This document summarizes the security architecture for the Kaiterra platform.
Data in Transit
Once configured, Kaiterra devices do not accept any incoming network connections. Devices communicate with external services via outbound connections only.
Once a Kaiterra device establishes an internet connection over Ethernet or WiFi, all data in transit is encrypted over TLS/SSL connections.
Sensor readings use MQTT TLS 1.2 encryption over port 8884 to Kaiterra’s Cloud. Our customers may use a secondary MQTT broker if they choose, which may be on-prem or internet connected.
A device will also send requests to Kaiterra’s API for configuration and firmware over-the-air (OTA) updates using HTTPS/TLS 1.2 encryption over port 443.
Device HW Security
The root file system on Kaiterra’s sensor is read-only. Sensor data is processed in-memory and not stored. Each device has a unique certificate to authenticate with our cloud.
Web Dashboard Account Security
Kaiterra supports Single Sign-On (SSO) to authenticate customers with their own systems without requiring them to make Kaiterra-specific credentials. 2-Factor Authentication (2FA) can be enabled with configuration.
Kaiterra customers can administer user access to the Web Dashboard.
Password and Credential Storage
Kaiterra uses industry-standard password complexity requirements. Credentials are stored using bcrypt with a cost of 10 and unique per-account salts. Forced password resetting can be enforced with SSO integrations, upon request.
Kaiterra’s API allows our customers to consume their air quality data in external applications. API keys or token authentication are required for access. All requests must be HTTPS.
At Kaiterra, keeping our customers’ data secure is our top priority. We employ rigorous security measures to ensure that your data and applications remain safe. If you have any questions, please don’t hesitate to reach out to firstname.lastname@example.org.