
Data Encryption

AES-256 at rest. TLS 1.3 in transit. Always.

Your owners' energy data travels through secure channels and rests behind military-grade encryption. Every byte is protected - from the moment it leaves their device until it's safely stored in our infrastructure.

At Rest: AES-256
In Transit: TLS 1.3
Backups: Encrypted
Legacy: Disabled

Why Encryption Is Non-Negotiable

Energy data is intimate. It reveals when owners are home, their daily routines, and their financial standing. Payment information is sensitive. Personal details are private. This isn't data that can afford to be exposed in a breach.

Encryption transforms readable data into indecipherable noise. Even if an attacker somehow gained access to our storage systems, they'd find nothing but scrambled bits - useless without the encryption keys we guard separately. It's the difference between a burglar finding your valuables versus finding an impenetrable safe.

How Your Data Stays Protected

1. Owner's Device: data encrypted before leaving (TLS 1.3)
2. In Transit: encrypted tunnel to servers (TLS 1.3)
3. Our Servers: decrypted only for processing (internal)
4. Storage: AES-256 encrypted at rest

Encryption in Transit

When data moves between systems - from an owner's phone to our servers, between our services, or to third-party integrations - it travels through encrypted tunnels that prevent eavesdropping.

Supported: TLS 1.3; TLS 1.2 (compatibility)
Blocked: TLS 1.0, TLS 1.1, SSLv2 / SSLv3

What This Covers

API calls, web sessions, mobile apps, webhooks, email

Encryption at Rest

When data is stored - in our databases, file systems, or backup archives - it's encrypted with AES-256, the same standard used by the U.S. government for classified information.

AES-256: Advanced Encryption Standard with 256-bit keys

2^256 possible key combinations - more than atoms in the observable universe

Computationally infeasible to break with current or foreseeable technology

What's Encrypted

Owner personal data, payment information, documents & files, communication logs, audit trails

Keys Guarded Separately

Encryption is only as strong as the protection of its keys. If encrypted data and keys are stored together, an attacker who breaches one has breached both. That's why we separate them.

Our encryption keys live in AWS Key Management Service (KMS) - a dedicated, hardened service backed by hardware security modules (HSMs). Keys never leave this protected environment. When data needs encryption or decryption, the operation happens inside KMS; the raw key is never exposed to our application code.

Keys rotate automatically on schedule. Access to key operations is logged and audited. No individual can directly retrieve a key - the system enforces separation of duties at every level.

AWS KMS, HSM-backed, automatic rotation, full audit log, no direct access

Backups Are Encrypted Too

A backup that isn't encrypted is a liability. All Firm App backups receive the same AES-256 protection as live data, with additional safeguards.

Encrypted at Rest

AES-256 encryption on all backup archives - the same standard protecting live data.

Geographically Distributed

Backups stored across multiple US regions, 2,000+ miles apart, for disaster resilience.

Immutable Storage

Once written, backups cannot be modified or deleted - protection against ransomware.

US-Based Only

All backup storage remains within United States borders for data sovereignty.

[Diagram: Session 1, Session 2, Session 3 - each session uses a unique, temporary key]

Perfect Forward Secrecy

Traditional encryption uses the same key over time. If that key is ever compromised - even years later - an attacker could decrypt all historical communications they've captured.

Perfect Forward Secrecy eliminates this risk. Each connection negotiates a unique, temporary session key. When the session ends, the key is discarded. Even if our long-term keys were somehow exposed, previously recorded traffic would remain unreadable.

Our TLS configuration prioritizes ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) key exchange, which provides forward secrecy for every connection.

What Encryption Stops

Data Breach Impact

If attackers breach storage systems, they find only encrypted data - indecipherable without keys stored separately. Your owners' information remains protected even in worst-case scenarios.

Man-in-the-Middle

TLS encryption prevents attackers from intercepting data in transit. They can't read, modify, or inject malicious content into communications between users and our servers.

Insider Threats

Even internal team members can't read raw customer data. Encryption ensures that database administrators see only encrypted blobs, not the sensitive information within.

Physical Theft

If storage hardware were physically stolen, encryption renders the data useless. Without access to our key management systems, the drives contain only random noise.

Technical Specifications

TLS Cipher Suites

TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256

Prioritizing authenticated encryption with forward secrecy
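The transit policy stated on this page (TLS 1.2 minimum, TLS 1.3 suites, ECDHE key exchange and AEAD ciphers only), expressed as an added Python check rather than Firm App's own configuration; the rule set, the function names and the legacy counter-example are constructed for illustration and rely only on the standard library's ssl module and the OpenSSL it is linked against.

```python
import ssl

# The policy this page states (TLS 1.2 minimum, TLS 1.3 preferred, AEAD suites only, ECDHE for
# forward secrecy) expressed as constructed rules; this is not Firm App's real configuration.
MIN_VERSION = ssl.TLSVersion.TLSv1_2
# OpenSSL cipher string for the TLS 1.2 suites allowed: ECDHE with AES-GCM or ChaCha20-Poly1305.
# TLS 1.3 suites (TLS_AES_256_GCM_SHA384 etc.) are governed separately by OpenSSL and stay enabled.
TLS12_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL"

def build_server_context() -> ssl.SSLContext:
    """Server context enforcing the policy; loading the certificate chain is left to the caller."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_VERSION  # refuses SSLv3, TLS 1.0 and TLS 1.1 at the handshake
    ctx.set_ciphers(TLS12_CIPHERS)
    return ctx

def build_legacy_context() -> ssl.SSLContext:
    """Counter-example: every suite the linked OpenSSL knows stays negotiable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL")
    return ctx

def cipher_violation(info: dict):
    """Policy check for one SSLContext.get_ciphers() entry: None if acceptable, else the reason.
    TLS 1.3 suites report kea 'kx-any' because their key exchange is always ephemeral (EC)DHE."""
    if info["protocol"] not in ("TLSv1.2", "TLSv1.3"):
        return "usable below TLS 1.2"
    if not info["aead"]:
        return "not authenticated encryption (AEAD)"
    if info["protocol"] != "TLSv1.3" and info["kea"] != "kx-ecdhe":
        return "no forward secrecy (key exchange %s)" % info["kea"]
    return None

def audit_context(ctx: ssl.SSLContext) -> dict:
    """Check the minimum version and every negotiable suite; list allowed names and violations."""
    violations, allowed = [], []
    if ctx.minimum_version < MIN_VERSION:
        violations.append(("minimum_version", "legacy protocol versions still enabled"))
    for info in ctx.get_ciphers():
        reason = cipher_violation(info)
        if reason:
            violations.append((info["name"], reason))
        else:
            allowed.append(info["name"])
    return {"allowed": allowed, "violations": violations}

if __name__ == "__main__":
    report = audit_context(build_server_context())
    print("allowed:", ", ".join(report["allowed"]))
    print("violations:", report["violations"] or "none")
```

Run against a hardened context the audit lists only ECDHE or TLS 1.3 AEAD suites; run against the legacy context it reports the static-RSA and non-AEAD suites that the page's policy excludes.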

Certificate

Provider: Sectigo (PositiveSSL)
Key: 2048-bit RSA
Signature: SHA-256
Renewal: Automated

Database Encryption

Engine: MongoDB
Algorithm: AES-256-CBC
Key Management: AWS KMS
Rotation: Automatic

Password Handling

Passwords are hashed, not encrypted, using bcrypt with a high work factor. Even we cannot retrieve original passwords; verification works by hashing the submitted password and comparing the result with the stored hash.

Questions About Our Encryption?

Our security team is available to discuss encryption standards, provide technical documentation, or answer compliance questions.