Trust and transparency

Honeywell Trust Center

Committed to integrity

Building the future starts with trust. Protecting your data and responsibly innovating with AI are core values at Honeywell. Learn more about our approach to privacy, security, AI governance and compliance.

Security

Security is embedded throughout our operations — built around confidentiality, integrity and availability by design.

  • Product Security Leaders work closely with developers

  • Software lifecycle contains automated security reviews

  • Security Operations Center monitors systems and follows incident-response policies

  • Vulnerability management uses automated tools to help identify and address risks

Sparta Systems (TrackWise)

Our status site provides ongoing visibility into service availability and performance.

  • View current operational status across all systems.

  • Access scheduled maintenance windows and updates.

  • Review incident history and resolution timelines. 

  • Monitor system health metrics for transparency.

Salesforce System Status

Salesforce provides transparency around service availability and performance for platform products.

  • Track current incidents and scheduled maintenance windows.

  • Access security advisories and informational messages.

  • Monitor status by specific product, instance or service.

TrackWise Digital Technology Platform

The TrackWise Digital architecture leverages rigorous processes designed to help improve uptime.

  • Built on Salesforce.com platform as a service

  • API library streamlines integration

  • Salesforce's strict compliance and security in the entire stack 

| Organization | Scope | Certification |
| --- | --- | --- |
| Honeywell International Inc. | Managed Security Services (Houston, TX) | ISO/IEC 20000-1:2018 |
| Honeywell International Inc. | Managed Security Services (Houston, TX) | ISO/IEC 27001:2013 |
| Honeywell Connected Enterprise | Honeywell Forge Performance+ (Platform) | N/A |
| Honeywell Connected Enterprise | Honeywell Forge Performance+ (Platform) | CSA Star Level I |
| Sine Group Pty Ltd | Honeywell Forge Visitor and Contractor Management (formerly Sine) | N/A |
| Movilizer GmbH | Honeywell Connected Logistics | ISO/IEC 27001:2022 |
| Movilizer GmbH | Honeywell Connected Logistics | ISO 9001:2015 |
| Sparta Systems Inc. | Honeywell Life Sciences Applications Suite, TrackWise, TrackWise Digital | ISO 9001:2015 |
| Sparta Systems Inc. | Honeywell Life Sciences Applications Suite, TrackWise, TrackWise Digital | N/A |
| Honeywell Romania s.r.l. | Managed Security Services (Bucharest, Romania) | ISO/IEC 20000-1:2018 |
| Honeywell Romania s.r.l. | Managed Security Services (Bucharest, Romania) | ISO/IEC 27001:2013 |
| Honeywell International Inc. | Multiple Systems | ISO/IEC 27001:2022 |
| Honeywell UK Limited | Multiple Sites | Cyber Essentials Scheme |
| Honeywell UK Limited | Multiple Sites | Cyber Essentials Plus Scheme |
| Tridium, Inc. | Secure Software Development Lifecycle | IEC 62443-4-1 |
| Tridium, Inc. | Niagara Cloud Suite | ISO/IEC 27001:2013 |
| Honeywell Cyber Security | Secure Software Development Lifecycle | IEC 62443-4-1 |
| Honeywell Connected Enterprise | Secure Software Development Lifecycle | IEC 62443-4-1 |
| Honeywell Process Solutions | Secure Software Development Lifecycle | IEC 62443-4-1 |
| Building Automation | Secure Software Development Lifecycle | IEC 62443-4-1 |
| Honeywell Specialty Chemicals Seelze GmbH | Seelze, Germany | Trusted Information Security Assessment Exchange (TISAX) |
| Honeywell Security Americas, LLC (LenelS2) | Elements SaaS | N/A |
| Report request | Request a copy of our compliance reports | Request Form for HCE Compliance reports |
| Sparta compliance | Visit the Sparta System compliance page | Commitment to Compliance - Honeywell |

Frequently Asked Questions About Privacy and Security

Honeywell is committed to protecting the personal data that we process and complying with applicable data privacy laws in the countries in which we operate. Honeywell’s global privacy program includes a dedicated in-house data privacy team (the “Data Privacy Function”), led by our Chief Privacy Officer, which monitors developments in data privacy regulation globally, including the General Data Protection Regulation (“GDPR”). The Data Privacy Function is responsible for overseeing our data protection strategy and its implementation to ensure compliance with applicable data protection regulations worldwide (which includes formal policies, procedures and processes to facilitate data subject rights, privacy impact assessments, data transfers, data retention, appropriate technical and organizational measures, an incident response plan, and privacy training and awareness).

Honeywell’s annual compliance training includes a requirement for employees to complete an online course and pass an assessment covering information security and data privacy. Additional privacy training is provided for specific job functions. 

We work hard to promote a positive culture of data protection compliance across our business.

Honeywell generally conducts privacy impact assessments to identify and manage privacy risks associated with new products and services.

Where the customer is the controller, Honeywell will redirect the data subject access request to the customer in accordance with our customer agreement. Honeywell will not respond directly to the data subject unless authorized by the customer to do so and mutually agreed between the parties. Where Honeywell is the controller, Honeywell will deal with the data subject access request in accordance with its policies and procedures.

Honeywell uses leading cloud service providers to host our applications. The data centers for Honeywell Forge are primarily located in the United States, but regional deployment models may be available for some products. Please contact your sales representatives for more information regarding in-region cloud hosting availability.

Honeywell maintains a suite of security policies that address numerous areas, including physical and logical access, environmental, change management, backup and retention, remote access, firewall management, logging and monitoring, batch processing, segregation of duties, host hardening/vulnerability management and security operations/incident management. 

We regularly review and update our policies, conduct vulnerability scanning and perform penetration testing to test and monitor compliance with our security policies.

We use a range of tools and practices throughout our secure software development lifecycle where security is embedded into each phase to secure our products. Depending on the product risk profile, these may include threat modeling, security testing and vulnerability scanning. Our developers are trained to follow secure coding guidelines.

Source code reviews and security testing are conducted to identify potential system flaws, with the goal of mitigating risk, protecting data and maintaining intended systems functionality. Requirements of security testing may include confidentiality, integrity, authentication, availability, authorization and nonrepudiation. Actual requirements tested depend on the context of the security implemented by the system.

We use security design patterns based on Honeywell standards and industry best practices. Components included in our infrastructure, platform and applications are reviewed against these design patterns to identify problematic coding activities that could lead to vulnerabilities in our code.

Our policies require developers to use secure coding practices and conduct security testing, which are aligned with OWASP guidelines.

We use established cloud service providers who follow physical security controls to limit access to authorized personnel. Our data center providers are audited by independent third-party auditors who report their findings via SOC 2 Type 2 reports.

Honeywell has a defined procedure for provisioning user access. All users have individual logins. We use role-based access to ensure staff only have access appropriate to their roles. We control access to our corporate applications through a single sign-on platform.

Honeywell uses commercially standard cryptography and security protocols to protect the confidentiality and integrity of customer data.

Cryptographic keys are managed according to defined policies and procedures. Duties are segregated to ensure an appropriate level of security controls.

We use commercially reasonable efforts to promptly apply security patches (including open-source software) after potential vulnerabilities become known to us.

Logs associated with security events are aggregated and stored centrally and are monitored through Honeywell’s security operations center (SOC).

Incident response procedures exist for security and data protection incidents, which include incident analysis, containment, response, remediation, reporting and the return to normal operations. We have an incident response capability which includes a Computer Incident Response Team (CIRT) with a formal process to respond to cyberattacks. Intrusions are logged, monitored and investigated. Incident response plans are maintained, updated and tested on an annual basis.

Yes, we adhere to our incident response procedures to support timely reporting of security breaches consistent with applicable regulatory and contractual requirements.

Yes, we follow security practices aligned with industry standards to enable logging and monitoring of security events through our security operations center (SOC) that helps detect data privacy-related incidents.

Yes, our development and operations teams follow a defined change management process while making configuration changes on applications and their underlying infrastructure platform to ensure all changes are approved and that there is minimal business impact. Changes are logged, assessed and authorized prior to implementation and reviewed against planned outcomes following implementation.

Vulnerability scans are conducted periodically with static code scans on every checked-in code change. Open source and container scans are performed on every build. Infrastructure resources are continuously scanned for vulnerabilities.

Honeywell follows a global resilience framework that includes conducting business impact analysis and maintaining business continuity plans. Honeywell periodically tests its business continuity and disaster recovery plans as per Honeywell’s Global Resilience framework.

Honeywell validates and approves usage of open source as part of the security requirements' definition and scans the source code using security tools to help identify and remediate known vulnerabilities.

Honeywell performs background checks as part of the recruitment process for employees and contractors, where allowed by local law and as reasonable for job roles.

Prior to engaging a third-party supplier, Honeywell reviews any proposed engagements and requires suppliers to provide evidence of their security practices. We require suppliers to comply with minimum security requirements, and these standards are incorporated into the supplier’s contract.