Telemetry2U: Data Security Policy – Protecting Your IoT Data
At Telemetry2U, data security is a core part of our IoT platform. We take a multi-layered approach to protecting your information, from password management and encrypted data storage to secure cloud replication and real-time threat detection. Whether you're monitoring with LoRaWAN, NB-IoT, or LTE, you can trust that your data is transmitted, stored, and accessed with strong security protocols in place.
Server Level Security
Password Management and Authentication
Passwords are never stored in plaintext and are hashed using HMAC-SHA512 with a 128-bit salt, a 256-bit subkey, and 100,000 iterations. Authentication via external OAuth 2.0 is also supported for some providers. Initial sign-up does not require divulging passwords to any third party, and password reset requests require authentication via email. The password policy requires that passwords contain an uppercase character, a lowercase character, a digit, a non-alphanumeric character, and be at least six characters long.
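An added example, not Telemetry2U's own code: hashing and verifying a password with the parameters stated above, alongside a check for the stated password policy. It assumes the key-derivation function is PBKDF2 (the page names only HMAC-SHA512) and uses a hypothetical `iterations$salt$subkey` record layout; the function names are illustrative.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters stated in the policy text.
SALT_BYTES = 16        # 128-bit salt
SUBKEY_BYTES = 32      # 256-bit subkey
ITERATIONS = 100_000

def meets_policy(password: str) -> bool:
    """Upper, lower, digit, non-alphanumeric, and at least six characters."""
    return (len(password) >= 6
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record; a fresh random salt is drawn per password."""
    if not meets_policy(password):
        raise ValueError("password does not meet policy")
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    # Assumption: PBKDF2 is the KDF wrapped around HMAC-SHA512.
    subkey = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                 salt, ITERATIONS, dklen=SUBKEY_BYTES)
    # Hypothetical record layout: iterations$salt_hex$subkey_hex
    return f"{ITERATIONS}${salt.hex()}${subkey.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the subkey from the stored parameters and compare."""
    try:
        iters_s, salt_hex, subkey_hex = record.split("$")
        iters = int(iters_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(subkey_hex)
    except ValueError:
        return False  # malformed record
    # Reject records with unexpected sizes or an abusive iteration count.
    if (len(salt) != SALT_BYTES or len(expected) != SUBKEY_BYTES
            or not 1 <= iters <= 10 * ITERATIONS):
        return False
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                    salt, iters, dklen=SUBKEY_BYTES)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, expected)
```

Storing the iteration count in the record lets the work factor be raised later without invalidating existing hashes.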
Data Encryption at Rest
All customer textual data is encrypted at rest using AES-256 encryption via a locally installed FIPS-certified encryption provider. This includes sensitive information such as company names, contact names, phone numbers, dashboard names, and sensor names.
Data Replication and Cloud Hosting
Data replication is performed hourly to a cloud provider, with transfers secured using TLS encryption. The replicated database remains encrypted at rest as described above. Our current provider is Microsoft Azure (South East Australia region). Their privacy policy is available at https://azure.microsoft.com/en-us/explore/trusted-cloud/privacy.
Alert Security: SMS and Voice
When alerts are sent via SMS or voice call, the message text is transferred via TLS to our messaging provider, who will have access to the unencrypted message. Our current provider is Twilio Inc. You can view their privacy policy at https://www.twilio.com/en-us/privacy. However, the contents of these messages do not contain any potentially sensitive information beyond the recipient number, the sensor name, and the current reading or sensor state.
Alert Security: Email
Email alerts are sent from an internal email server using SMTP over TLS (when supported by the remote server), without using a third-party service. Depending on your email configuration, the message may pass through multiple mail servers with or without encryption. However, the contents of these emails do not include sensitive information beyond the recipient's email address, the sensor name, and the current reading or sensor state.
Web Application Security
Telemetry2U uses a modern development framework that is resistant to SQL injection and cross-site scripting (XSS) attacks. All pages define a Content Security Policy (CSP) to further reduce the risk of web-based threats.
Transport Security
Telemetry2U enforces HTTP Strict Transport Security (HSTS) to ensure all connections use TLS (HTTPS).
System and Server Updates
The operating systems of all servers and networking devices are regularly updated to apply the latest security patches.
Firewall Configuration
All servers are configured with OS-level firewalls to restrict access to sensitive resources—such as database and network servers—to internal systems that require them.
A hardware firewall prevents direct external access to database and network servers. Only a minimal number of incoming ports are allowed, including HTTPS for web access and several data transport ports required for device protocols such as LoRaWAN, NB-IoT, and LTE. Data received on these ports is heavily validated and authenticated to ensure only authorised access is allowed. The software that receives this data is developed using languages and frameworks resistant to buffer overflow and similar attacks.
Threat Detection and Intrusion Prevention
The hardware firewall is configured to automatically detect and block threats such as port scanning and flooding attacks.
An active threat detection system scans for penetration attempts, including SQL injection and unauthorised port access. When such attempts are detected, the source IP address is automatically blocked via the hardware firewall. The system logs and reports events in case further escalation is required, such as blocking IP address ranges.
User Level Security
User Roles and Permissions
Telemetry2U allows administrators to assign specific roles to users, each providing access to different features within the platform. Roles include Actions Admin, Add Annotations, Alert Admin, and others. For example, the Actions Admin role enables users to create downlink command lists that can be triggered by sensor events or schedules. This ensures each user only has access to the functions relevant to their role.
Node Access Control
Users can only be granted access to nodes that are already available under the administrator's account. Node-level access is controlled manually, and additional access can only be added by an authorised administrator. This limits visibility and control over devices to approved users only.
Default Access Restrictions
When a new user is invited to join an account, they are not given access to any nodes or features by default. Administrators must explicitly assign roles and permissions before the user can interact with platform data or functions. This approach helps ensure that access is intentional and controlled.
User Responsibilities
All users are responsible for maintaining the security of their login credentials and ensuring their account is not shared. Suspicious activity should be reported to the account administrator or Telemetry2U support. Users must comply with the platform’s acceptable use policies at all times.
Audit Logging
If 21 CFR Part 11 has been enabled, Telemetry2U maintains detailed audit logs of user actions, including logins, configuration changes, and administrative events. These logs can be downloaded and reviewed by administrators to ensure compliance and detect potential misuse or unauthorised activity.