This document summarizes the security architecture for the Kaiterra platform.
Data At Rest
At Kaiterra, we care about your data security as much as your air quality. That’s why we use the industry standard AES-256 algorithm to encrypt everything we store: sensor data and metadata, account information, and logs.
Encryption at rest includes the underlying storage for database instances, automated backups, read replicas, snapshots, and all stages of the processing pipeline.
Data In Transit
Once configured, Kaiterra devices do not accept any incoming network connections. Devices communicate with external services via outbound connections only.
Once a device establishes an internet connection over Ethernet or WiFi, all data in transit is encrypted over TLS/SSL connections.
Sensor readings use MQTT TLS 1.2 encryption over port 8884 to Kaiterra’s Cloud. Our customers may use a secondary MQTT broker if they choose, which may be on-prem or internet connected.
A device will also send requests to Kaiterra’s API for configuration and firmware over-the-air (OTA) updates using HTTPS/TLS 1.2 encryption over port 443.
Device HW Security
The root file system on Kaiterra’s sensor is read-only. Sensor data is processed in-memory and not stored. Each device has a unique certificate to authenticate with our cloud.
Web App (Dashboard) Account Security
Kaiterra supports Single Sign-On (SSO) to authenticate customers with their own systems without requiring them to make Kaiterra-specific credentials. 2-Factor Authentication (2FA) can be enabled with configuration.
Kaiterra customers can administer user access to the Web App Dashboard.
Password and Credential Storage
Kaiterra uses industry-standard password complexity requirements. Credentials are stored using bcrypt with a cost of 10 and unique per-account salts. Forced password resetting can be enforced with SSO integrations, upon request.
Kaiterra’s API allows our customers to consume their air quality data in external applications. API keys or token authentication are required for access. All requests must be HTTPS.
At Kaiterra, keeping our customers’ data secure is our top priority. We employ rigorous security measures to ensure that your data and applications remain safe. Our security policy and documentation are continuously assessed and reviewed annually to reflect any changes. If you have any questions, please don’t hesitate to contact email@example.com.