Security and privacy statement

      Security and privacy


      Security is embedded in all aspects of our innovation, in products, systems, and services—from secure system development, to device, network and cloud security, system monitoring, and secure device updates.


      Our security processes are built on a strong foundation of industry standards, governance, and procedures. When selecting Signify as a partner, you can trust that we have dedicated abundant attention to security across the ecosystem of our offerings, and that Signify will support you throughout the entire lifecycle of a connected lighting system.



      At Signify, the Corporate Security Office manages security governance, provides overarching guidance and assurance.


      The Product Security Leadership Team, which includes members from the Corporate Product Security organization, business division, and Innovation team coordinates our security efforts. A network of security architects and security champions embedded in the development teams supports security activities related to product development.


      Signify policies and processes are aligned with global standards such as ISO/IEC 27001—Information Security Management Systems (ISMS), the ISA/IEC 62443 standards suite and ETSI EN 303 645 for product development.

      Through our Standards and Regulation department, we collaborate with many worldwide standardization organizations, such as IEC, ANSI, and CENELEC, and with industry alliances such as the IoT Security Foundation. Signify business processes are internally and externally audited on a regular basis.


      All Signify employees are required to attend regular cybersecurity and privacy awareness trainings. System architects and development engineers must also receive specific additional training and internal security certifications.


      Signify security experts hold various industry certifications such as Certified Information Systems Security Professional (CISSP), Certified Secure Software Lifecycle Professional (CSSLP), Certified Information Security Manager (CISM), and Certified Information Systems Auditor (CISA).

      Security by design


      The Signify SDL is certified on IEC62443-4-1.


      All of our internal and external development activities follow the Signify Security Development Lifecycle (SDL), which codifies industry accepted best practices. The major components of the SDL are security risk analysis and threat modeling, code analysis and review, and vulnerability management. We apply the SDL to all of our hardware products, systems, services, software, and cloud solutions.


      In accordance with the SDL, Signify takes the following actions during design, development, and testing:


      • A security risk analysis, based on Signify security requirements aligned with the ISA/IEC 62443 standards suite, is performed for every new project and for every significant change to an existing project.
      • Automated code analysis and manual code reviews are regularly performed during development. These analyses and reviews are based on, but not limited to, such frameworks as OWASP IoT Project and the OWASP Top Ten Project.
      • Third-party code, including open source code, is automatically analyzed to identify and mitigate vulnerabilities.
      • Hardening of the operating system is performed for embedded devices and cloud-based solutions.
      • Appropriate network security and firewall rules are implemented and reviewed regularly.
      • Encryption of data in transit and at rest is implemented according to generally accepted industry standards as described in the Federal Information Processing Standard Publication 140-2 (FIPS 140-2).
      • Penetration tests by internal and/or external parties are performed regularly.


      The Corporate Product Security and Innovation research team is responsible for evaluating the latest IoT security technologies, and supports the development teams in making the right choices when introducing new security algorithms, solutions, and technology partners.


      Signify regularly audits its partners and supply chain to maintain the appropriate level of security in the manufacturing process.

      Operations and maintenance


      Signify partners with leading global cloud service providers to deliver a resilient platform for our cloud-based systems. Deployment of those cloud-based services within data centers across various geographical areas, in accordance with data jurisdiction requirements, enables business continuity.


      Our cloud-based systems are managed by a specialized team to ensure proper segregation of duties for system administration purposes. Responsibilities of the team include producing operational specifications and performing maintenance, security updates, vulnerability management, backup, logging, monitoring, and management of events and incidents. The team also performs periodic review of network and application security.


      Signify has a strict protocol for deploying updates to cloud-based systems, which defines a formal test, development, and acceptance process prior to approving systems for production.

      Incident management


      Signify addresses product security as an integral part of our quality process. Assigned responsibilities and established procedures ensure an adequate response to suspected security events and incidents. Each suspected security event is assessed against a set of criteria to determine whether it qualifies as a security incident. When security incidents occur, immediate and appropriate mitigation measures are taken.


      Lessons-learned activities are conducted periodically, and additionally after major incidents, to improve security measures in general and the incident handling in particular.

      The customer’s role in product security


      Signify recognizes that the security of our products and services is an important part of our customers’ in-depth security strategy. In practice, however, security is a shared responsibility between manufacturers, providers of products and services and their customers.


      Appropriate evaluation of risks and proper care in installation, maintenance, and operations are essential to mitigate internal and external threats.

      Signify security: selected best practices


      Selected best practices for ensuring the security of IoT connected lighting products, systems, and service include (but are not limited to) the following:

      Governance, education and training

      • Dedicated Product Security Office oversight (Corporate and business level)
      • Alignment to standards such as ISO 2700x and IEC 62443 and IoT Security Framework
      • Segregation of duties
      • Least privileged access
      • Participation in standardization bodies such as IEC, ANSI, and CENELEC
      • Security certification and training for all employees
      • Specific training and certification for security architects and development engineers
      • Security champions embedded throughout the organization
      • Industry-standard certifications, including CISSP, CISM, CISA, and CSSLP for employees in key roles


      Design and development

      • Industry accepted practices for security development lifecycle processes for all product and services development
      • Threat modeling and security risk assessment
      • Automated and manual code analysis and review
      • Third-party open source code automated vulnerability assessment


      Device and physical security

      • Mechanisms designed to ensure only trusted code is executed
      • Remove hardware debug interfaces
      • Restricted communications with debug interfaces
      • Authentication to protect firmware updates
      • Resistance to side channel attacks
      • Operating system hardening
      • OWASP and OWASP IoT frameworks applied


      Wireless and wired interfaces

      • Latest version of application layer protocols
      • Use best practice encryption for Wi-Fi
      • Unique device identity and certificates
      • Latest Bluetooth protocols
      • Zigbee protocol with enhanced security features


      Device authentication and authorization

      • Unique device identity and certificates
      • Multi-factor authentication available
      • Authentication using pre-shared keys and passwords
      • Change default password at installation (first login)
      • Role-based access control


      Encryption and key management

      • Cryptographically secure random number generation
      • Crypto functions designed for expected product lifetime
      • Secure data at rest and transit with industry accepted standards (e.g. FIPS 140-2)
      • Sensitive information in tamper-resistant location
      • Data in transit encrypted with latest technologies (e.g. TLS 1.2)
      • Data at rest encrypted with industry accepted standards when needed (e.g. AES 256)


      Mobile applications

      • Android and Apple iOS security guidelines and standards
      • Restricted access to databases and files
      • Data in transit encrypted with latest technologies (e.g. TLS 1.2)
      • Use secure certificates for communications with remote servers
      • Data validation for all inputs


      Cloud services

      • Cloud security best practices as recommended by cloud service providers
      • CIS benchmarks and other hardening frameworks
      • Alignment with Cloud Security Alliance best practices
      • Cloud and container security


      Business continuity and resilience

      • Deployment in various geographically distinct data centers
      • Distinct Test/acceptance/production environments
      • Rigorous approval process for updating production systems


      Supply chain and manufacturing

      • Rigorous process for distribution of keys and secrets
      • Controlled distribution of firmware and updates
      • Dedicated supplier security team


      Innovation and research

      • Dedicated team to research new IoT security technologies
      • Support to development team in deploying new security algorithms and technologies
      • Rigorous approval process for updating production systems


      Device ownership

      • Complete removal of all personal data upon ownership transfer or service termination
      • Secure device de-registration
      • Privacy coordinated by Chief Privacy Officer
      • Privacy impact assessment performed for each system
      • Alignment with EU GDPR and applicable privacy regulations


      This information is provided for informational purposes only. It represents the current Signify product development practices as of the date of publication. These are subject to change without notice.

      Customers are responsible for making their own independent assessment of Signify products or services and the use thereof. This information is provided “as is” without warranty of any kind, whether express or implied. This information does not create any warranties, representations, contractual commitments, conditions, or assurances from Signify, its affiliates, suppliers, or licensors. The responsibilities and liabilities of Signify and its customers are defined in the agreements between Signify and its customers. This information is not part of, nor does it modify, any agreement between Signify and its customers.