.

Trend Micro Cloud One - Open Source Security by Snyk: Cloud One Open Source Security by Snyk is a partnership between Trend Micro and Snyk. As such when you choose to use Open Source Security by Snyk, you will be transferred to the Snyk.io interface. The Snyk.io data privacy information is here: https://snyk.io/policies/privacy/. For more information, see the Trend Micro Cloud One - Open Source Security by Snyk Data Collection Disclosure Notice.

Data Security

Trend Micro adheres to industry standards for data security and provides an outline of general security practices. In addition, Trend Micro Cloud One uses industry accepted best practices to secure your data. This includes segregating individual customer data as well as encrypting data in transit. Backup of customer data follows industry-defined best practices and our various certifications such as ISO 27001 (for access control and cryptography) and ISO 27017 (for monitoring of cloud services and segregation of environments) help define our processes for backup and data recovery.

Data Segregation

For each Trend Micro Cloud One service, all customer information is segregated to ensure that customers have access to only their own data. Customer contact details, such as their email address, are encrypted at rest to ensure confidentiality. Data collected by the Trend Micro Cloud One services is listed in the Trend Micro Cloud One Data Collection Disclosure Notices.

Data Encryption

At Rest: Data elements are protected with database-agnostic application-level encryption using AES 256 GCM (for example, databases and backups).

In Transit: A minimum of TLS 1.2 is used for all internal network communication. A minimum of TLS 1.2 is used for communication between the security agent and Trend Micro Cloud One (See Use TLS 1.2 with Workload Security). Customers are responsible for ensuring that the security agent is kept up to date to make use of the latest available cryptography and security fixes. Details on ciphers used by the security agent and connections to Trend Micro Cloud One are here: Communication between Workload Security and the agent.

Data Access

All access to Trend Micro offices and networks is strictly controlled to authorized or accompanied individuals only. Access is given through a key card system and approval is required before entry is granted into sensitive areas. The Trend Micro Cloud One infrastructure is hosted in AWS.

Trend Micro Cloud One is hosted in a highly restricted subnet with no internet access. Only a limited set of administrators have access to Trend Micro Cloud One for maintenance tasks. Operator access is done over secure encrypted connections and secured with multiple layers of network and access controls.

Access is restricted to certain allowed IPs and is monitored in a SIEM. Alerts are generated for any suspicious access. Investigation of alerts is done according to incident management procedures.

Sub-contractors are not used in the development nor operation of Trend Micro Cloud One.

Security Logs

Trend Micro Cloud One services use Cloud Trail, CloudWatch, and Amazon GuardDuty to monitor the services. In addition, where workloads are being used in the services, Trend Micro Cloud One uses the Trend Micro Cloud One agent to monitor: Anti-Malware, Firewall, Intrusion Prevention, Integrity Monitoring, and Log Inspection.

Trend Micro Cloud One enables automated alerts and employs 24/7 on-call staff. Security logs are reviewed for all systems on a daily basis. If a security incident is suspected, it is immediately reported to the Trend Micro Security Operations Center (SOC). Potential incidents are prioritized based on the severity of the suspected incident and a team from the SOC, as well as technical experts, is assigned to investigate.

These logs remain in the region that is hosting the Trend Micro Cloud One account and customers do not have access to these logs. For more information on what regions are covered by Cloud One see Trend Micro Cloud One Regions.

Data Backup

Trend Micro Cloud One backups are conducted daily. Automated tests are run weekly to validate the consistency of our backups and backups are stored to mitigate the risk of issues within a single region. Backups are kept for 35 days before they are destroyed.

Disaster Recovery and Business Continuity (DR)

Trend Micro Cloud One has a disaster recovery (DR) and business continuity plan (BCP). A Disaster Recovery (DR) simulation is executed at least annually to verify the backup data and RTO/RPO claims under ISO 27001.

The Trend Micro Cloud One current RTO and RPO claims are outlined in the Trend Micro Cloud One Service Level Agreement.

The R&D operations team monitors a number of key metrics in Trend Micro Cloud One on a 24x7 basis:

• Canary tenants that represent customer workloads that we monitor
• Splunk monitoring of metrics including, but not limited to, memory, CPU, connections, job/heartbeat throughput, heartbeat failures, database transactions
• Site24x7 to have a third party monitor our interfaces
• PagerDuty for 24/7 alerting

Our objective is to proactively act on the initial indication of problems in our operational metrics, to allow us to correct or mitigate issues before they become customer-visible.

Cloud One Workload Security: Any service impact, scheduled or unscheduled, does not impact the protection provided by existing agents running on customer workloads. Agents activated prior to the service impact continue to provide protection on the computers on which they are running until access to the service is restored. Events are queued as long as the computer has enough disk space and the agent transmits events to Trend Micro Cloud One the next time that they connect. Agents automatically reconnect once service is restored.

Data Deletion

The process to cancel your account and timeline for deletion of data is here: Cancel Your Account.

ISO 27001 contains provisions for data destruction. Both Trend Micro Cloud One and AWS are ISO 27001 compliant.

Customers may start a data deletion or porting request by sending an email to the Trend Micro legal team at gdpr@trendmicro.com.

Employee Training

Trend Micro Cloud One software developers are trained in secure coding practices using an industry-standard curriculum based on SANS 25/OWASP Top 10/PCI 6.5. Education campaigns are conducted on an annual basis and when an employee joins the company. All employees must adhere to Trend Micro internet, computer, remote access, and mobile device acceptable use policies. Failure to comply with these policies may result in disciplinary actions, which could include termination. All new employees and contractors are required to complete a criminal background check. The Trend Micro Cloud One development teams employ specialized staff to handle product security. Security testing, secure code review, and threat modeling are part of the development lifecycle. For more information about our secure coding best practices, see the Trend Micro Trust Center for Compliance.

Trend Micro adheres to the following password polices and standards:

• All passwords must be changed at least on a quarterly basis.
• Passwords must not be inserted into email messages or other forms of electronic communication.
• Passwords must not be shared or revealed to anyone.
• Passwords must be changed immediately if compromise is suspected.
• Passwords must be encrypted during transmission and stored hashed with a salt.
• Passwords must be at least eight alphanumeric characters long.
• Passwords must contain both upper and lower case characters (for example, a-z, A-Z).
• Password reuse prevention is enforced.
• Passwords must not be based on personal information, names of family, and so on.

Change Control

Ensuring that our customers continue to receive the latest security capabilities in a safe, reliable way is a key priority for our team. In addition to the development practices around code review, functional testing, and scale testing, as well as our vulnerability scanning and penetration testing, we take a number of steps to ensure that any service updates are introduced in a safe and controlled way. All service updates are introduced in small, incremental updates that are rolled out first to a staging environment and then to production. Each change is closely monitored and multiple procedures are in place, both automated and manual, to handle situations that may arise. All updates to the service are introduced transparently to customers, and can be rolled back transparently, should any unforeseen issues arise.

Application upgrades within the Trend Micro Cloud One environment are completed after meeting our quality objectives. Trend Micro uses best practices for changes, including full backups and approval processes. Trend Micro Cloud One has multiple dedicated development and testing environments. Any changes requested are first reviewed by technical stakeholders to determine the urgency and potential impact of the changes. All changes require a documented back-out plan. These changes are tracked and recorded in a change control system.

Vulnerability Management

Vulnerabilities are continuously monitored and tracked. Each vulnerability is assigned a CVSS score. Patching requirements that specify time frames for addressing a vulnerability according to CVSS-based severity are included in the Secure Development Compliance Policy. The Trend Micro Cloud One software in the Trend Micro Cloud One environment is updated weekly to use the latest available code base, including vulnerability fixes. The Trend Micro Cloud One team is responsible for patching the Trend Micro Cloud One software and supporting AWS services. Customers are responsible for updating the security agents deployed on their workloads.

Code Analysis

Vulnerability scans of the Trend Micro Cloud One production environments are performed weekly by a PCI authorized scanning vendor (ASV), Tenable.io. A PCI ASV attestation is obtained quarterly. The same vendor is used for automated weekly internal scans of the Trend Micro Cloud One environments. The Trend Micro Cloud One code base is scanned weekly using a leading static analysis security tool. The development team receives automated alerts if new issues are identified, and a clean scan is a requirement for each product release. Third-party components included with Trend Micro Cloud One are monitored continuously using a leading software composition analysis tool.

Penetration Testing

Trend Micro Cloud One production environments undergo yearly penetration tests. The scope of the third-party penetration tests includes application security tests, internal and external network scans, and network segmentation tests. Trend Micro can provide the penetration test report upon request. Trend Micro InfoSec conducts web application assessments of Trend Micro Cloud One for any major release and at least annually using leading dynamic analysis security tools.

For more information about our vulnerability response program, see the Trend Micro Vulnerability Response site.

Incidence Response

Trend Micro has a dedicated Information Security (InfoSec) team that is responsible for ensuring compliance with Trend Micro security policies. Trend Micro Cloud One engineers immediately contact the InfoSec team when a security incident is discovered. In addition, InfoSec independently monitors Trend Micro Cloud One environment logs. If a security incident is discovered, the incident is prioritized based on severity. A dedicated team of technical experts is assigned to investigate, advise on containment procedures, perform forensics, and manage communication. Following an incident, the team examines the root cause, and revises the response plan accordingly. In the event of a breach involving customer data, Trend Micro will follow its obligations under GDPR. For more information, see the Trend Micro GDPR Compliance site.

If you suspect a security incident, please contact us at the Trend Micro Technical Support site.

Certifications

ISO 27001, ISO 27014, ISO 27017 and SOC2

Trend Micro and Trend Micro Cloud Services undergo yearly audits by trusted external auditors to ensure we’re adhering to industry best practices. ISO 27001 is a global standard and is used to define the overall Information Security Management System for Trend Micro. ISO 27001 covers items such as human resource security, access control, operations security and information security incident management. SOC Type II certification is used to validate the security controls over our IT systems and includes Trend Micro internal systems as well as it’s SaaS offerings. SOC Type II controls include items such as security (firewalls, IPS, etc.), availability (Disaster recovery and incident handling), confidentiality (encryption and access control), privacy and processing integrity (quality assurance).

Trend Micro Cloud One is certified for ISO 27001, 27014, and 27017 and you can find the compliance certificates on the Trend Micro Trust Center for Compliance.

Trend Micro Cloud One has completed a SOC 2 TYPE 2 evaluation and you can find the SOC 3 report and the request form for the SOC 2 report on the Trend Micro Trust Center for Compliance.

PCI DSS

Trend Micro Cloud One completed the PCI Data Security Standards 3.2.1 assessment as a Level 1 Service Provider. PCI-DSS is meant to increase controls around cardholder data and includes controls such as maintaining security networks and systems, protection of personal data, and system maintenance and vulnerability management.

The Trend Micro Cloud One PCI Attestation of Compliance (AOC) is available on the Trend Micro Trust Center for Compliance. AWS is also PCI certified.