— Security Trust Centre —
Utopia Digital Provides Resilient Security For Critical Infrastructure.
Utopia Digital handles sensitive engineering data across major infrastructure projects worldwide. We've built our security program to meet the exacting requirements of transportation, energy, and construction organisations through transparent practices, rigorous compliance, and architecture that keeps project data protected and under customer control.
Our Security Trust Centre provides security, SOC 2 Type 2 compliance, and privacy documentation for CDE Sync™, Issues Sync™, and Utopia Digital's enterprise services. We've organised everything procurement and security teams need for assessments.
CDE Sync uses zero-persistence architecture
to stream between platforms without storage
stored project files while maintaining complete
eliminating the risk of data breaches from
audit trails for compliance and traceability.
— Security Controls —
Utopia Digital’s Security and Compliance Controls for SOC 2 Type 2.
Utopia Digital’s products are built on Microsoft Azure with end-to-end TLS encryption, role-based access controls, multi-factor authentication, and credentials secured in Azure Key Vault. All activity is captured in tamper-proof audit logs, and production services are isolated behind private endpoints with public access disabled.
Organisational Security
Policies, people practices, and governance that underpin security culture across Utopia Digital.
HR Policies & Procedures
Utopia Digital maintains documented HR policies and procedures covering employee hiring, ongoing training, and termination processes.
Roles & Responsibilities
Roles and responsibilities are defined and documented in job descriptions by the HR team, establishing clear boundaries for allowable activities within each designated role.
Organisational Structure
Utopia Digital maintains documented organisational structures, reporting lines, authorities, and responsibilities that support the design, development, operation, and monitoring of CDE Sync.
Code of Conduct
A documented Code of Conduct forms part of the employee handbook. It is reviewed and approved by management on an annual basis.
Code of Conduct Acceptance
All personnel are required to read and formally accept the Code of Conduct and a confidentiality statement upon joining Utopia Digital.
Whistleblower Policy
A documented Whistleblower policy is available to all employees via SharePoint and reviewed and approved by management annually.
Candidate Evaluation
Candidate suitability is evaluated against documented job requirements as a standard component of the recruitment process.
Background Verification
Background verification checks — including identity, employment history, and educational verification — are performed by an independent third-party vendor prior to all new employee commencements.
Security Awareness Training
Security awareness training is conducted annually for all staff, covering information security responsibilities and policy. New employees complete training upon joining.
Performance Evaluations
Management conducts annual performance evaluations of all employees, including assessment of adherence to standards of conduct and expected competency levels.
Information Security Policy
A documented Information Security Policy is available to all employees on request. It is reviewed and approved by management on an annual basis.
Risk Management
Processes to identify, assess, and mitigate information security risks on an ongoing basis.
Risk Assessment & Management Policy
Utopia Digital maintains a formal risk assessment and management policy to identify, plan, resolve, monitor, and optimise information security risks. The policy is reviewed and approved by management annually.
Asset Ownership
Mechanisms are in place to assign and manage asset ownership responsibilities, establishing a common understanding of asset protection requirements across the organisation.
Annual Risk Assessment
A risk assessment is conducted annually based on documented risk criteria. Results are recorded in a risk register and communicated to appropriate stakeholders.
Vulnerability Scanning & Penetration Testing
Vulnerability scans and penetration testing are performed by an external vendor on a regular basis. Identified risks are documented in the risk register alongside mitigation steps.
Internal IT Audits
Internal IT audits are performed according to an annual audit calendar. Observations are documented and shared with management for review and remediation.
Access Control
Controls governing how users, systems, and services authenticate and access Utopia Digital infrastructure and applications.
Access Control Policy
A documented Access Control policy governs access management across all systems and applications. The policy is reviewed by management annually.
Password Management
Password parameters for applications and infrastructure are defined in the Access Control Policy and reviewed annually to ensure compliance with current security standards.
VPN for External Access
External access to Utopia Digital business applications is permitted only via an authenticated virtual private network (VPN) connection.
User Provisioning
User accounts are created only upon receipt of a formal access request with appropriate stakeholder approval. Provisioning is managed by the IT team.
Quarterly Access Reviews
Access reviews for both privileged and standard users are conducted quarterly to ensure access remains appropriate, role-based, and current.
Firewall Protection
System networks and hosts are protected by firewalls that manage permissible inbound and outbound traffic connections.
Offboarding Access Removal
Access for departing employees is disabled or removed from all systems and applications within two working days of their last working day.
Unauthorised Software Monitoring
Workstations, servers, and laptops are monitored for the presence or use of restricted or unauthorised software.
Endpoint Screen Lock
Endpoints with access to critical servers or data are configured to automatically screen lock after 15 minutes of inactivity.
Application Encryption (TLS)
User access to CDE Sync applications is secured via HTTPS using TLS encryption and industry-standard cryptographic algorithms.
Production Infrastructure Isolation
Production databases and servers are protected from public internet access. All backend services operate behind private endpoints with public access disabled.
Multi-Factor Authentication
Multi-factor authentication (MFA) is enforced for all users with access to the Microsoft Azure environment.
Azure Log Monitoring
Microsoft Azure activity logs are continuously monitored to detect unusual activity, anomalous access patterns, or unauthorised logon attempts.
Daily Azure Backups
Daily backups of servers hosted on Microsoft Azure are performed automatically using Azure-managed backup services.
Endpoint Encryption
Storage on Utopia Digital laptops and all removable media is encrypted using approved encryption software.
Physical Security
Documented procedures and controls govern physical security within Utopia Digital's premises. The policy is reviewed by management annually.
Antivirus Protection
Antivirus software is installed and maintained on all Utopia Digital laptops and servers to detect and mitigate malware and other endpoint threats.
Network Diagrams
Utopia Digital maintains documented network diagrams as part of the Access Control Policy. These are reviewed by management on an annual basis.
Incident Management
Controls for detecting, escalating, resolving, and learning from security incidents.
Incident Management Procedures
Incident management and service request procedures are documented and available to the IT team. They are reviewed by management annually.
Internal Incident Resolution
Internal incidents are raised, communicated, and resolved in accordance with the documented Incident Management policy.
Security Incident Reporting
Security incidents are reported, resolved, and monitored against defined SLAs in accordance with Utopia Digital's security incident reporting policy.
Incident Response Testing
The incident response plan is tested at least annually through tabletop exercises, simulations, or live drills to assess the team's readiness to respond effectively to security incidents.
Vendor Management
Third-party risk assessment, contractual obligations, and ongoing vendor oversight.
Vendor Management Policy
A documented Vendor Management policy guides personnel through the third-party risk assessment process. The policy is reviewed and approved by management annually.
Annual Vendor Risk Assessment
An annual vendor risk assessment is conducted based on the Vendor Management Policy. Findings are shared with management for review and remediation.
Vendor NDAs & Data Protection Agreements
Vendors sign a Non-Disclosure Agreement (NDA) prior to engagement, or a Data Privacy Agreement (DPA) is executed to protect confidential and private information.
Security Commitments in Service Agreements
Security, service, confidentiality, and privacy commitments are included in customer service agreements. Changes that affect user responsibilities are communicated to relevant personnel.
Third-Party Security Attestation
Third-party and vendor systems are subject to security review. SOC 2 reports or other relevant security attestations are obtained and evaluated as part of vendor oversight.
Customer Feedback & Complaints
Customers may raise issues, complaints, or feedback directly with business leads via email. Employees may raise grievances through HR channels.
Public Service Information
Utopia Digital maintains current information about its services on its public website, ensuring that customers and stakeholders have access to accurate and up-to-date service details.
Change Management
Controls ensuring system and infrastructure changes are reviewed, tested, and safely deployed.
Change Management Policy
A documented Change Management policy and process is maintained and reviewed and approved by management annually.
Change Approval Process
System change requests are reviewed and approved according to a defined change approval matrix before implementation.
Change Testing
System and network infrastructure changes are tested by appropriately qualified individuals. Testing outcomes are documented and deviations from expected results are analysed and remediated.
Back-out Planning
A back-out plan is developed for every system change or upgrade, providing a documented rollback path in the event of a major disruption during deployment.
Environment Separation
Separate and isolated environments are maintained for development, testing, and production to prevent unintended changes from affecting live systems.
Change Review & Approval Compliance
All planned changes are required to undergo a documented review and approval process in accordance with the guidelines and procedures defined in the Change Management policy.
IT Infrastructure Hardening
Documented policies and procedures govern the hardening of IT infrastructure and desktops. The policy is reviewed and approved by management annually.
Business Continuity & Availability
Controls ensuring CDE Sync remains available and recoverable under adverse conditions.
Business Continuity & Disaster Recovery Plans
BCP and DR plans are defined and documented, covering infrastructure failover, communication plans, and operational transitions. Plans are reviewed annually and tested through fire drills and exercises at least once per year.
Backup & Restoration Procedure
A documented backup and restoration procedure is maintained and approved by management annually. Backup storage is geo-redundant, with data replicated to a paired Azure region for disaster recovery.
Backup Restoration Testing
Backup restoration testing for Utopia Digital servers is performed by the IT team on an annual basis to validate recoverability.
Capacity Management
Capacity management processes are documented and reviewed by management annually to ensure infrastructure can support current and projected operational demands.
Server Capacity Monitoring
Processing capacity of Utopia Digital servers is monitored on an ongoing basis via Microsoft SCOM to detect performance degradation or resource constraints.
Capacity Threshold Alerting
Capacity utilisation is monitored against defined thresholds to predict infrastructure requirements and prevent system failures before they occur.
Security Patch Management
Security patches are regularly applied to employee workstations, servers, and network devices to maintain currency with supported OS versions and eliminate critical security vulnerabilities.
Data Classification & Confidentiality
Controls governing how data is classified, retained, and securely disposed of.
Information Classification Policy
Utopia Digital maintains a documented Information Classification and Data policy, reviewed and approved by management annually.
Data Classification & Retention
Data is classified across four tiers — Confidential, Internal, Restricted, and Public. A Data Retention policy defines the period for which confidential data must be retained, reviewed and approved annually.
Data Sanitisation & Disposal
Documented procedures ensure that data and storage media are completely sanitised and securely disposed of, rendering content unreadable and irrecoverable.
Subprocessors
Third-party services engaged by Utopia Digital to process data in connection with the delivery of CDE Sync.
| Entity | Service | Purpose |
|---|---|---|
MS Microsoft Corporation |
Microsoft Azure | Cloud Infrastructure |
G Google LLC |
Google Analytics | Website Analytics |
HS HubSpot Inc. |
HubSpot CRM | Customer Relationship Management |
XE Xero Limited |
Xero | Accounting & Finance |
Integration Technologies
CDE platforms and enterprise systems that CDE Sync connects to on behalf of customers. Utopia Digital does not control these platforms but interacts with them as part of service delivery.
| Entity | Platform | Category |
|---|---|---|
AD Autodesk |
Autodesk Construction Cloud (ACC) / BIM 360 | CDE & Project Management |
BS Bentley Systems |
ProjectWise | CDE & Engineering Data Management |
BS Bentley Systems |
iTwin | Digital Twin & Infrastructure |
MS Microsoft |
SharePoint / OneDrive | Document Management & CDE |
12 12d Solutions |
12d Synergy | CDE & Civil Engineering Data |
PC Procore Technologies |
Procore | Construction Project Management |
TR Trimble |
ProjectSight / Trimble Connect | CDE & Field Management |
RV Revizto |
Revizto | Issue Tracking & BIM Coordination |
NF Newforma |
Newforma Project Centre | Project Information Management |
DX Dalux |
Dalux Field / Dalux BIM | Site Management & BIM Viewer |
AS Asite |
Asite CDE | CDE & Document Control |
IE InEight |
InEight Document | Document Control & Project Controls |
OR Oracle |
Aconex / Primavera Cloud | CDE & Project Controls |
SB StreamBIM |
StreamBIM | BIM Viewer & Site Management |
RB RIB Software |
RIB Project (iTWO) | Cost Management & Project Controls |
ES Esri |
ArcGIS | GIS & Spatial Data Management |
HX Hexagon |
Hexagon PPM / EAM | Asset Management & Plant Design |
IB IBM |
Maximo | Enterprise Asset Management |
SA SAP |
SAP S/4HANA / SAP PM | ERP & Asset Management |
AV AVEVA |
AVEVA Engineering / Net | Plant & Process Asset Management |
Compliance & Attestation
SOC 2 attestation, penetration testing, and internal audit documentation.
Testing & Incident Reports
Results from BCP/DR exercises, incident response testing, and capacity reviews.
Legal & Commercial Agreements
NDAs, DPAs, SLAs, SOWs, and payment services agreements for customer engagements.
Security Policies
Operational security policies covering access, encryption, endpoints, and infrastructure.
Data & Privacy
Data classification, retention, disposal, backup, and privacy protection policies.
Risk & Governance
Risk assessment, asset management, change control, and vendor management policies.
Business Continuity
BCP, DRP, and incident management procedures ensuring operational resilience.
People & Organisational
Code of conduct, HR, ethics, modern slavery, WHS, and communications policies.