Security
Security architecture and data privacy in Thingsee IoT platform
The Thingsee IoT platform is designed with security and data privacy as fundamental principles, so that your IoT deployment can meet enterprise security requirements.
Data Privacy Principles
Privacy by Design
- No personal data - Thingsee devices don’t collect personal information
- Anonymous identifiers - Devices use serial numbers as the only identity
- Customer-controlled - You decide what data leaves your premises
Data Ownership
All sensor data belongs to you:
- Thingsee Cloud acts as a secure transit point
- Data is forwarded to your designated endpoints
- No data mining or secondary use by Haltian
Cloud Security
Single Tenant Deployment
Every customer receives an isolated cloud environment:
%%{init: {'theme':'base','themeVariables':{'primaryColor':'#73F9C1','primaryTextColor':'#143633','primaryBorderColor':'#143633','lineColor':'#143633','secondaryColor':'#C7FDE6','tertiaryColor':'#F6FAFA','clusterBkg':'#F6FAFA','clusterBorder':'#143633'}}}%%
flowchart TB
subgraph AWS["AWS Infrastructure"]
subgraph Tenant1["Customer A Tenant"]
A1[IoT Core]
A2[Lambda]
A3[DynamoDB]
end
subgraph Tenant2["Customer B Tenant"]
B1[IoT Core]
B2[Lambda]
B3[DynamoDB]
end
end
Tenant1 ~~~ Tenant2
Benefits:
- Complete isolation - No shared resources between customers
- Custom configuration - Tailored security policies
- Compliance ready - Meet regulatory requirements
Customer Controlled Data Pipeline
You control where your data flows:
| Control Point | Options |
|---|---|
| Endpoint | Your MQTT broker, Azure IoT, AWS IoT, custom REST |
| Protocol | MQTT, HTTPS, WebSocket |
| Authentication | Certificates, API keys, OAuth |
| Encryption | TLS 1.2+, custom encryption |
AWS IoT Competency
Thingsee Operations Cloud is built on AWS with security best practices:
- AWS IoT Core for device connectivity
- AWS Lambda for serverless processing
- AWS DynamoDB for data storage
- AWS KMS for key management
- AWS WAF for API protection
Device Security
Manufacturing Security
Security begins in the manufacturing process:
- Secure provisioning - Unique credentials per device
- Hardware security - Secure boot, encrypted storage
- Identity binding - Device identity linked to hardware
Secured IoT Mesh Connections
Wirepas mesh network security features:
| Feature | Description |
|---|---|
| Network encryption | AES-128 encryption for all mesh traffic |
| Authentication | Only authorized devices join the network |
| Anti-replay | Protection against message replay attacks |
| Key rotation | Automatic security key updates |
Secured IoT Gateway
Gateway security architecture:
- NuttX RTOS - Security-focused real-time operating system
- Secure boot - Verified firmware execution
- Certificate-based auth - mTLS to cloud
- Encrypted storage - Sensitive data protection
Network Security
Certificate-Based Authentication
All cloud connectivity uses certificate-based authentication:
%%{init: {'theme':'base','themeVariables':{'primaryColor':'#73F9C1','primaryTextColor':'#143633','primaryBorderColor':'#143633','lineColor':'#143633','secondaryColor':'#C7FDE6','tertiaryColor':'#F6FAFA','actorBkg':'#73F9C1','actorBorder':'#143633','noteBorderColor':'#FF8862','noteBkgColor':'#FFCFC0','signalColor':'#143633'}}}%%
sequenceDiagram
participant G as Gateway
participant T as Thingsee Cloud
G->>T: TLS Handshake + Client Certificate
T->>T: Validate certificate
T->>T: Check certificate chain
T->>T: Verify device identity
T-->>G: Connection established
Note over G,T: All traffic encrypted with TLS 1.2+
Firewall Configuration
Gateways require minimal outbound connectivity:
| Service | Port | Protocol | Purpose |
|---|---|---|---|
| MQTT | 8883 | TLS | Data upload |
| HTTPS | 443 | TLS | API, firmware updates |
No inbound ports required.
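The allowlist in the table above can be checked against firewall flow logs. The following is an added example, not Haltian code: it flags any gateway traffic that is not outbound TCP to 8883 or 443, and any connection initiated towards a gateway. The gateway subnet, the `src dst proto dport` record format and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# From the firewall table: outbound only, MQTT over TLS and HTTPS (both TCP).
ALLOWED_OUTBOUND_TCP = {8883: "MQTT over TLS", 443: "HTTPS"}
# Assumption: gateways sit in a dedicated IoT segment (placeholder range).
GATEWAY_NET = ipaddress.ip_network("10.20.0.0/24")

Flow = namedtuple("Flow", "src dst proto dport")

# Constructed sample: one record per new connection, initiator first.
SAMPLE_FLOWS = """\
10.20.0.11 198.51.100.7 tcp 8883
10.20.0.11 198.51.100.7 tcp 443
10.20.0.12 203.0.113.9 tcp 1883
10.20.0.12 192.0.2.53 udp 53
192.0.2.80 10.20.0.11 tcp 22
192.0.2.80 192.0.2.81 tcp 445
"""

def parse_flow(line):
    """Parse a 'src dst proto dport' record (constructed format)."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))

def classify(flow):
    """Return None if the flow fits the allowlist, else the reason it does not."""
    if ipaddress.ip_address(flow.dst) in GATEWAY_NET:
        return "inbound connection to gateway segment"
    if ipaddress.ip_address(flow.src) not in GATEWAY_NET:
        return None  # not gateway traffic, out of scope for this audit
    if flow.proto != "tcp" or flow.dport not in ALLOWED_OUTBOUND_TCP:
        # Everything else, including DNS or NTP, is reported for review.
        return f"outbound {flow.proto}/{flow.dport} not in allowlist"
    return None

def audit(text):
    """Return (record, reason) for every flow that violates the allowlist."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            reason = classify(parse_flow(line))
            if reason:
                findings.append((line, reason))
    return findings

if __name__ == "__main__":
    for record, reason in audit(SAMPLE_FLOWS):
        print(f"{reason}: {record}")
```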
Compliance and Certifications
Security Certifications
- ISO 27001 - Information security management
- SOC 2 Type II - Security, availability, confidentiality
- GDPR - European data protection compliance
Industry Standards
- OWASP - Web application security guidelines
- NIST - Cybersecurity framework alignment
- IEC 62443 - Industrial communication security
Best Practices
For Deployment
- Use dedicated integration credentials - Never share API keys
- Enable logging - Audit all device operations
- Regular updates - Keep firmware current
- Network segmentation - Isolate IoT traffic
For Development
- Secure credential storage - Use secrets management
- Input validation - Validate all Thingsee messages
- Error handling - Don’t expose internal errors
- Access control - Implement least privilege
Incident Response
If you suspect a security incident:
- Contact Haltian Support immediately
- Document - Preserve logs and evidence
- Isolate - Disconnect affected devices if needed
- Review - Audit recent changes and access
Security Contact
Report security vulnerabilities to: security@haltian.com