Back to Trust Center

Security & Responsible Disclosure

Our approach to product security, vulnerability reporting, and incident response.

Contact and reporting

To report a potential vulnerability or security concern, please reach out via our Contact page. Include as much detail as possible so we can investigate promptly.

Data security and encryption

  • Encryption in transit (TLS) and at rest across core services and storage.
  • Wireless and device data transmissions are protected using modern, industry‑standard cryptography.
  • We do not store payment card data; billing is handled by our payment provider. Typical customer data we store is minimal (e.g., business contact info such as email).

Access controls

  • Least‑privilege, role‑based access; SSO/MFA enforced where supported.
  • Customer data access is siloed and restricted to personnel with a business need; access is reviewed and auditable.
  • Credential rotation and secret management practices are in place.

Key management & secrets

  • Provider KMS used for encryption keys with scoped access and periodic rotation.
  • Secrets stored in a managed vault; access is logged and reviewed.

Operational logging and change management

  • Robust system logs across infrastructure and application layers for security, performance, and auditability.
  • Device‑level records are maintained for fielded units (e.g., configuration, firmware version, and relevant events).
  • Infrastructure‑as‑code and change workflows provide review/approval trails for system modifications.

Backups, disaster recovery, and continuity

  • Regular encrypted snapshots and backups with off‑region redundancy.
  • Defined RPO/RTO targets; periodic restore tests and fire‑drill exercises.
  • Maintenance windows announced with reasonable notice; emergency maintenance when required for security/stability.

Incident response

  • Documented playbooks for triage, containment, remediation, and post‑incident review.
  • Customer communications align with our SLA and contractual obligations.

Subprocessors and shared responsibility

We rely on trusted infrastructure and service providers and apply security controls across our integrations. Our overall security posture depends in part on those providers—see Subprocessors for a current list.

Third‑party risk management

  • Vendor onboarding includes security and privacy review appropriate to risk.
  • Active vendor list is maintained and reviewed; material changes are communicated per our DPA.

Firmware & OTA security / compatibility

  • Signed firmware, staged rollouts, and safe rollback paths; secure boot where applicable.
  • Backward compatibility commitments with semantic versioning and deprecation windows to protect integrations.
  • See Quality & Manufacturing for lifecycle testing, SBOM, and compatibility practices.

Assurance for regulated deployments

For government or mission‑critical deployments with geographic or regulatory requirements, additional documentation may be provided upon request under appropriate confidentiality.

Data residency

Regional deployment options may be available depending on product and capacity. Contact us to discuss geographic requirements.

Security certifications

We are actively maturing our security program. Public attestations (e.g., SOC/ISO) may be published here when available.

Data retention and deletion

  • We retain customer data only as long as necessary to deliver the service or as required by law.
  • Upon request or contract termination, data is deleted or anonymized per policy, subject to legal/backup constraints.

Vulnerability management

  • Automated dependency and container scanning; periodic SAST/DAST where applicable.
  • Patch SLAs based on severity and exposure; SBOM available upon request.
  • Periodic third‑party penetration testing with tracked remediation.