Architecture
How data moves. And what it never touches.
Four hops from the walk-in to your phone — and not one of them runs through your systems.
Sensors
LoRaWAN — low-power wireless to the gateway
Gateway
Cellular or ethernet · mutual TLS with per-device X.509 certificates
ConnectedFresh Cloud
AWS · encrypted · multi-AZ redundancy
Your dashboard & alerts
Web dashboard, alerts, reports, data exports
Fully segmented from your network. Sensors talk to the gateway over LoRaWAN — not your Wi-Fi — and on cellular, the gateway carries its own connection, so nothing touches your network at all. Ethernet is available if you prefer it.
We’re a seed-stage company that takes this seriously — here’s exactly where we are.
You won’t find badge-wall logos for certifications we don’t hold yet. What you’ll find below is what we actually run today — and what’s planned as we scale.
The details
Security practices, topic by topic.
Cloud architecture
- Cloud-native on AWS with multi-AZ redundancy
- Containerized services
- Web application firewall (WAF) on all public endpoints
- Databases in private subnets with no direct internet access
Edge & device security
- Every gateway authenticates with a unique per-device X.509 certificate over mutual TLS
- Sensors talk to the gateway over LoRaWAN, a low-power wireless protocol
- On cellular, nothing touches your network
- Gateways buffer up to 72 hours of readings locally through connectivity outages
Encryption
- TLS 1.2+ on every connection, end to end
- AES-256 encryption at rest with managed keys
- Encrypted backups
Access control
- Role-based access control with least-privilege defaults
- Audit logging on administrative actions
- Rotating API keys with per-key rate limits
Data practices
- We monitor environments, not people — no consumer PII is collected or stored
- Sensor payloads contain readings and device IDs only
- Strict per-customer data isolation, enforced at the row level
- Retention per contract — typically 2 years — purged on termination
- Export your data anytime
Testing & assurance
- Annual third-party penetration testing
- Automated dependency and container scanning on every release
- Architecture aligned to SOC 2 Type II control objectives, with formal certification planned as we scale
- Supports our customers’ FSMA compliance requirements
Incident response
- 24-hour customer notification commitment for confirmed data incidents
- Documented containment and recovery playbooks
Found something? Tell us.
If you believe you’ve found a security vulnerability in ConnectedFresh, we want to hear about it — and we’ll respond quickly.
security@connectedfresh.comHave a security questionnaire? Send it over.
Security reviews shouldn’t stall a food safety rollout. You’ll get answers from the people who built the platform — not a sales deck.
Talk to us