ResourcesPartnersSensorsPricingSavings CalculatorInvestorsDashboard Login
Security & Trust

Built for security-conscious environments.

This page is written for your IT and security team: how data moves through the platform, how it’s protected, and exactly where we are on formal certifications. No security theater.

mTLS device authTLS 1.2+ everywhereAES-256 at restNo consumer PII
Architecture

How data moves. And what it never touches.

Four hops from the walk-in to your phone — and not one of them runs through your systems.

Sensors
LoRaWAN — low-power wireless to the gateway
Gateway
Cellular or ethernet · mutual TLS with per-device X.509 certificates
ConnectedFresh Cloud
AWS · encrypted · multi-AZ redundancy
Your dashboard & alerts
Web dashboard, alerts, reports, data exports

Fully segmented from your network. Sensors talk to the gateway over LoRaWAN — not your Wi-Fi — and on cellular, the gateway carries its own connection, so nothing touches your network at all. Ethernet is available if you prefer it.

We’re a seed-stage company that takes this seriously — here’s exactly where we are.

You won’t find badge-wall logos for certifications we don’t hold yet. What you’ll find below is what we actually run today — and what’s planned as we scale.

The details

Security practices, topic by topic.

Cloud architecture

  • Cloud-native on AWS with multi-AZ redundancy
  • Containerized services
  • Web application firewall (WAF) on all public endpoints
  • Databases in private subnets with no direct internet access

Edge & device security

  • Every gateway authenticates with a unique per-device X.509 certificate over mutual TLS
  • Sensors talk to the gateway over LoRaWAN, a low-power wireless protocol
  • On cellular, nothing touches your network
  • Gateways buffer up to 72 hours of readings locally through connectivity outages

Encryption

  • TLS 1.2+ on every connection, end to end
  • AES-256 encryption at rest with managed keys
  • Encrypted backups

Access control

  • Role-based access control with least-privilege defaults
  • Audit logging on administrative actions
  • Rotating API keys with per-key rate limits

Data practices

  • We monitor environments, not people — no consumer PII is collected or stored
  • Sensor payloads contain readings and device IDs only
  • Strict per-customer data isolation, enforced at the row level
  • Retention per contract — typically 2 years — purged on termination
  • Export your data anytime

Testing & assurance

  • Annual third-party penetration testing
  • Automated dependency and container scanning on every release
  • Architecture aligned to SOC 2 Type II control objectives, with formal certification planned as we scale
  • Supports our customers’ FSMA compliance requirements

Incident response

  • 24-hour customer notification commitment for confirmed data incidents
  • Documented containment and recovery playbooks

Found something? Tell us.

If you believe you’ve found a security vulnerability in ConnectedFresh, we want to hear about it — and we’ll respond quickly.

security@connectedfresh.com

Have a security questionnaire? Send it over.

Security reviews shouldn’t stall a food safety rollout. You’ll get answers from the people who built the platform — not a sales deck.

Talk to us
Ask us anything