METTLER TOLEDO takes data protection seriously. We are committed to being transparent about how we collect and use personal data and to meeting our obligations.

This Information Notice describes the type of information that METTLER TOLEDO collects, processes and protects in connection with the METTLER TOLEDO Software Portal (the “Portal").

The general Mettler Toledo International Inc. Privacy Policy describes how METTLER TOLEDO collects, processes and protects your personal information in connection with your business dealings with METTLER TOLEDO. It supplements the information herein and is available at www.mt.com/privacy.

1. What is the METTLER TOLEDO Software Portal?

The METTLER TOLEDO Software Portal is a license management portal for certain METTLER TOLEDO software products, including but not limited to LabX, ProdX, EasyDirect and other software products (the “Software").

The Portal allows you to manage license keys of the Software that you, or your company, licensed from METTLER TOLEDO during the lifecycle of the Software. The Portal provides an overview of obtained Software licenses and enables you to activate them.

In order to ensure that only entitled customers can activate license keys, customers must create a customer profile that allows for the customer's appropriate identification. Customers can maintain the licenses to the Software they have licensed in their customer profile. You can also expand the Software products managed in a customer profile by adding licenses, as well as making upgrades during the lifecycle of the licensed Software. In addition, in case of an emergency (e.g. hardware damage and a required transfer of a software installation), the functionalities of the Portal support an entitlement check, thus preventing any misuse of licenses.

The Portal also allows you to gain access to the Product Knowledge Base through your customer profile. The Product Knowledge Base may provide information on the Software products. You will find release notes, frequently asked questions and details on open issues from our R&D, technical support and user community.

Your customer profile additionally allows you access to information enabling communication for support reasons.

2. What information do we collect about you and for what purposes is it used?

In the framework of the Portal, we collect and use the following personal information about you for your customer profile:

  • username
  • email address
  • first name
  • last name

Please ensure that all information you provide is correct and complete, and that you have the right to provide it.

We will only use the information to (i) create and manage your customer profile, (ii) identify your/your company's license entitlement to Software products, (iii) manage your/your company's licenses as described under section 1 above and (iv) communicate with you as a customer about your licensed Software products for the mentioned technical support reasons.

3. Who controls your data and who has access to it?

The controller of all information in the Portal is Mettler-Toledo GmbH, with its address at Im Langacher 44, 8606 Greifensee, Switzerland. METTLER TOLEDO may share personal data with other affiliates within the METTLER TOLEDO Group, if and to the extent necessary for the purposes mentioned above.

Your data will be accessed by such METTLER TOLEDO personnel as necessary or appropriate for the usage of the Portal, such as personnel involved in supporting the functionality of the Portal, personnel supporting you with the activation of the Software and product managers responsible for software licensing.

Your data will also be shared with Trivadis AG, Sägereistrasse 29, CH-8152 Glattbrugg, which renders consulting services relating to the development and support of the Portal.

4. How long do we keep your information?

We will retain your information for operational use for the duration of the license term of the Software products activated in the Portal and afterwards delete it, taking into consideration the applicable retention periods.

5. Security

We have implemented technical and operational security measures designed to protect personal data from loss, misuse, alteration, or destruction, as described in the Mettler Toledo International Inc. Privacy Policy. Only authorized persons who have a need to know and who are bound by confidentiality obligations have access to the information.

In the following, you find information about specific security measures relating to the Portal:

  • The systems are installed on an official Windows platform.
  • All systems are protected by a firewall.
  • Data transfer is encrypted via SSL (web services via HTTPS).
  • The systems are regularly updated with patches.
  • The systems are regularly scanned for potential problems.

In the METTLER TOLEDO Security Statement, attached as Exhibit 1, you find further information on security practices in place for METTLER TOLEDO's corporate infrastructure and implementation processes that are also applied to the Portal.

6. Access, review, and correction or deletion of information

To the extent provided by applicable data protection regulations, you may have the right to access, rectify, erase, restrict or object to the processing of, or obtain portability of, certain information in certain circumstances, or to coordinate with a local data protection supervisory authority.

In that case or if you have questions on the use of your data, please contact www.mt.com/contact.

Exhibit 1

METTLER TOLEDO Security Statement

1. Purpose and Scope

This document describes the security practices that are in place for METTLER TOLEDO related to its corporate infrastructure and implementation processes. The statement does not address the specific controls around development and administration of the products that are developed and sold by METTLER TOLEDO.

2. State of the Art Practices

METTLER TOLEDO Corporate IT security measures are based on current state-of-the-art IT security best practices as defined within the NIST Cyber Security Framework (CSF) and the International Organization for Standardization ISO 27000 series. METTLER TOLEDO continues to improve its security practices beyond what is documented herein and has no obligation to notify customers/vendors of those changes. The information in the Security Statement is of a general nature, irrespective of the specific METTLER TOLEDO system or service at stake. METTLER TOLEDO may provide further information relating to specific METTLER TOLEDO products or services in further product- or service-specific documentation. In case of conflict between the information in this Statement and any product- or service-specific documentation, the information in the product- or service-specific documentation will prevail.

3. Patch and Vulnerability Management

METTLER TOLEDO subscribes to patch notification services to receive notifications about regular as well as zero-day updates. The entire system and its components, i.e. including extensions and improvements, are assessed to identify vulnerabilities that can be eliminated. Whenever METTLER TOLEDO becomes aware of vulnerabilities (according to the CVE ratings), these are remediated in a timely manner.

In addition to operating systems, updates cover applications. Software obtained from third parties is also included in the patch and update process.

4. Secure Basic Configuration

We have policies and procedures in place aimed at ensuring that:

  • The scope of functions and thus the number of existing programs, software modules, services and network protocols of components are reduced to the minimum requirements for system operation.
  • In principle, services not explicitly required are deactivated by default.
  • In case a system is accessible to a larger group of users or has very critical functions, a granular role and authorization concept is enabled.
  • Standard combinations of user names and passwords are changed during the initial configuration. Where the built-in administrative account cannot be modified, it is disabled.
  • By policy, each component and user has only the rights necessary to perform the intended actions. For example, applications and network services are not operated with administrator privileges, but only with the minimum necessary system rights (least privilege principle).

5. Encryption

We have policies and procedures in place aimed at ensuring that:

  • Sensitive data (e.g., passwords or special categories of personal data) are stored or transmitted in encrypted form in the system.
  • Only well-known and secure cryptographic algorithms are used.
  • Relevant cryptographic parameters are stored securely. Access to components is protected by secure authentication procedures, session timeouts, secured protocols, etc.

6. Authentication & Authorization

Many, if not most, applications support personalized identification and authentication. If this is the case, access to data and variables is allowed only after successful authentication and authorization checks are completed.

We have policies and procedures in place aimed at ensuring that:

  • Password strength and validity are managed.
  • Multi-factor authentication is used for remote access to the corporate network.
  • No hard-coded combinations of usernames and passwords are used.
  • Accounts not required for the operation are removed or at least deactivated.
  • A least-privilege, role-based access strategy is used for provisioning.
  • Segregation-of-duty risks are managed appropriately.
  • Accounts are enabled/disabled in a timely manner.

7. Verification of Information Security and Security Tests

Independent evaluation of compliance of the METTLER TOLEDO security controls has not been performed. However, METTLER TOLEDO performs periodic penetration tests and external vulnerability scans to identify the potential risk related to attacks or other security issues. If vulnerabilities are identified within the scope of these checks, section 3 (Patch and Vulnerability Management) applies.

8. Commitment to Absence of Malware and Spyware (Trustworthiness)

METTLER TOLEDO uses commercially reasonable efforts to ensure that its systems and applications do not contain malware, spyware, hidden code, undocumented backdoors or other hidden functions (e.g. unauthorized forwarding of data) that could result in a compromise of the information security of the METTLER TOLEDO environment.

METTLER TOLEDO utilizes an endpoint protection system that provides advanced, comprehensive defense and performs threat detection using machine learning.

METTLER TOLEDO maintains a next-generation firewall (NGFW) which provides multi-layered advanced security and better visibility to protect the network and data center against advanced threats.

METTLER TOLEDO applies additional threat protections to help mitigate the risk of (D)DoS ([Distributed] Denial of Service) or other cyber-attacks.

9. Quality Assurance Process for Software

METTLER TOLEDO adheres to a standardized set of processes for secure software development with corresponding guidelines for secure coding, quality assurance measures and controls (such as peer group reviews, manual or automated source code reviews, external audits, OWASP Top 10 verification, etc.).

10. Logging and Audit Trails

METTLER TOLEDO systems and applications are typically designed to log user interactions, security relevant actions, events and errors in a format to allow ex post and central analysis. This data is exported and integrated into SIEM solutions for security event correlation.

11. Physical Security

METTLER TOLEDO maintains and periodically tests a commercially customary disaster recovery plan that provides adequate system backup, technology replacement, and alternate (recovery) site capabilities.

METTLER TOLEDO maintains commercially customary physical security and access controls for its data center(s) and facilities.

12. Cyber Security Training

METTLER TOLEDO maintains a continuous security awareness and training program. Employees are provided anti-phishing and malware detection training on a regular basis. Additional phishing attempts are used to identify training gaps and areas that require remediation.

15. Data Retention

METTLER TOLEDO uses commercially reasonable efforts to ensure that all data is preserved in a manner that is appropriate for the type/source of the data, prevents inappropriate disclosure, is retained only for as long as reasonably required, and is responsibly disposed of or destroyed in a manner that prevents content recovery.

16. Data Privacy

METTLER-TOLEDO has processes in place in order to comply with applicable data protection regulations. All details on our handling of personal data of customers and partners are set out in our privacy policy under www.mt.com/privacypolicy.

Disclaimer

The information provided herein is for your information only. It does not extend our liability in any way.

This information was prepared by using reasonable efforts and reflects METTLER TOLEDO's findings at the date of its creation. Without prejudice to any rights or obligations under existing written agreements, METTLER TOLEDO makes no representations, warranties, or assurances of any kind, expressed or implied, including but not limited to the accuracy, currency, completeness or reliability of the information provided. METTLER TOLEDO shall in no event be liable for any damages, including direct, consequential, incidental and special damages, or any injury resulting from your access to or use of this information or from your reliance on any information provided.

The information contained herein is the property of and copyrighted by METTLER TOLEDO and may not be reproduced, disseminated, sold, distributed, published, circulated or commercially exploited without the express written permission of METTLER TOLEDO.

The scope of this document is limited to the scope of application of standard cyber security practices, i.e. to such group systems and applications falling under the ambit of NIST CSF and ISO 27001 as performed by Mettler-Toledo International Inc. METTLER TOLEDO has no obligation to adopt customer-specified information security controls in order for that customer to be compliant with regulations applicable to their business. This document does not contain any statement relating to any local systems and applications used by a METTLER TOLEDO group company and/or any METTLER TOLEDO product manufactured or distributed, or any statement, conclusion or indication relating to METTLER TOLEDO's compliance with any other or similar regulations, and neither Customer nor any other party may rely on this statement for any such purpose.

Version 3.0 (07-2021)