YOUR DATA IS SECURE

Haltless is built multi-tenant on a SOC 2-ready audit chain. PostgreSQL Row-Level Security pins every query to the current tenant, MFA is enforced at the application layer, and an HMAC-SHA256 audit log retained for seven years gives auditors a tamper-evident trail. We do not currently hold SOC 2 or ISO 27001 certifications, and we will not claim them on the site until an auditor has signed off.

01

Outbound-only edge agent

The edge agent sits inside your network and reads from PLCs and historians locally. Connections are outbound only: from the agent to the controllers, and from the agent to our cloud over TLS 1.3. No reverse tunnel, no inbound exposure of your OT network. Raw protocol frames are parsed locally; only normalised metrics ship to the cloud.

02

ISO 27001 Aligned

Haltless is not yet ISO 27001 certified. Our information security management system follows the controls defined in the standard, with documented risk assessments, access reviews, vendor due diligence, and change management. Certification status will appear here only after an external auditor has signed off.

03

SOC 2 Controls in Place

Haltless is not yet SOC 2 Type II certified. We do operate against the Trust Services Criteria for security, availability, and confidentiality, with documented logging, alerting, and incident response procedures reviewed continuously and exercised through tabletop drills. Certification status will appear here only after an external auditor has signed off.

Audit integrity & isolation

How the platform protects tenant data at rest and proves nothing has been tampered with.

Tamper-evident audit chain

Every audit log row carries a monotonic sequence number and an HMAC-SHA256 hash chained to the previous row. Mutations, deletions, and reordering all produce mismatches the system detects automatically. An append-only database trigger blocks deletes without an explicit retention flag. Your audit trail is cryptographically tamper-evident.
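The chain described above, as an added illustration that is not Haltless's own code: each row's HMAC-SHA256 covers its fields plus the previous row's MAC, and a verifier walking the rows in order reports the first row whose sequence number, back-link or MAC does not match. The key, field names and sample events are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Any, Dict, List, Optional, Tuple

# Constructed demo key. In production the audit key lives in a KMS/HSM, never next to the rows.
AUDIT_KEY = b"demo-audit-key-not-for-production"
GENESIS = "0" * 64  # prev_mac of the first row in a chain

def row_mac(key: bytes, seq: int, tenant: str, event: str, prev_mac: str) -> str:
    """HMAC-SHA256 over the row's fields plus the previous row's MAC (the chain link).
    JSON gives an unambiguous field encoding, so delimiter tricks cannot make two rows collide."""
    msg = json.dumps([seq, tenant, event, prev_mac], separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def append_row(log: List[Dict[str, Any]], key: bytes, tenant: str, event: str) -> Dict[str, Any]:
    """Append a row with seq = previous seq + 1 whose MAC is bound to the previous row's MAC."""
    prev_seq = log[-1]["seq"] if log else 0
    prev_mac = log[-1]["mac"] if log else GENESIS
    seq = prev_seq + 1
    row = {"seq": seq, "tenant": tenant, "event": event, "prev_mac": prev_mac,
           "mac": row_mac(key, seq, tenant, event, prev_mac)}
    log.append(row)
    return row

def verify_chain(log: List[Dict[str, Any]], key: bytes) -> Optional[Tuple[int, str]]:
    """Walk the chain in order. Returns None if intact, else (seq, reason) for the first bad row.
    Sequence gaps expose deletion and reordering; a MAC mismatch exposes mutation of any field."""
    expected_seq, expected_prev = 1, GENESIS
    for row in log:
        if row["seq"] != expected_seq:
            return row["seq"], "sequence gap or reorder"
        if row["prev_mac"] != expected_prev:
            return row["seq"], "broken link to previous row"
        calc = row_mac(key, row["seq"], row["tenant"], row["event"], row["prev_mac"])
        if not hmac.compare_digest(calc, row["mac"]):
            return row["seq"], "mac mismatch (row mutated)"
        expected_seq, expected_prev = row["seq"] + 1, row["mac"]
    return None

def build_demo_log(key: bytes = AUDIT_KEY) -> List[Dict[str, Any]]:
    """Constructed sample rows for one tenant."""
    log: List[Dict[str, Any]] = []
    for event in ("user.login", "plc.threshold.changed", "user.mfa.enrolled"):
        append_row(log, key, "tenant-a", event)
    return log
```

Because the verifier needs the key, it should run from a separate service or scheduled job that holds the key and reads the rows, so a database-level attacker who can edit rows still cannot recompute valid MACs.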

Row-level multi-tenant isolation

Every tenant-scoped table carries a PostgreSQL row-level security policy that pins queries to the current tenant. Combined with transaction-scoped tenant context middleware and API-layer scoping, a tenant administrator cannot reach another tenant’s data. Isolation enforced from query to endpoint.

04

GDPR & Regional Data Residency

A signed Data Processing Addendum, lawful-basis tracking, and US and EU data residency are available out of the box. You retain full ownership of Customer Data and can request export or deletion at any time. The full DPA, including the EU Standard Contractual Clauses, UK IDTA, and China Standard Contract, is published on the site.

05

End-to-End Encryption

Traffic between edge agents and our backend is protected with TLS 1.3 and per-tenant key material. Customer Personal Data at rest is encrypted with AES-256, MFA secrets are encrypted with a separate key, and Customer telemetry stays in the EU region by default.

Identity & authentication

How users prove who they are, with or without your corporate identity provider.

Multi-factor authentication

12-character password minimum, 90-day rotation with reuse prevention, login throttling per IP and per user, and TOTP-based MFA with secrets encrypted at rest. Email verification is mandatory before first sign-in.

Enterprise SSO

OAuth 2.0 with PKCE for Google and Microsoft sign-in at the application level. Tenants can additionally configure SAML or OIDC against their corporate identity provider. Provision once, control everywhere.

06

24/7 Monitoring & Response

Centralized logging, anomaly detection, and continuous vulnerability scanning feed a 24/7 monitoring stack. On-call engineers triage alerts within minutes and follow a documented incident response playbook.

Session & token hygiene

How issued credentials are scoped, refreshed, and revoked at scale.

Short-lived JWTs, HttpOnly refresh

Access tokens are kept in memory only, never in localStorage. Refresh tokens live in HttpOnly cookies with SameSite=Lax. Sessions are revocable per device, and rotations are routine, not exceptional.

Token-invalidation cutoff

A single database write invalidates every issued token for a user or tenant. Triggered automatically on password change, MFA enrolment, or suspicious activity. No scattered session cleanup required.
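The short-lived token and cutoff mechanism from the two items above, as an added example that is not Haltless's own code: tokens carry an issued-at time, and a single per-user or per-tenant cutoff value (an in-memory dict here standing in for the database row) rejects every token issued before it, so no per-session cleanup is needed. The signing key, claim names and scope keys are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Any, Dict, Optional

SIGNING_KEY = b"demo-token-key-not-for-production"  # constructed; use a KMS-held key in production

# Stand-in for the one database row per scope that the cutoff relies on. Keys look like
# "user:alice" or "tenant:acme"; the value is the unix time of the invalidation write.
CUTOFFS: Dict[str, int] = {}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue_token(user: str, tenant: str, now: int, ttl: int = 900) -> str:
    """Short-lived access token: base64url body + HMAC-SHA256 signature over that body."""
    payload = {"sub": user, "tid": tenant, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def invalidate_all(scope: str, now: int) -> None:
    """The single write: every token of this user or tenant issued before `now` is dead."""
    CUTOFFS[scope] = now

def validate(token: str, now: int) -> Optional[Dict[str, Any]]:
    """Return the payload if the token is authentic, unexpired and issued after both cutoffs."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None  # forged or tampered
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if payload["exp"] <= now:
        return None  # expired
    # Tokens issued strictly before the write are rejected. A token minted in the same second
    # as the write survives; use a monotonic counter instead of seconds to close that gap.
    for scope in (f"user:{payload['sub']}", f"tenant:{payload['tid']}"):
        if payload["iat"] < CUTOFFS.get(scope, 0):
            return None
    return payload
```

Password change, MFA enrolment or a suspicious-activity signal would call `invalidate_all` for the user scope; a tenant-wide incident calls it for the tenant scope and every user's tokens die at once.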

DATA SOVEREIGNTY

Where your data lives, and how it crosses borders

Customer Data is stored in the European Union by default. Cross-border transfers are covered by the EU Standard Contractual Clauses Module 2, the UK Information Commissioner's IDTA, the China Standard Contract for Cross-border Transfer of Personal Information, or the EU-US Data Privacy Framework, depending on the recipient. The current sub-processor list, with the actual processing region per provider, is published in Annex III of the Data Processing Addendum.

Read the Data Processing Addendum
  • US-hosted production environment by default
  • Signed DPA with SCCs, UK IDTA, and the China Standard Contract incorporated
  • Public sub-processor list with processing regions disclosed per provider

STOP REACTING. START PREDICTING.

Connect Haltless to your existing PLCs, validate the explainable health score on your own equipment, and we come back with a tailored quote. No new hardware, no proprietary sensors, no consultants.
