Trustable Technology Mark application form
The Trustable Technology Mark is an initiative by ThingsCon e.V. to create a trustmark for the Internet of Things (IoT).

Learn more at https://trustabletech.org and at ThingsCon.org. Development of the Trustable Technology Mark is supported by Mozilla Foundation through a fellowship for ThingsCon Co-Founder and Chair Peter Bihr.

HOW DOES THIS FORM WORK?

The Trustmark application form consists of about 50 questions across 5 "dimensions" or focus areas: Privacy & Data Protection, Security, Transparency, Stability and Openness. Our experts review the answers and might follow up with you; once all potential issues are sorted out, the final results (minus your non-public contact details) will be published in full online under a Creative Commons (by) license, on trustabletech.org. Publishing this information is part of the Trustable Technology Mark requirements.

NOTES FOR FILLING OUT THIS APPLICATION

Most questions follow the format YES/NOT APPLICABLE/NO:
- If the answer is YES please explain what that means concretely for your context.
- If the answer is NOT APPLICABLE, please explain why.

Questions that REQUIRE a YES are marked with a red asterisk. For these questions, an affirmative answer plus explainer is required unless sufficient reasons are given why in the context of this device this would counter trustworthiness. (Within reason, up to two NO answers are acceptible unless they are highly problematic in the context of your product.)

The other questions are voluntary, but we strongly urge you to fill out all questions. The extra answers serve to provide more transparency for your users and help our reviewers make a better informed decision. Also, extra points beyond the minimum requirement might in the future be used for extra levels of Trustmark achievements.

Please keep it concise. Providing links is OK if they are meaningful. As a guideline, make this as clear and easy to understand as possible.

We are aware that IoT is a big field with many edge cases and that not every question might apply meaningfully to your device, and we take that into account. If a question doesn't apply for your context, please mark it as NOT APPLICABLE and explain why.

Our team will get back to you shortly with either a final decision or follow-up questions. In the meantime, please feel free to get in touch at trustabletech@thingscon.com

Email address *
Name the company or organization responsible for the device to be certified. *
Your answer
Which country is the company based in? *
Do you have the authority to legally bind the company or organization? *
Please state your full name *
Your answer
Street Address Line 1
Your answer
Street Address Line 2
Your answer
City
Your answer
State/Province/Region
Your answer
Zip Code/Postal Code
Your answer
Trustable Tech contact email address *
This address will be kept private and only used for official communications from ThingsCon/Trustable Tech about your certification.
Your answer
Public contact email address
This address will be made publicly available in the certification directory.
Your answer
Device information
Device name *
Your answer
What is the core functionality of the device? *
Describe what the product is.
Your answer
Device website
Please include the protocol to your URL (e.g. http:// or https://).
Your answer
Primary device type *
Additional device types
Select any that apply.
Keywords
If you would like your device to be searchable by specific keywords, add them here. Separate keywords using commas.
Your answer
# PRIVACY & DATA PRACTICES
For data collected via the device you wish to certify, do you offer the same privacy and security protections for all users, regardless of citizenship or geographic location? *
Please elaborate.
Your answer
Do you employ Privacy-by-Design practices in the design, manufacturing, and deployment of your device? *
For reference, Privacy-by-Design guidelines are laid out, among other sources in "The 7 Foundational Principles" by Ann Cavoukian, Ph.D (https://iab.org/wp-content/IAB-uploads/2011/03/fred_carter.pdf), as well as in the UK's Data Protection Authority Data protection by design and default checklist (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-by-design-and-default/)
Please elaborate.
Please elaborate on the steps and measures you take, guidelines or frameworks you use, etc.
Your answer
Do you have a published privacy policy that specifically applies to this device?
Please elaborate.
If so, please provide a link to where users can read it.
Your answer
Do you have a published policy concerning acceptable uses of data collected from the device? *
Please elaborate.
If so, please provide a link to where users can read it.
Your answer
Can users perform a factory reset on the device? *
Please elaborate.
If so, please provide a description or link to how one would perform a factory reset.
Your answer
Do you agree not to assert or authorize the assertion of any legal action against any user of a certified device for examining, studying, auditing, analyzing, or researching whether the use of personal data gathered by the device is fair, accountable, or transparent? *
Please elaborate.
Your answer
Are users able to delete the data about them collected by the device? *
Please elaborate.
Please provide a description or link to how one would perform such a deletion. Please also include information on whether or not you verify deletion and over what time frame.
Your answer
Are users able to export the data about them collected by the device? *
Please elaborate.
Your answer
Are there safeguards in place to prevent your company from seeing individual user data? *
Please elaborate.
Your answer
Do you maintain a list of every entity that you knowingly give access to user data? *
Please elaborate.
Your answer
Can you revoke such access from any such entity?
Please elaborate.
Your answer
# TRANSPARENCY
Do users own the device if they purchase it? *
Please elaborate.
If they do not, please provide a description or link to information that explains when a user does or does not own the device. For example, if there is a rental or subscription model, and what if anything users will own under those models. You may also want to define or distinguish the device from any network services or backend infrastructure provided.
Your answer
Do you provide a transparency report concerning requests for user data, records, or content?
For reference, see https://en.wikipedia.org/wiki/Transparency_report . Please note specifically if you use warrant canaries.
Please elaborate.
If so, please provide a link to where users can read it.
Your answer
Have you assessed your device to see if it is compliance with the General Data Protection Regulation (GDPR)?
Please elaborate.
If not applicable, please explain the results of your assessment.
Your answer
Is there an easy way for your users to access and see the data you collect from them? *
Please elaborate.
If so, please provide a description or link to documentation on how to do this.
Your answer
Is there an easy way for your users to access and see the data you infer about them?
Please elaborate.
If so, please provide a description or link to documentation on how to do this.
Your answer
Is there an easy way for users to understand in which ways you collect, process, and share data (user data, personal data, inferred data)? *
Please elaborate.
If so, please provide a description or link to documentation on how to do this.
Your answer
Do you provide a publicly available change log of the device's software and firmware updates? *
Please elaborate.
Please include a link to the change log.
Your answer
Do you provide an easy way to contact support staff? *
Please elaborate.
Your answer
Do you disclose where user data is stored and processed?
Please elaborate.
For example, is it on-device or in the cloud, or both?
Your answer
Do you agree not to assert or authorize the assertion of any legal action against any user of a certified device for examining, studying, auditing, analyzing, or researching data protection, privacy, or security issues related to the device? *
Please elaborate.
Your answer
# SECURITY
Do you employ Security-by-Design practices? *
For reference, OWASP offer Security-by-Design principles (https://www.owasp.org/index.php/Security_by_Design_Principles)
Please elaborate.
Please elaborate on the steps and measures you take, guidelines or frameworks you follow, etc.
Your answer
If there any other features or functionalities in addition to the core functionality, can you explain why those are included?
Please elaborate.
Please explain why the choice was made to include this feature or functionality and the most important trade-offs you considered.
Your answer
Do you clearly communicate for how long you commit to providing security updates?
Please elaborate.
Your answer
Do you have a strategy to deliver security updates? *
Please elaborate.
Your answer
Do you disclose data or security breaches? *
Please elaborate.
Please outline your mechanisms and practices for disclosure.
Your answer
Is there a bug bounty program for your device?
Please elaborate.
Your answer
Do you employ cryptographic security for your device? *
Please specify. (For example, do you use TLS, full-disk encryption, etc.)
Please elaborate.
Your answer
Do you escrow keys?
Please elaborate.
Your answer
Do you employ best practices for the device passwords? *
Please elaborate.
For example, devices should not be shipped with default or identical passwords. Please elaborate on your password practices.
Your answer
In case the device changes owners (re-sell, re-use, etc.), is there an easy way for a secure full wipe of user data? *
Please elaborate.
Please include other relevant information for device ownership changes.
Your answer
# STABILITY
Do you guarantee ongoing software and security updates? *
Please elaborate.
For how long do you guarantee those updates?
Do you guarantee providing all services required for the device to function? *
Please elaborate.
For how long do you guarantee those updates?
Does the device work fully in the case that your servers are switched off (for example due to technical issues, change of ownership, etc.)
Please elaborate.
Please explain how the device availability might be impacted if the servers and/or service backend are compromised.
Your answer
Does the core functionality of the device still work in the case that your servers are switched off (for example due to technical issues, change of ownership, etc.) *
Please elaborate.
Please explain how the device availability might be impacted if the servers and/or service backend are compromised.
Your answer
Does your device work without an active internet connection?
Please elaborate.
Your answer
Do you meaningfully ask for consent if you plan any firmware updates that would significantly change the nature of the device and allow users to opt out without risking their device working as advertised?
Please elaborate.
Your answer
Do you agree not to assert or authorize the assertion of any legal action against any owner of a certified device (or their agent) for reselling or repairing the device? *
Please elaborate.
Your answer
Are users allowed to open the device for repairs? *
Please elaborate.
Your answer
Do you provide spare parts for repairing the device?
Please elaborate.
If applicable, please also include for how long you provide any unique, non-serviceable spare parts.
Your answer
Do you provide documentation for repairs on the device?
Please elaborate.
Your answer
# OPENNESS
In our view, openness is not a required condition, but openness is an indicator for trustworthiness. Concretely, when evaluating incoming applications we look for openness, and if the device is largely open we look at the rest of the application with a stronger assumption of trustworthiness.
Have you certified your device with OSHWA?
An OSHWA certification is not a requirement. But should you have certified your device with OSHWA, please share the OSHWA UID for that project and (future versions of) this form will automatically check YES for all questions in the Openness section.
Your answer
Please elaborate.
Please provide a description or link to how one would perform such an export, including elaboration on the range of import/export protocols and support of standard data formats such as CSV, JSON, XML (or others if applicable).
Your answer
Do you publish the device source code under an open source license?
Please elaborate
If so, please link to your license.
Your answer
Do you publish the backend source code under an open source license?
Please elaborate.
If so, please link to your license.
Your answer
Do you publish your hardware designs under an open license?
Please elaborate.
If so, please link to your license.
Your answer
Are there other open source aspects to your device?
Please elaborate.
Please elaborate and/or provide links on these aspects and how they relate to your device, both on the input and output side.
Your answer
Can third-party developers build on top of your device through open licensing, open source, or an API?
Please elaborate.
Please elaborate and/or provide links on these aspects and how they relate to your device, both on the input and output side.
Your answer
Do you have an source, tool chain, and signing keys escrow for all code required by the device?
For example in case the company stops actively maintaining the code or supporting the device.
Please elaborate.
Your answer
A copy of your responses will be emailed to the address you provided.
Submit
Never submit passwords through Google Forms.
reCAPTCHA
This content is neither created nor endorsed by Google. Report Abuse - Terms of Service