Security
Understanding security architecture and features across the Haltian IoT platform
Overview - Security by Design
Haltian IoT is designed with security as a foundational principle, from sensor devices to cloud infrastructure and applications, security controls protect data confidentiality, integrity, and availability throughout the entire data lifecycle.
End-to-End Security Architecture
The following diagram illustrates how security is implemented across all layers of the Haltian IoT platform:
%%{init: {'theme': 'base', 'themeVariables': {'primaryColor': '#F6FAFA', 'primaryTextColor': '#143633', 'primaryBorderColor': '#143633', 'lineColor': '#143633', 'secondaryColor': '#C7FDE6', 'tertiaryColor': '#73F9C1', 'clusterBkg': '#ffffff', 'clusterBorder': '#143633', 'edgeLabelBackground': '#ffffff'}}}%%
graph BT
subgraph Devices["Device Layer"]
Sensors["Sensors<br/>(Locators, Tags, Sensors)"]
GW["Haltian IoT Gateway"]
Sensors -->|Wirepas Mesh<br/>AES-128| GW
end
subgraph Cloud["Cloud Layer (AWS)"]
subgraph APIs["APIs"]
GatewayAPI["Gateway API<br/>(REST/MQTT)"]
ServicesAPI["Services API<br/>(GraphQL)"]
StreamAPI["Stream API<br/>(MQTT)"]
DataAPI["Data API<br/>(Parquet)"]
end
subgraph Database["Encrypted Database"]
Orgs["Organizations"]
SpacesDB["Spaces"]
DevicesDB["Devices"]
DataDB["Measurements"]
end
subgraph Storage["Encrypted Storage"]
Files["Files"]
end
APIs -->|Organization scope| Database
DataAPI -->|Organization scope| Storage
end
subgraph Apps["Clients Layer"]
Studio["Haltian IoT Studio"]
ClientApps["Client Apps"]
ClientServices["Client Services"]
end
GW -->|X.509 authentication| GatewayAPI
Studio -->|Organization scope<br/>RBAC| ServicesAPI
ClientApps -->|Organization scope<br/>RBAC| ServicesAPI
ClientServices -->|Organization scope<br/>API key| StreamAPI
ClientServices -->|Organization scope<br/>API key| DataAPICore Security Principles
Privacy by Design
- No Personal Data Collection: Haltian IoT does not collect or store personal information. All devices use anonymous identifiers.
- Clients can optionally add metadata to devices (names, external identifiers, photos), but this is not required for basic operation
- Any additional metadata is stored within the organization’s own data scope
- Customer Data Ownership: Organizations maintain full ownership and control of their data.
- The Services API provides the same full data access that Haltian’s own applications use
- No data is locked behind proprietary interfaces
- Tenant Isolation: Multi-tenant architecture ensures data segregation between organizations.
Encryption Everywhere
- Data in Transit: All network communication is encrypted using TLS or AES-128 (Wirepas mesh)
- Data at Rest: All data stored in databases and object storage is encrypted
- End-to-End: Data remains encrypted from device to application
Zero Trust Architecture
- Certificate-based Authentication: Gateways authenticate using X.509 certificates
- Gateways include factory-provisioned credentials from the manufacturing process
- A bootstrapping process establishes secure communication with the cloud on first connection
- Token-based Authorization: Applications use JWT tokens with short lifetimes
- Least Privilege Access: Role-based access control limits permissions to minimum required
Security Features by Layer
Device Layer
- Wirepas mesh AES-128 encryption for all wireless traffic
- Flexible network credential options:
- Haltian-wide shared Wirepas network credentials for easy deployment
- Organization-specific Wirepas credentials for dedicated network isolation
Cloud Layer
- Multi-tenant AWS deployment with tenant isolation
- Keycloak identity management with per-organization realms
- Encryption at rest for all databases and storage
- Role-based access control (RBAC) with hierarchical permissions
- Viewer and Installer roles can be restricted to specific spaces (building sites), limiting user access to only their assigned locations
Clients Layer
- JWT-based authentication with short-lived access tokens
- API key authentication for machine-to-machine integrations
- GraphQL API introspection based on user roles