ThingsCon: IoT Trustmark evaluation checklist (draft stage, work in progress)
Note: This form now serves archival purposes only. The publicly available prototype form is available here:
https://docs.google.com/forms/d/e/1FAIpQLSf9PVgbu2QK17MmUGxT5fjeF05scUu2oTka_M3Vlk8U32WaIg/viewform
Included in prototype online form? | Question | Checkbox (Y / not applicable) | Please elaborate here and/or provide any useful links to further information that informs this response + additional guidelines where required | Notes

Explanation of the format this will take: Simply said, all criteria will consist of a checkbox (Yes/No/Not Applicable) plus a text field to elaborate. Our experts will assess all provided answers and, if need be, ask for clarifications. This checklist is informed, among others, by the Open IoTmark Principles (see iotmark.org, CC BY SA 4.0, retrieved https://www.dropbox.com/sh/kht2szdg8y7uj93/AAA8dDrDHGXZ7G9qHrmVClzJa?dl=0&preview=iotmark_poster_principles.pdf).

Privacy & Data Practices
Y | For data collected via the device you wish to certify, do you offer the same privacy and security protections for all users, regardless of citizenship or geographic location?
Y | Did you employ any Privacy-by-Design best practices in the design, manufacturing, and deployment of your device? | Please elaborate on the steps and measures you take.
Y | Do you have a published privacy policy that specifically applies to this device? | If so, please provide a link to where users can read it.
Y | Do you have a published policy concerning acceptable uses of data collected from the device? | If so, please provide a link to where users can read it.
Y | Can users perform a factory reset on the product? | If so, please provide a description or link to how one would perform a factory reset.
Y | Are users able to delete the data about them collected by the device? | If so, please provide a description or link to how one would perform such a deletion. Please also include information on whether or not you verify deletion and over what timeframe.
Y | Do you maintain a list of every entity that you knowingly give access to user data?
Y | Can you revoke such access from any such entity?

Openness
Y | Are users able to export the data about them collected by the device? | If so, please provide a description or link to how one would perform such an export, including elaboration on the range of import/export protocols and support of standard data formats such as CSV, JSON, XML (or others if applicable).
Y | Do you publish the product source code under an open source license? | If so, please link to your license and any associated documentation.
Y | Do you publish the backend source code under an open source license? | If so, please link to your license and any associated documentation.
Y | Do you publish your hardware designs under an open license? | If so, please link to your license and any associated documentation.
Y | Are there any other open source aspects to your product? | Please elaborate and/or provide links on these aspects and how they relate to your product, both on the input and output side.
Y | Can third-party developers build on top of your products through open licensing, open source, or an API? | Please elaborate and/or provide links on these aspects and how they relate to your product, both on the input and output side.
Y | Do you have a source, toolchain, and signing keys escrow for all code relevant to the product (in case the company stops actively maintaining the code or supporting the product)?

Transparency
Y | Do you provide a transparency report on request for user data, records, or content? | If so, please provide a link to where users can read it.
Y | Have you assessed the device to see if it is in compliance with the General Data Protection Regulation (GDPR)? | If not applicable, please explain the results of your assessment.
Y | Is there an easy way for your users to access and see the types of data you collect from them? | If so, please provide a description or link to documentation on how to do this.
Y | Is there an easy way for your users to access and see the data you infer about them? | If so, please provide a description or link to documentation on how to do this.
Y | Is there an easy way for users to understand in which ways you collect, process, and share data (user data, personal data, inferred data)? | If so, please provide a description or link to documentation on how to do this.
Y | Do you inform users ahead of time of upcoming firmware updates? | If so, please provide a description of how or where this information can be found.
Y | Can users easily decline to update their device?
Y | Do you provide a publicly available change log of the product's software and firmware updates? | Please include a link to the change log if not posted here.
Y | Do you provide an easy way to contact support staff?
Y | Do you disclose data or security breaches? | Please also elaborate your mechanisms and practices for disclosure.
Y | Do you disclose where user data is stored and processed? | For example, is it on-device or in the cloud, or both?
Y | Do you agree not to assert or authorize the assertion of any legal action against any user of a certified device for examining, studying, auditing, analyzing, or researching data protection, privacy, or security issues related to the device?
Y | Do you agree not to assert or authorize the assertion of any legal action against any user of a certified device for examining, studying, auditing, analyzing, or researching whether the use of personal data gathered by the device is fair, accountable, or transparent?
Y | Do you agree not to assert or authorize the assertion of any legal action against any owner of a certified device (or their agent) for reselling or repairing the device?
Y | Do users own the device if they purchase it? | If not, please provide a description or link to information that explains when a user does or does not own the device. For example, if there is a rental or subscription model, and what if anything users will own under those models. You may also want to define or distinguish the device from any network services or backend infrastructure provided.

Security
Y | Do you employ Security-by-Design best practices? | Please elaborate on the steps and measures you take.
Y | Can you define the core functionality of this product? | Please explain the core functionality of your product.
Y | If there are any other features or functionalities in addition to the core functionality, can you explain why those are included? | Please explain why the choice was made to include this feature or functionality.
Y | Can you share the road map to other additional features that could be enabled in the future? | Please explain why the choice was made to potentially enable this feature or functionality in the future.
Y | Do you clearly communicate for how long you commit to providing security updates?
Y | Is there a bug bounty program for your product?
Y | Can your product be remotely updated?
Y | Can users control if a product can be remotely updated or not? | Please explain your choices regarding remote updates and optional vs forced remote updates.
Y | Can your product be updated easily by the user?
Y | Do you employ cryptographic security for your product?
Y | In case the product changes owners (re-sell, re-use, etc.), is there an easy way for a secure full wipe of user data? | Please include other relevant information for device ownership changes.
Y | Do you employ good password practices for the product? | For example, devices should not be shipped with default or identical passwords. Please elaborate on your password practices.

Stability
Y | Do you guarantee software and security updates? | For how long do you guarantee those updates?
Y | Do you clearly communicate for how long you commit to provide all services needed for the product to work?
Y | Do you clearly communicate for how long you commit to provide customer service for the product?
Y | Does the product work fully in the case that your servers are switched off (for example due to technical issues, change of ownership, etc.)? | Please explain how the service/product availability might be impacted if the servers and/or service backend are compromised.
Y | Does the core functionality of the product still work in the case that your servers are switched off (for example due to technical issues, change of ownership, etc.)? | Please explain how the service/product availability might be impacted if the servers and/or service backend are compromised.
Y | Does your product work without an active internet connection?
Y | Do you meaningfully ask for consent if you plan any firmware updates that would significantly change the nature of the product/service and allow users to opt out without risking their device working as advertised?
Y | Are users allowed to open the product for repairs?
Y | Do you provide spare parts for repairing the product? | If applicable, please also include for how long you provide any unique, non-serviceable spare parts.
Y | Do you provide documentation for repairs on the product?

Meta
Are you applying for this certification on behalf of any other person or entity? | If so, for whom? Please include the name, title, and contact information of the person authorizing you to apply and also please note that any person or entity for whom you are applying shall be bound by your answers and statements as a condition of any Trustmark license granted.