Skip to main content

Help us improve the Digital Marketplace - send your feedback

Software AG (UK) Limited

Software AG - Cumulocity IoT (Internet of Things) Platform

Available for cloud, on premise, edge and hybrid deployments, Cumulocity gives fast visibility and control over remote assets. API and software libraries establish seamless remote connectivity and control with assets. Providing market-leading device management, data visualization and real-time analytics. Monitor device connectivity via dashboards, responding promptly to alerts and events.

Features

  • IoT compatible hardware list
  • Software libraries (SDKs)
  • Mobile networking support
  • Device connectivity and management
  • Machine learning and artificial intelligence capabilities
  • Dashboarding and custom visualisation
  • Remote control
  • Third party integrations
  • APIs
  • Real-time analytics and reporting

Benefits

  • Supports many IoT Devices Netcomm, Arduino, Cinterion boards, Tinkerforge
  • Supports IoT devices with software libraries Java, JavaME, C/C++, Python
  • Supports Internet connectivity including Mobile networks in a secure manner
  • Mobile Internet connectivity supported natively for IoT applications
  • Provides extensive IoT device management for fully certified devices
  • Visualises sensor data graphically through web user interface
  • Common sensor, control types rendered correctly regardless of sensor data
  • Provides custom visualisation, new control widgets, custom business logic
  • Complete functionality exposed through programming interfaces (APIs)
  • Allows users to run real-time IoT business logic inside Cumulocity

Pricing

£860 an instance a month

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at maurice.hancock@softwareag.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

5 2 3 5 0 8 5 6 3 1 7 5 0 2 5

Contact

Software AG (UK) Limited Maurice Hancock
Telephone: 07964 244563
Email: maurice.hancock@softwareag.com

Service scope

Software add-on or extension
No
Cloud deployment model
  • Public cloud
  • Private cloud
  • Hybrid cloud
Service constraints
Cumulocity IoT Application is based on OSGi stack and Web standards and runs on MS-Azure, Amazon AWS and Alibaba Cloud IaaS.

Depending on the type of operational SLAs required - Service Provider or Enterprise Editions are available for customers.
System requirements
  • Apache Karaf as OSGI container for the core webservices.
  • Mongo DB as document oriented database.
  • APAMA streaming analytics engine.
  • Kubernetes cluster for microservice hosting.

User support

Email or online ticketing support
Email or online ticketing
Support response times
Response times vary depending on the urgency/severity of the support required. The response time can be between 30 minutes to 1 working day. In case of Standard Cloud Hosted Enterprise customers, support is provided Monday to Friday 9 am to 5pm.

For Cumulocity On Premise or high value government customers, the response times can be uplifted after performing feasibility study and pricing per mutual agreement e.g. 24*7.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
None or don’t know
Phone support
No
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Software AG provides standard levels of support for customers. For Cumulocity in the cloud:

- SLA 1 : Critical Incidents, Initial Response Goal : 4 Business Hours.
- SLA 2 : Major Incidents, Initial Response Goal : 2 Business Days.
- SLA 3 : Minor Incidents : 2 Business Days.

Support Available : 08:00 to 18:00 CET/CEST, Excluding German Weekends and German Public Holidays. Further support packages and SLA's can be mutually agreed on after discussions with the customer.

A Customer Success /technical account manager may be available
subject to feasibility and at a mutually agreed price for Cumulocity on premise, a discussion is required to determine the scope and is subject to feasibility. Enterprise active support for 24*7 is provided to customers who have entered into an agreement.
Support available to third parties
No

Onboarding and offboarding

Getting started
Initially customers are provided with information regarding availability, SLA's, product specifications, and the process to register their cloud tenancy. Along with this, instructions for accessing support functions are provided to the customer as well as providing guides and documentation for implementation (where applicable).

Various training options are available at differing costs to the customer. An education portal is also provided at no extra cost that contains tutorials and guides for using Cumulocity. Instructor lead training sessions are available for customers that can be tailored for various teams and personas. These can be both in person, on-site or online, as such the costs associated with instructor lead training varies.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
For Public Cloud Hosting in AWS (or equivalent) access to the Cumulocity hosting services will be removed upon termination of the agreement. Customers will be able to download a final backup of their data within 90 days after termination of the agreement (the “Exit Period”).

After this exit period, the customer's environment/tenant and data will be deleted following industry-standard practices. This same policy also applies to dedicated environments.
End-of-contract process
The date for end of the contract will be based on sufficient notice by providing notification from either party and the procedure will be carried out by mutual consent and as documented.

Due to the specific needs of government organizations, this end-of-contract activity will be documented mutually at the time of drafting the contract. This is to ensure accountability on either side for the completion of tasks and progressing towards graceful closure of the contract including extraction of data owned by the customer.

The commercials for this part of the contract will have to be pre agreed prior to commencement of the project.

Using the service

Web browser interface
Yes
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
Cumulocity supports HTML5, rendered in previously mentioned supported browsers. Cumulocity visualizes your sensor data centrally and graphically through its modern web user interface. The user interface automatically adapts itself to the devices you connect, no configuration required. It also adapts itself to the web browser that you use.

For example, if you use a mobile phone or tablet with limited screen size, it will change user interface controls to use less screen estate. All core features and functionalities are supported when when using Cumulocity on a mobile device.
Service interface
No
User support accessibility
None or don’t know
API
Yes
What users can and can't do using the API
Cumulocity exposes its complete functionality through APIs. This means that all of Cumulocity’s core functionality is available for use in different use cases and custom applications outside of what Cumulocity directly provides out of the box.

In contrast to many other M2M and IoT platforms, Cumulocity's APIs are holistic preventing the need to create different interfaces for various use cases and technologies. As a consequence, you have a wider range of choices in putting intelligence into your IoT devices, only limited by the restraints of the hardware and devices.

You also have to use only one set of APIs and one technology to build a complete solution from device to application on your own. Cumulocity utilises HTTP and REST which is supported by any internet-connected device ranging from small embedded microcontrollers up to desktop PCs. The secure variant, HTTPS, is used for the most security critical applications and will give you the best possible security.

In addition, we provide a microservice API for developing and deploying microservices to Cumulocity IoT. These allow you to extend functionality of the platform outside of it's native capabilities.
API documentation
Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
API sandbox or test environment
No
Customisation available
Yes
Description of customisation
Cumulocity is based on W3C web standards and supports open source. Cumulocity allows extensibility of the IoT device management functionality through implementing customised microservices. The Web user Interface can be customised using custom widgets developed in both HTML5, and Angular java script. The Cumulocity functionality already provides a wide range of device management, visualization and control options.

Furthermore it produces custom visualization, new control
widgets and custom business logic. Cumulocity has extensive customization options, for example:
- Write alarm rules to reprioritize or suppress alarms and to define your SLA parameters.
- Use real-time analytics to implement real-time business rules, e.g., get an email when critical events happen, or trigger automated actions on devices in that case.
- Set up a graphical dashboard with your most important KPIs. Subscribe to plugins that contribute new functionality to the Cumulocity application.

Scaling

Independence of resources
To keep up with the demand of other customers on our service, Cumulocity scales horizontally by instantiating additional nodes when needed. In conjunction with this a load balancer is utilised to evenly distribute the traffic from users to avoid resource bottlenecks. The primarily monitored scaling attributes are the number of transactions per second being received and how many devices are concurrently connected.

Cumulocity’s “application tier” is mostly stateless preventing lingering sessions where possible. Cumulocity's “database tier” uses sharding, based on the device id, spreading the workload and mitigating performance issues.

Analytics

Service usage metrics
Yes
Metrics types
Cumulocity users can view their usage metrics using two main methods. The first method utilises the REST API available for users to query device data, this can be used to export device and tenant data by the user providing insights in to service usage.

There are also a series of device centric dashboards that allow users to view the device usage data, as well as any additional services the tenant may be using that can be treated as "consumables".

Additionally a custom microservice could be developed to query and report service usage data in a customised format.
Reporting types
  • API access
  • Real-time dashboards

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
European Economic Area (EEA)
User control over data storage and processing locations
Yes
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least every 6 months
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
Other
Other data at rest protection approach
All functionality is implemented using publicly documented, session-less REST APIs, which means "session stealing" techniques will not be effective. The database used for IoT storage is not SQL based and itself is not based on a scripting language meaning "injection attacks" will be ineffective.

Cumulocity was designed, developed and deployed following industry best practices and supplier-defined controls. Extensive RBAC controls are used to protect data at rest. Secure multi-tenancy, scalability, high availability, and encryption making it secure for virtually any IoT use case.

Software AG is happy to provide details upon request to meet compliance for bespoke solutions.
Data sanitisation process
No
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Cumulocity users have multiple options for exporting data from the platform. The REST API provided allows users to query platform device data and export it in JSON format for data analysis.

Another method for Cumulocity users is the reporting functionality. This allows users to export device data via reports in CSV format. This can be done both on-demand, or scheduled.

If these methods aren't sufficient, custom reporting can be implemented by users through the use of a custom microservice which can be developed and hosted on the platform.
Data export formats
  • CSV
  • Other
Other data export formats
JSON
Data import formats
  • CSV
  • Other
Other data import formats
  • JSON
  • MQTT

Data-in-transit protection

Data protection between buyer and supplier networks
Other
Other protection between networks
Cumulocity is a telecom grade service provider IoT platform and has been designed, developed and deployed following Industry best practices and supplier-defined controls.

Cumulocity provides security at device, network, cloud, application, and IT management level. Data transiting between networks is secured via various security measures. Data is encrypted in transit, DoS/DDoS protection is provided as well as demilitarised zones, IP range restrictions, intrusion detection/prevention, network port restriction, network firewall and VPN.

As the requirements of government are specific to
each project, Software AG is happy to provide details upon request to meet compliance to protect data.
Data protection within supplier network
Other
Other protection within supplier network
The security requirements the platform follows are derived from the industry best practice guidelines such as NIST 800-53 and the OWASP. All business partners and service providers have recognised security certificates. Network security is performed through various authentication and authorisation methods. Connections are established through HTTPS which reinforces communications with transport-level encryption (SSL/TLS).

All functionality of Cumulocity IoT is implemented with the same set of publicly documented, session-less REST APIs, this means "session stealing" techniques will not be effective on Cumulocity.

Software AG is happy to provide further specific details upon request to meet compliance needs for the customer.

Availability and resilience

Guaranteed availability
Service availability 99.9% based on web services availability measured over 5 minute intervals per calendar month (excluding standard scheduled maintenance). This excludes the availability of the underlying cloud /AWS infrastructure.

Option for users to be refunded may be feasible if a separate agreement had been exclusively drawn up mutually for a bespoke uplifted service. This is when the Cumulocity IoT platform could not meet the mutually agreed guaranteed levels of availability of Cumulocity software due to unforeseen circumstances.
Approach to resilience
Cumulocity IoT is setup in a multi availability zone setup with all components been distributed between these zones. 3 zones will always be used for production platforms.

This means all key components are available always 3 times to allow for high availability. The system will continue working as long as a majority of a component is still available. This setup has been proven to be effective numerous times.

Cumulocity runs on AWS, Azure and Alibaba as cloud providers, only supporting installations on virtual machines. Cumulocity supports VMWare and OpenStack and the service is designed to be resilient. Cumulocity can be deployed with bespoke high availability architectures and geographic resiliency as required for specific projects by government customers. Further details regarding this can be provided on request.
Outage reporting
Two methods are used to report on service outages, service reports and a public dashboard visible for customers. Service reports inform customers of any planned service outages in advance, whether it is for maintenance purposes or for upgrades, etc.

Day to day operational information on the service is available for customers to view via a dashboard. This method informs customers of any outages that were not foreseen or otherwise planned for. The dashboard is published and can be accessed via the below link:
http://status.cumulocity.com/

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
There are various authorization and authentication tools available
for management users. 2 Factor authentication is provided as standard through SMS or chosen authentication app to restrict access.

Admins can define how strong passwords of users needs to be in terms of characters, special symbols, numbers etc. Admins can also specify how often password changes are required.

RBAC can be applied at user, device, and application level. Global and Inventory roles allow admins to set strict rules to decide which type of users get what type of permissions to data, devices, and applications.

Software AG can provide further details upon request.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
Description of management access authentication
For Cumulocity, all operations for each environment are done via the management tenant. For public cloud customers, we restrict access to this management tenant. For dedicated cloud customers, access is granted to this management tenant.

As mentioned previously, functionalities such as 2 factor authentication, password requirements, and RBAC can be applied at user, device, and application level. All activity on the tenant is logged for audit which can be viewed through an auditing interface.

Cumulocity also provides a distributed multi-tenancy architecture, allowing the management tenant to control, oversee, and restrict access to the tenants lower in the hierarchy.

Audit information for users

Access to user activity audit information
You control when users can access audit information
How long user audit data is stored for
Between 1 month and 6 months
Access to supplier activity audit information
You control when users can access audit information
How long supplier audit data is stored for
Between 1 month and 6 months
How long system logs are stored for
Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
DQS GmbH
ISO/IEC 27001 accreditation date
26/01/2021
What the ISO/IEC 27001 doesn’t cover
Software AG has certification for compliance with ISO/IEC 27001:2013, ISO/IEC 27017:2015, and ISO/IEC 27018:2019. Software AG Standard and Managed Cloud Services as listed in the certification scope statement delivered by Cloud Operations and PS Managed Services including supporting operation functions.
https://www.softwareag.com/en_corporate/company/iso-certified.html
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
Yes
Cyber essentials plus
No
Other security certifications
Yes
Any other security certifications
  • ISO/IEC 27001:2013, ISO/IEC 27017:2015, ISO/IEC 27018:2019
  • Complies with SOC 2 standards

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
REPORTING STRUCTURE: Head of Cloud Security, Compliance and Certifications, Cloud Compliance and Certification Manager, Cloud Security Technical Manager, Cloud Security and Compliance Sales Support Manager.

SECURITY POLICIES: Cumulocity Standard Edition Tenants can be hosted at Microsoft Azure and Amazon Web Services (AWS). AWS has been certified according to ISO 27001, DSS and other standards (http://aws.amazon.com/compliance/). It features extensive physical security measures and is independently audited. Audit reports can be obtained directly at AWS Compliance (http://aws.amazon.com/compliance/contact/).

Cumulocity ensures that Customer data stays confidential and cannot be tampered with through an end-to-end implementation of HTTPS from devices to applications. It uses up-to-date encryption technology that has been independently rated "A" by SSLlabs (https://www.ssllabs.com/).

Any communication with Cumulocity is subject to individual authentication and authorization. All functionality of Cumulocity is coherently implemented with the same set of publicly documented, session less REST APIs. This means that none of the popular "session stealing" techniques will work with Cumulocity.

To capture security-relevant events, Cumulocity offers an auditing interface which enables applications and agents to write audit logs, which are persistently stored and cannot be externally modified after being written. Cumulocity also writes its own audit records related to login and device control operations.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
All changes are implemented following a strict change process as per ISO27001 and SOC2 certification. Please visit the following links for more details:

https://www.softwareag.com/content/dam/softwareag/global/marketing-material/en/terms-and-conditions/business-continuity-and-cloud-certificates/softwareag-cumulocity-soc-3-audit-report.pdf

https://www.softwareag.com/content/dam/softwareag/global/marketing-material/en/terms-and-conditions/business-continuity-and-cloud-certificates/ISO-27001-ICloud-Information-Management-System-Certified-by-DQS-(English).pdf

Software AG are happy to share further details of this under NDA.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Within alignment of Software AG's cloud vulnerability management program, the core procedures include:

- Anti-malware and endpoint detection & response.
- Automatic real-time detection and removal of publicly known
malware types.
- Threat intelligence, detection of suspicious and potentially
malicious activities related to users, processes, and network
communication.
- Vulnerability scanning on all customer production cloud
instances (monthly).
- Hardening controls based on industry best practices for
customer production cloud instances.
- External penetration testing on cloud products (annually).
- Internal Application/Network security testing before each cloud
product release.
- Patch Management as part of every release (every 3
months).
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Software AG supplier-defined controls have been used for protective monitoring processes. These include the required procedures to address protective monitoring.

All services are monitored 24/7 by the cloud operations team. Security incidents are also monitored by the SOC team of Software AG. The actual detection happens by several mechanisms such as:

- Endpoint protection
- Mechanisms inside the used hyperscaler

The processes for reaction are regularly reviewed as part of ISO27001 and SOC2. Reactions are usually immediate after detection as operations is available 24/7. Software AG is happy to provide further details on this topic upon request.
Incident management type
Supplier-defined controls
Incident management approach
Cumulocity IoT has defined processes for common events which are also e.g. for DR regularly trained. Users report incidents via the 'Support Portal', for customers there will be updates provided in tickets and generally on statuspage.io where updates for planned maintenance, and Incidents & problems are published and updated.

Software AG is happy to provide details upon request to meet compliance for bespoke projects for incident management.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Social Value

Social Value

Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

Fighting climate change

Sustainability and responsible action are guiding principles in Software AG’s business operations. We are certain that ethically correct behaviour and economic success belong together. To protect future generations and our planet, Software AG is committed to creating not only economic, but also ecological and social value.
Software AG is actively striving to reduce its environmental footprint. To mitigate the effects of its business activities on the planet, we are working toward a plan to become climate-neutral as quickly as possible by setting targets in the environmental area. With the help of its technology and solutions, Software AG will join forces with its customers and partners to tackle the most significant environmental challenges of the modern world and help mitigate the climate crisis, ultimately shaping a more sustainable future.

Covid-19 recovery

Since the beginning of the COVID-19 pandemic in 2020, four years have passed, and the global economy is still recovering from the adverse effects of multiple lockdowns in most countries of the world. Fortunately, the freezing of companies, postponed or extended investment activities, and extensive restrictions on business travel only had minor effects on Software AG’s business operations. We implemented a hybrid working model with many business meetings, trainings, and other operations being conducted online. Today, this has become the default working model, which not only has not hindered business operations but allowed for greater flexibility and increased efficiency for employees and business partners alike.
The COVID-19 crisis shed light on the lack of digitalization in business processes worldwide. This resulted in additional business opportunities for Software AG, particularly in the Digital Business segment, which would compensate, or even overcompensate, for the negative effects on the global economy.

Tackling economic inequality

Sustainable economic growth is of key significance to Software AG's business since it contributes to our long-term stability and positive impact on our employees, investors, and customers. Software AG’s leadership is convinced that having a sustainable business strategy not only promotes economic growth but is also essential to live up to the Company's own requirements pertaining to ESG matters.
Software AG recognizes the need to address economic inequality on a global scale and within the UK. We are committed to tackling the issue through various initiatives aimed at creating new jobs and business opportunities, while simultaneously increasing the resilience of its supply chain and sustainable practices therein. To achieve this goal, Software AG would prioritize job creation initiatives, training and development of employees’ skills, and vital partnerships with local communities and organizations to enhance the development of less privileged individuals. To enhance its supply chain, we would work towards expanding our sourcing options and fostering partnerships with local suppliers in the UK.

Equal opportunity

A company’s corporate culture, encompassing its values and norms, serves as the glue that holds it together. This culture not only influences employee performance, but also facilitates the achievement of business objectives. It is supported by a framework that outlines the expectations for individual behaviour, beliefs, actions, and decisions. In March 2022, Software AG introduced its Culture Framework, which is focused around three core Ps: people, passion, and products, serving as the backbone of Software AG’s operations. The Culture Framework establishes inclusion, integrity, and innovation as the fundamental values guiding leadership practices. These values unite Software AG as a company and offer practical guidance on communication, interaction, and decision-making. Diversity, equity, and inclusion (DE&I) are an integral part of Software AG’s Culture Framework. Recognizing the interconnectedness of corporate culture, employee satisfaction, and engagement, Software AG has implemented a variety of initiatives to better understand these principles and positively influence its corporate culture. The dedication shown by Software AG's employees, coupled with their professional and personal abilities, decisively contributes to our success. Overlooking employee concerns poses a fundamental risk of (generally indirect) negative impacts on business performance. Examples of this include situations when low employee satisfaction leads to attrition and a loss of company-specific expertise, or when a lack of diversity in the corporate environment hampers innovation. For this reason, Software AG deploys a variety of initiatives aimed at fostering high employee satisfaction and nurturing an innovative and diverse corporate culture while actively monitoring employee engagement. Since 2020, Software AG has been a member of The Valuable 500, a global business collective of companies dedicated to innovation in disability inclusion. Software AG is also a member of the Initiative Women into Leadership (IWiL), a non-profit association that facilitates long-term mentoring and promotion of women at the top level.

Wellbeing

Software AG is committed to fostering a corporate culture grounded in respect, transparency, and inclusion. The company continues to focus on attracting and retaining the best talent, nurtured through employee engagement and an inclusive and equitable working environment— where all employees can thrive and unleash their full potential.
Software AG offers an Employee Assistance Program (EAP), which provides employees with around-the-clock professional counselling free of charge. Yet, Software AG not only takes care of its own employees but is actively involved in improving community integration. For instance, our own Give Back to the World initiatives engages in several projects in the UK with an environmental or social value, tackling issues such as prevention of domestic violence, mitigation of deforestation, and promoting a healthy and active lifestyle.

Pricing

Price
£860 an instance a month
Discount for educational organisations
Yes
Free trial available
Yes
Description of free trial
Cumulocity IoT free trial edition enables basic IoT solutions to be created quickly who can use everyday office productivity apps. This allows your business to adopt a low-effort and agile approach to IoT solution creation. https://signup.softwareag.cloud/#/?product=cumulocity

Account for a free trial of Cumulocity IoT is available for 30 days
Link to free trial
https://cumulocity.com/pages/free-trial/

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at maurice.hancock@softwareag.com. Tell them what format you need. It will help if you say what assistive technology you use.