Trend Micro Vision One Data Privacy, Security, and Compliance

Trend Micro, a global cybersecurity leader, helps make the world safe for exchanging digital information. Fueled by decades of security expertise, global threat research, and continuous innovation, our cybersecurity platform protects hundreds of thousands of organizations and millions of individuals across clouds, networks, devices, and endpoints. As a leader in cloud and enterprise cybersecurity, our platform delivers a powerful range of advanced threat defense techniques optimized for environments like AWS, Microsoft, and Google, and central visibility for better, faster detection and response.

Trend Micro is committed to the security and privacy of our customers and their data. The following Trend Micro Vision One resources are representative of our commitment to security, privacy, transparency, and compliance with industry-recognized standards. For more information see the Trend Micro Trust Center.

The latest information on the security, privacy, and compliance details for Trend Micro Vision One is provided below.

Data Privacy

For general information on how Trend Micro protects your data, see the Trend Micro Global Privacy Notice.

Depending on the nature of the protected environment and the object that is the target of the security event (for example, files, memory, network traffic) there is a risk that personal information may be collected within a security event. Security policy configuration and module selection are provided to meet the requirements of your target environment and minimize this risk.

For more information on the data sent to Trend Micro and customer controls over that data, please read the Trend Micro Vision One Data Collection Notice.

GDPR

Trend Micro complies with applicable laws, including GDPR. For more information, see the Trend Micro GDPR Compliance site.

  • Where appropriate, we implement Technical and Organization Measures ("TOMs") to support our processing of data under GDPR.

  • As a data processor under GDPR, our processing of "personal data" is limited in a number of cases. The details on the data processed by Trend Micro Vision One and the controls available to you over that data are documented in the Trend Micro Vision One Data Collection Notice.

Trend Micro Vision One Data Collection Notice

Certain features available in Trend Micro Vision One collect and send feedback regarding product usage and detection information to Trend Micro. For more information, see the Trend Micro Vision One Data Collection Notice.

Data Security

Trend Micro adheres to industry standards for data security and provides an outline of general security practices. In addition, Trend Micro Vision One uses industry-accepted best practices to secure your data. This includes segregating individual customer data as well as encrypting data at rest and data in transit. Backup of customer data follows industry-defined best practices and our various certifications such as ISO 27001 (for access control and cryptography) and ISO 27017 (for monitoring of cloud services and segregation of environments) help define our processes for backup and data recovery.

Customers can choose an available Trend Micro Vision One region to provision the Trend Micro Vision One console, and store and process all data lake services and data. Customers can assign roles to users which limit access rights to Trend Micro Vision One, including but not limited to, granting support access, initiating response actions, collecting files from endpoints, and limiting users to read-only access.

Data at rest is protected by the native cloud technologies in the cloud on which it resides. Customer data is tagged with a “Customer ID” during ingestion as part of the data schema. The internal data access layer of Trend Micro applications requires this “Customer ID” parameter to access the data. This measure protects the customer data from being accessed by any other party as queries may only access one “Customer ID” at a time. Customers do not provide the “Customer ID” directly when interacting with the service; it is handled by the application itself. This ensures that there is no way for a malicious actor to pass the wrong customer ID to access another data set.

Trend Micro Vision One uses TLS 1.2 wherever possible for data transmission.

Supported Ciphers:

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • TLS_RSA_WITH_AES_128_GCM_SHA256

  • TLS_RSA_WITH_AES_128_CBC_SHA256

  • TLS_RSA_WITH_AES_256_GCM_SHA384

  • TLS_RSA_WITH_AES_256_CBC_SHA256
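To show what the list above implies for a connecting client, here is an added check (not Trend Micro's code) that parses each IANA suite name into its key exchange, cipher and mode and flags the suites that lack forward secrecy (static RSA key transport) or authenticated encryption (CBC rather than GCM); the parser also handles ECDSA and ChaCha20 suites that are not on the page.

```python
from dataclasses import dataclass

# The TLS 1.2 cipher suites listed on this page as supported by Trend Micro Vision One.
SUPPORTED_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
]

FORWARD_SECRET_KEX = {"ECDHE", "DHE"}    # ephemeral (EC)DH: a fresh key per session
AEAD_MODES = {"GCM", "CCM", "POLY1305"}   # authenticated encryption; CBC is not


@dataclass(frozen=True)
class SuiteProfile:
    name: str
    key_exchange: str
    authentication: str
    cipher: str
    key_bits: int
    mode: str
    prf_hash: str

    @property
    def forward_secrecy(self) -> bool:
        return self.key_exchange in FORWARD_SECRET_KEX

    @property
    def aead(self) -> bool:
        return self.mode in AEAD_MODES


def parse_suite(name: str) -> SuiteProfile:
    """Split an IANA TLS 1.2 suite name (TLS_<kex>[_<auth>]_WITH_<bulk>) into its parts."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not a TLS 1.2-style suite name: {name}")
    kex_auth, bulk = name[4:].split("_WITH_", 1)
    if "_" in kex_auth:
        kex, auth = kex_auth.split("_", 1)
    else:
        kex = auth = kex_auth  # static RSA: the certificate key also transports the premaster secret
    parts = bulk.split("_")
    cipher, mode, prf_hash = parts[0], parts[-2], parts[-1]
    key_bits = next((int(p) for p in parts[1:-2] if p.isdigit()), 256 if cipher == "CHACHA20" else 0)
    return SuiteProfile(name, kex, auth, cipher, key_bits, mode, prf_hash)


def assess(suites):
    """Partition suites into preferred (forward-secret AEAD) and a dict of findings for the rest."""
    preferred, findings = [], {}
    for p in map(parse_suite, suites):
        issues = []
        if not p.forward_secrecy:
            issues.append("no forward secrecy: static RSA key exchange")
        if not p.aead:
            issues.append(f"non-AEAD {p.mode} mode")
        if issues:
            findings[p.name] = issues
        else:
            preferred.append(p.name)
    return preferred, findings


if __name__ == "__main__":
    ok, weak = assess(SUPPORTED_SUITES)
    print("prefer:", *ok, sep="\n  ")
    for name, issues in weak.items():
        print(name, "->", "; ".join(issues))
```

Of the eight suites on the page only the two ECDHE GCM suites pass both checks; a client that can negotiate them should put them first in its preference list.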

Data Segregation

All customer information is segregated to ensure that customers have access to only their own data. Customer data is tagged with a “Customer ID” during ingestion as part of the data schema. The internal data access layer of the Trend Micro application requires this “Customer ID” parameter to access the data. This measure protects the customer data from being accessed by any other party, as queries may only access the specific “Customer ID” that the customer is authenticated to. Customers do not provide the “Customer ID” directly when interacting with the service; it is handled by the application itself. This ensures there is no way for a malicious actor to pass the wrong customer ID to access another data set.
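The per-customer scoping described here and under Data Security above, as an added illustration that is not Trend Micro's code: the customer identifier is bound to the authenticated session, the data access layer refuses any query without one, and the public handler never reads a customer ID from the client request, so a spoofed one has no effect. The SQLite table, tokens and events are constructed sample data.

```python
import sqlite3
from dataclasses import dataclass

# Constructed sample data: events ingested for two tenants, each row tagged with a customer_id.
SAMPLE_EVENTS = [
    ("cust-A", "malware", "trojan.gen detected on host-a1"),
    ("cust-A", "network", "outbound to 203.0.113.5 blocked"),
    ("cust-B", "malware", "ransom.x detected on host-b7"),
]
# Constructed session store: an opaque bearer token maps to an authenticated principal.
SESSIONS = {"tok-alice": ("alice@a.example", "cust-A"), "tok-bob": ("bob@b.example", "cust-B")}


@dataclass(frozen=True)
class Session:
    user: str
    customer_id: str  # taken only from the authenticated token, never from the request body


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, customer_id TEXT NOT NULL, "
                 "event_type TEXT NOT NULL, payload TEXT NOT NULL)")
    conn.executemany("INSERT INTO events (customer_id, event_type, payload) VALUES (?, ?, ?)",
                     SAMPLE_EVENTS)
    return conn


def authenticate(token):
    try:
        user, cid = SESSIONS[token]
    except KeyError:
        raise PermissionError("unknown token")
    return Session(user, cid)


class DataAccessLayer:
    """Internal query layer: customer_id is mandatory and every query is bound to exactly one."""

    def __init__(self, conn):
        self.conn = conn

    def events(self, customer_id, event_type=None):
        if not customer_id:
            raise ValueError("customer_id is required")
        sql = "SELECT customer_id, event_type, payload FROM events WHERE customer_id = ?"
        params = [customer_id]
        if event_type:
            sql += " AND event_type = ?"
            params.append(event_type)
        return self.conn.execute(sql, params).fetchall()


def search_events(dal, token, request):
    """Public API handler. The request may carry any fields, including a 'customer_id';
    the handler never reads that field and scopes the query to the session's tenant."""
    session = authenticate(token)
    return dal.events(session.customer_id, event_type=request.get("event_type"))


if __name__ == "__main__":
    dal = DataAccessLayer(build_db())
    # A client that names another tenant's customer_id in the request still sees only its own rows.
    for row in search_events(dal, "tok-alice", {"customer_id": "cust-B", "event_type": "malware"}):
        print(row)
```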

Customer contact details, such as their email address, are encrypted at rest to ensure confidentiality. Data collected by Trend Micro Vision One is listed in the Trend Micro Vision One Data Collection Notice.

Data Encryption

Information processed by Trend Micro Vision One is encrypted both in transit and at rest, and is sent to a Trend Micro Vision One node in the region the customer selects during initial setup.

At Rest: Data at rest is protected by the native technologies of the cloud on which it resides. For Azure SQL, the database is encrypted by Transparent Database Encryption. Trend Micro's proprietary architecture within AWS utilizes native AES-256 encryption for the data lake contents at rest.

In Transit: Trend Micro Vision One uses TLS 1.2 wherever possible for data transmission. Trend Micro manages the management console and client-server communication encryption for the customer using cloud-native key management infrastructure.

Data Access

All access to Trend Micro offices and networks is strictly controlled to authorized or accompanied individuals only. Access is given through a key card system and approval is required before entry is granted into sensitive areas. The Trend Micro Vision One platform and data lake infrastructure reside within Microsoft Azure and AWS.

Trend Micro Vision One is hosted in a highly restricted subnet with no direct internet access. Only a limited set of administrators have access to Trend Micro Vision One for maintenance tasks. Operator access is done over secure encrypted connections and secured with multiple layers of network and access controls.

Access to information in Trend Micro Vision One is restricted to Trend Micro Site Reliability Engineers (SREs), the threat research and analytics teams, and, when explicitly enabled in the console, the customer support teams. Access is allowed for the purposes of troubleshooting, solving issues, and improving the effectiveness of security protections. All access is recorded and audited. Access privileges are managed and approved by the product leadership team. Information in Trend Micro Vision One may be accessed/viewed by the above Trend Micro teams from physical locations outside of the customer's deployed region.

Access is restricted to certain allowed IP addresses and is monitored in a SIEM. Alerts are generated for any suspicious access. Investigation of alerts is done according to incident management procedures.

Sub-contractors are not used in the development or operation of Trend Micro Vision One.

Security Logs

Trend Micro Vision One uses the Trend Micro Cloud One agent to monitor: Anti-Malware, Firewall, Intrusion Prevention, Integrity Monitoring, and Log Inspection. All access to the infrastructure is monitored and recorded through native security services offered by the Cloud Service provider.

Trend Micro Vision One enables automated alerts and employs 24/7 on-call staff. Security alerts are reviewed for all systems on a daily basis. If a security incident is suspected, it is immediately reported to the Trend Micro Security Operations Center (SOC). Potential incidents are prioritized based on the severity of the suspected incident and a team from the SOC, as well as technical experts, is assigned to investigate.

These logs remain in the region that is hosting the Trend Micro Vision One account and customers do not have access to these logs. For more information on what regions are covered by Trend Micro Vision One, see Trend Micro Vision One Data Center Locations.

Audit Logs are generated and stored for all user access and actions in Trend Micro Vision One systems. Trend Micro Vision One retains the audit logs for 180 days. Customers can view customer access logs in their console, and can export them if needed.

Data Retention

With regard to log retention, Trend Micro Vision One applies retention policies that purge data once it is no longer needed for the purpose for which it was collected. Trend Micro Vision One retains the collected raw information for 30 days by default, unless the customer purchases an extended storage option (up to a maximum of 365 days). Trend Micro Vision One also generates and retains alert workbenches for 180 days to give customers time for investigation/reporting. If a customer license expires, all data is deleted after a 30-day grace period.

Classification: Non-Personal Data
Retention Period: Up to 7 years
Example: Executable, hashes of data, irreversible meta-data, hardware or environmental profile, installed application information, numeric data and statistics, license AC code, product or device GUID/UUID, randomly generated access token, etc.
Others: Company name/asset/entity, organization, network group name, domain name, subnet IP, hostname/IP/MAC of non-personal devices, employee's private information (for example, compensation, performance evaluation), password
Notes: Common data that cannot be used to directly identify a person

Classification: Personal Data
Retention Period: Up to 3 years
Example: Personal Identifier: Person's name, personal digital identifier (username, account name, social ID, AD/LDAP account credentials, email address, hostname, IP address, MAC address), personal identifier (social security number, national ID, passport number, driver's license, vehicle license plate, etc.)
User-metadata (only when including or associated with a personal identifier): URL, browsing history, path/filename, computer program behavior log, debug log, support collected data, age, birthday, gender, contact info (address, phone/fax number, etc.), geo-location, network metadata
Notes: Personally Identifiable Information (PII): data related to identifying a natural person. Personal data: data that can be used to directly or indirectly identify a natural person. User-metadata is only considered personal when we also collect the identity of the natural person at the same time.

Classification: Personal Data
Retention Period: Up to 1 week
Example: Personal data with reduced retention period: Documents (Office files, PDF, text, social media user-content, etc.), email body and attachments, network traffic pcap files, photo, video
Notes: These types of personal data may contain a lot of content that may include sensitive information and should be retained for the minimum length by default. Longer retention is permitted if the user manually changes the retention duration in policy.

Classification: Sensitive Personal Data
Retention Period: Up to 3 days
Example: Health data, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic or bio-metric information, etc.
Notes: Sensitive information associated with a natural person

Note:

"Sensitive personal data" is classified when: (a) the product knows the data is sensitive when processing, such as a product GUI asking the user to provide their health data, or (b) the product has proper technology to determine whether the data is sensitive.

Note:

Encryption does not change or affect data classification except when a Trend Micro product or service has no access to the plain-text data or decryption key.
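The classification rules in the table and the two notes, worked through as an added example that is not Trend Micro's code: the shortest applicable period wins, user-metadata counts as personal only alongside a personal identifier, fields stored encrypted with no plaintext or key access do not affect classification, and only the reduced-retention class may be extended by policy. The field vocabulary is a constructed stand-in for the table's examples.

```python
from datetime import date, timedelta
from enum import Enum


class Classification(Enum):
    NON_PERSONAL = "Non-Personal Data"
    PERSONAL = "Personal Data"
    PERSONAL_REDUCED = "Personal Data (reduced retention period)"
    SENSITIVE = "Sensitive Personal Data"


# Maximum retention per class, as given in the table above.
MAX_RETENTION = {
    Classification.NON_PERSONAL: timedelta(days=7 * 365),
    Classification.PERSONAL: timedelta(days=3 * 365),
    Classification.PERSONAL_REDUCED: timedelta(weeks=1),
    Classification.SENSITIVE: timedelta(days=3),
}

# Constructed field kinds, grouped the way the table groups its examples.
IDENTIFIERS = {"name", "username", "email", "hostname", "ip", "mac", "ssn", "passport"}
USER_METADATA = {"url", "browsing_history", "path", "debug_log", "geolocation", "phone"}
CONTENT = {"document", "email_body", "attachment", "pcap", "photo", "video"}
SENSITIVE = {"health", "sexual_orientation", "ethnicity", "political", "religion",
             "union", "genetic", "biometric"}


def classify(fields, opaque_fields=()):
    """fields: kinds present in a record. opaque_fields: kinds held encrypted where the service
    has neither the plaintext nor the key; per the second note these do not count."""
    visible = set(fields) - set(opaque_fields)
    if visible & SENSITIVE:
        return Classification.SENSITIVE          # 3 days: the shortest period applies
    if visible & CONTENT:
        return Classification.PERSONAL_REDUCED   # documents, pcap, mail bodies: 1 week
    if visible & IDENTIFIERS:
        return Classification.PERSONAL           # identifier, with or without user-metadata
    # user-metadata without a personal identifier is not personal data (table note)
    return Classification.NON_PERSONAL


def purge_date(ingested, fields, opaque_fields=(), policy_override=None):
    """Return (classification, date after which the record must be purged)."""
    cls = classify(fields, opaque_fields)
    keep = MAX_RETENTION[cls]
    # the table permits a longer period only for the reduced-retention class, and only
    # when the user changes the retention duration in policy explicitly
    if policy_override is not None and cls is Classification.PERSONAL_REDUCED:
        keep = policy_override
    return cls, ingested + keep


if __name__ == "__main__":
    today = date(2024, 1, 1)
    for fields in ({"hash", "guid"}, {"url", "debug_log"}, {"url", "email"},
                   {"pcap", "hostname"}, {"health", "name"}):
        cls, until = purge_date(today, fields)
        print(sorted(fields), "->", cls.value, "until", until)
```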

Data Backup

Trend Micro Vision One databases are backed up and kept separately with multiple copies. Validation testing of backed-up data is performed periodically for disaster recovery purposes. Backup standards and policies, procedures, and controls are verified, documented, and audited internally and by third-party assessors. Over the last year, Trend Micro Vision One has had 99.9% uptime (excluding pre-scheduled maintenance windows).

Disaster Recovery and Business Continuity (DR)

Trend Micro prepares Information Processing Operation business continuity plans (BCPs) based on the results of the business impact analysis (BIA) and performs the BCP drill at least once a year. The BCP is covered under our ISO 27001 certification.

Backups are stored to mitigate the risk of issues within a single region. DR simulations are executed periodically to verify the data and RTO/RPO claims. Over the last year, Trend Micro Vision One has had 99.9% uptime (excluding pre-scheduled maintenance windows).

The Trend Micro Vision One platform and data lake reside within Microsoft Azure and AWS. The Trend Micro Vision One platform utilizes service-to-service connections to facilitate the operations of an advanced detection and response system. For more information, please refer to https://success.trendmicro.com/solution/000282728.

Data Deletion

Trend Micro is committed to protecting customers' privacy and personal information. Please visit https://www.trendmicro.com/en_us/about/trust-center/privacy/gdpr/individual-rights.html for more information.

ISO 27001 contains provisions for data destruction. Trend Micro Vision One, Microsoft Azure, and AWS are ISO 27001 compliant.

Customers may start a data deletion request by sending an email to Trend Micro at gdpr@trendmicro.com.

Employee Training

Trend Micro Vision One software developers are trained in secure coding practices using an industry-standard curriculum based on SANS 25/OWASP Top 10. Education campaigns are conducted on an annual basis and when an employee joins the company. All employees must adhere to Trend Micro internet, computer, remote access, and mobile device acceptable use policies. Failure to comply with these policies may result in disciplinary actions, which could include termination. The Trend Micro Vision One development teams employ specialized staff to handle product security. Security testing, secure code review, and threat modeling are part of the development life-cycle. For more information about our secure coding best practices, see the Trend Micro Trust Center for Compliance.

Trend Micro adheres to the following password policies and standards:

  • All passwords must be changed at least on a quarterly basis.

  • Passwords must not be inserted into email messages or other forms of electronic communication.

  • Passwords must not be shared or revealed to anyone.

  • Passwords must be changed immediately if compromise is suspected.

  • Passwords must be encrypted during transmission and stored hashed with a salt.

  • Passwords must be at least eight alphanumeric characters long.

  • Passwords must contain both upper and lower case characters (for example, a-z, A-Z).

  • Password reuse prevention is enforced.

  • Passwords must not be based on personal information, names of family, and so on.

Change Control

Ensuring that our customers continue to receive the latest security capabilities in a safe, reliable way is a key priority for our team. In addition to the development practices around code review, functional testing, and scale testing, as well as our vulnerability scanning and penetration testing, we take a number of steps to ensure that any service updates are introduced in a safe and controlled way. All service updates are introduced in small, incremental updates that are rolled out first to a staging environment and then to production. Each change is closely monitored and multiple procedures are in place, both automated and manual, to handle situations that may arise. All updates to the service are introduced transparently to customers, and can be rolled back transparently, should any unforeseen issues arise.

Application upgrades within the Trend Micro Vision One environment are completed after meeting our quality objectives. Trend Micro uses best practices for changes, including full backups and approval processes. Trend Micro Vision One has multiple dedicated development and testing environments. Any changes requested are first reviewed by technical stakeholders to determine the urgency and potential impact of the changes. All changes require a documented back-out plan. These changes are tracked and recorded in a change control system.

Vulnerability Management

Vulnerabilities are continuously monitored and tracked. Each vulnerability is assigned a CVSS score. Patching requirements that specify time frames for addressing a vulnerability according to CVSS-based severity are included in the Secure Development Compliance Policy. The Trend Micro Vision One software in the Trend Micro Vision One environment is updated once every two weeks to use the latest available code base, including vulnerability fixes. The Trend Micro Vision One team is responsible for patching the Trend Micro Vision One software and supporting AWS and Microsoft Azure services.

Code Analysis

Trend Micro source code is scanned with static code analysis using industry-standard tools like Fortify, BlackDuck, and more, which are deployed at every development stage or phase. Third-party vulnerabilities are also scanned by industry-leading software monthly. Security testing, secure code review, and threat modeling are also part of the development lifecycle of all Trend Micro products.

Trend Micro Vision One goes through strict quality checks from the development phase up to the GM release. After release, teams perform vulnerability scans weekly, in an automated fashion. The severity of vulnerabilities is rated using the CVSS score. Third-party penetration tests are conducted annually on the SaaS environment and cover application, external and internal network, and segmentation tests. Critical vulnerabilities are required to be fixed within one month or addressed through mitigation or workaround.

Penetration Testing

The Trend Micro Vision One platform undergoes regular security assessments, both automated and manual, including external third-party assessments.

Penetration tests are conducted by third-party security experts to detect and rectify common security issues. The scope of the third-party penetration tests includes application security tests, internal and external network scans, and network segmentation tests. Trend Micro can provide the penetration test report upon request. Trend Micro InfoSec conducts web application assessments of Trend Micro Vision One for any major release and at least annually using leading dynamic analysis security tools.

For more information about our vulnerability response program, see the Trend Micro Vulnerability Response site.

Incident Response

Trend Micro has a dedicated Information Security (InfoSec) team that is responsible for ensuring compliance with Trend Micro security policies. Trend Micro Vision One engineers immediately contact the InfoSec team when a security incident is discovered. In addition, InfoSec independently monitors Trend Micro Vision One environment logs. If a security incident is discovered, the incident is prioritized based on severity. A dedicated team of technical experts is assigned to investigate, advise on containment procedures, perform forensics, and manage communication. Following an incident, the team examines the root cause, and revises the response plan accordingly. In the event of a breach involving customer data, Trend Micro will follow its obligations under GDPR. For more information, see the Trend Micro GDPR Compliance site.

Certifications

ISO 27001, ISO 27014, ISO 27034-1, ISO 27017 and SOC2

Trend Micro and Trend Micro Cloud Services undergo yearly audits by trusted external auditors to ensure we're adhering to industry best practices. ISO 27001 is a global standard and is used to define the overall Information Security Management System for Trend Micro. ISO 27001 covers items such as human resource security, access control, operations security, and information security incident management. SOC Type II certification is used to validate the security controls over our IT systems and includes Trend Micro internal systems as well as its SaaS offerings. SOC Type II controls include items such as security (firewalls, IPS, and more), availability (disaster recovery and incident handling), confidentiality (encryption and access control), privacy and processing integrity (quality assurance).

Trend Micro Vision One is certified for ISO 27001, 27014, 27034-1, and 27017. You can find the compliance certificates on the Trend Micro Trust Center for Compliance.

Trend Micro Vision One is currently undergoing SOC 2 and SOC 3 audits for the Trend Micro Vision One platform to demonstrate its strong security policies and internal controls environment. This is scheduled to be completed in 2022. For more information, please refer to https://success.trendmicro.com/solution/000282728.