Trustable Technology Mark application form (draft)
The Trustable Technology Mark is an initiative by ThingsCon e.V. to create a trustmark for the Internet of Things (IoT). Learn more at http://trustabletech.org or https://thingscon.com/iot-trustmark. Development of the Trustable Tech mark is supported by Mozilla Foundation through a fellowship.

Please note: This form is a work in progress, the Trustable Technology Mark application process has not yet launched.

Most questions follow the format YES/NOT APPLICABLE/NO:
- If the answer is YES please explain what that means concretely for your context.
- If the answer is NOT APPLICABLE, please explain why.

REQUIRED questions are marked with a red asterisk. For these questions, an affirmative answer plus explainer is required unless sufficient reasons are given why in the context of this device this would counter trustworthiness. The other questions are voluntary, but we strongly urge you to fill out all questions. The extra answers serve to provide more transparency for your users and help our reviewers make a better informed decision. Also, extra points beyond the minimum requirement might in the future be used for extra levels of trustmark achievements.

Please keep it concise. Providing links is OK if they are meaningful. As a guideline, make this as clear and easy to understand as possible.

We are aware that IoT is a big field with many edge cases and that not every question might apply meaningfully to your device, and we take that into account. If a question doesn't apply for your context, please mark it as NOT APPLICABLE and explain why.

Please note: In the final version of the trustmark certification process, the results will be published in full online. This does NOT apply for the prototyping and test phase: If you are filling this out now the results will not be published.

Our team will get back to you shortly with either a final decision or follow-up questions. In the meantime, please feel free to get in touch at trustabletech@thingscon.com
Sign in to Google to save your progress. Learn more
Email *
Your information
Name the company or organization responsible for the device to be certified. *
Do you have the authority to legally bind the company or organization? *
Please state your full name *
Which country is the company based in? *
Street Address Line 1
Street Address Line 2
City
State/Province/Region
Zip Code/Postal Code
Trustable Tech contact email address *
This address will be kept private and only used for official communications from ThingsCon/Trustable Tech about your certification.
Public contact email address
This address will be made publicly available in the certification directory.
Device information
Device name *
What is the core functionality of the device? *
Describe what the product is.
Device website
Please include the protocol to your URL (e.g. http:// or https://).
Primary device type *
Additional device types
Select any that apply.
Keywords
If you would like your device to be searchable by specific keywords, add them here. Separate keywords using commas.
# PRIVACY & DATA PRACTICES
For data collected via the device you wish to certify, do you offer the same privacy and security protections for all users, regardless of citizenship or geographic location? *
Please elaborate.
Do you employ state of the art practices Privacy-by-Design in the design, manufacturing, and deployment of your device? *
For reference, Privacy-by-Design guidelines are laid out, among other sources in "The 7 Foundational Principles" by Ann Cavoukian, Ph.D (https://iab.org/wp-content/IAB-uploads/2011/03/fred_carter.pdf), as well as in the UK's Data Protection Authority Data protection by design and default checklist (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-by-design-and-default/)
Please elaborate.
Please elaborate on the steps and measures you take, guidelines or frameworks you use, etc.
Do you have a published privacy policy that specifically applies to this device?
Clear selection
Please elaborate.
If so, please provide a link to where users can read it.
Do you have a published policy concerning acceptable uses of data collected from the device? *
Please elaborate.
If so, please provide a link to where users can read it.
Can users perform a factory reset on the device? *
Please elaborate.
If so, please provide a description or link to how one would perform a factory reset.
Do you agree not to assert or authorize the assertion of any legal action against any user of a certified device for examining, studying, auditing, analyzing, or researching whether the use of personal data gathered by the device is fair, accountable, or transparent? *
Please elaborate.
Are users able to delete the data about them collected by the device? *
Please elaborate.
Please provide a description or link to how one would perform such a deletion. Please also include information on whether or not you verify deletion and over what time frame.
Are users able to export the data about them collected by the device? *
Please elaborate.
Are there safeguards in place to prevent your company from seeing individual user data? *
Please elaborate.
Do you maintain a list of every entity that you knowingly give access to user data? *
Please elaborate.
Can you revoke such access from any such entity?
Clear selection
Please elaborate.
# TRANSPARENCY
Do users own the device if they purchase it? *
Please elaborate.
If they do not, please provide a description or link to information that explains when a user does or does not own the device. For example, if there is a rental or subscription model, and what if anything users will own under those models. You may also want to define or distinguish the device from any network services or backend infrastructure provided.
Do you provide a transparency report concerning requests for user data, records, or content? *
For reference, see https://en.wikipedia.org/wiki/Transparency_report . Please note specifically if you use warrant canaries.
Please elaborate.
If so, please provide a link to where users can read it.
Have you assessed your device to see if it is compliance with the General Data Protection Regulation (GDPR)?
Clear selection
Please elaborate.
If not applicable, please explain the results of your assessment.
Is there an easy way for your users to access and see the data you collect from them? *
Please elaborate.
If so, please provide a description or link to documentation on how to do this.
Is there an easy way for your users to access and see the data you infer about them?
Clear selection
Please elaborate.
If so, please provide a description or link to documentation on how to do this.
Is there an easy way for users to understand in which ways you collect, process, and share data (user data, personal data, inferred data)? *
Please elaborate.
If so, please provide a description or link to documentation on how to do this.
Do you provide a publicly available change log of the device's software and firmware updates? *
Please elaborate.
Please include a link to the change log.
Do you provide an easy way to contact support staff? *
Please elaborate.
Do you disclose where user data is stored and processed?
Clear selection
Please elaborate.
For example, is it on-device or in the cloud, or both?
Do you agree not to assert or authorize the assertion of any legal action against any user of a certified device for examining, studying, auditing, analyzing, or researching data protection, privacy, or security issues related to the device? *
Please elaborate.
# SECURITY
Do you employ state of the art Security-by-Design practices? *
For reference, OWASP offer Security-by-Design principles (https://www.owasp.org/index.php/Security_by_Design_Principles)
Please elaborate.
Please elaborate on the steps and measures you take, guidelines or frameworks you follow, etc.
If there any other features or functionalities in addition to the core functionality, can you explain why those are included?
Clear selection
Please elaborate.
Please explain why the choice was made to include this feature or functionality and the most important trade-offs you considered.
Do you clearly communicate for how long you commit to providing security updates?
Clear selection
Please elaborate.
Do you have a strategy to deliver security updates? *
Please elaborate.
Do you disclose data or security breaches? *
Please elaborate.
Please outline your mechanisms and practices for disclosure.
Is there a bug bounty program for your device?
Clear selection
Please elaborate.
Do you employ cryptographic security for your device? *
Please specify. (For example, do you use TLS, full-disk encryption, etc.)
Please elaborate.
Do you escrow keys?
Clear selection
Please elaborate.
Do you employ best practices for the device passwords? *
Please elaborate.
For example, devices should not be shipped with default or identical passwords. Please elaborate on your password practices.
In case the device changes owners (re-sell, re-use, etc.), is there an easy way for a secure full wipe of user data? *
Please elaborate.
Please include other relevant information for device ownership changes.
# STABILITY
Do you guarantee ongoing software and security updates? *
Please elaborate.
For how long do you guarantee those updates?
Do you guarantee providing all services required for the device to function? *
Please elaborate.
For how long do you guarantee those updates?
Does the device work fully in the case that your servers are switched off (for example due to technical issues, change of ownership, etc.)
Clear selection
Please elaborate.
Please explain how the device availability might be impacted if the servers and/or service backend are compromised.
Does the core functionality of the device still work in the case that your servers are switched off (for example due to technical issues, change of ownership, etc.) *
Please elaborate.
Please explain how the device availability might be impacted if the servers and/or service backend are compromised.
Does your device work without an active internet connection?
Clear selection
Please elaborate.
Do you meaningfully ask for consent if you plan any firmware updates that would significantly change the nature of the device and allow users to opt out without risking their device working as advertised?
Clear selection
Please elaborate.
Do you agree not to assert or authorize the assertion of any legal action against any owner of a certified device (or their agent) for reselling or repairing the device? *
Please elaborate.
Are users allowed to open the device for repairs? *
Please elaborate.
Do you provide spare parts for repairing the device?
Clear selection
Please elaborate.
If applicable, please also include for how long you provide any unique, non-serviceable spare parts.
Do you provide documentation for repairs on the device?
Clear selection
Please elaborate.
# OPENNESS
In our view, openness is not a required condition, but openness is an indicator for trustworthiness. Concretely, when evaluating incoming applications we look for openness, and if the device is largely open we look at the rest of the application with a stronger assumption of trustworthiness.
Have you certified your device with OSHWA?
An OSHWA certification is not a requirement. But should you have certified your device with OSHWA, please share the OSHWA UID for that project and (future versions of) this form will automatically check YES for all questions in the Openness section.
Please elaborate.
Please provide a description or link to how one would perform such an export, including elaboration on the range of import/export protocols and support of standard data formats such as CSV, JSON, XML (or others if applicable).
Do you publish the device source code under an open source license?
Clear selection
Please elaborate
If so, please link to your license.
Do you publish the backend source code under an open source license?
Clear selection
Please elaborate.
If so, please link to your license.
Do you publish your hardware designs under an open license?
Clear selection
Please elaborate.
If so, please link to your license.
Are there other open source aspects to your device?
Clear selection
Please elaborate.
Please elaborate and/or provide links on these aspects and how they relate to your device, both on the input and output side.
Can third-party developers build on top of your device through open licensing, open source, or an API?
Clear selection
Please elaborate.
Please elaborate and/or provide links on these aspects and how they relate to your device, both on the input and output side.
Do you have an source, tool chain, and signing keys escrow for all code required by the device?
For example in case the company stops actively maintaining the code or supporting the device.
Clear selection
Please elaborate.
A copy of your responses will be emailed to the address you provided.
Submit
Clear form
Never submit passwords through Google Forms.
reCAPTCHA
PrivacyTerms
This form was created inside of Thewavingcat.com. Report Abuse
Google Forms