Skip to Content
Security & TrustSecurity FAQ

Security FAQ

Pre-filled answers to the questions a security reviewer is most likely to ask, in the format of a vendor self-assessment.

Can TAPP send commands to or modify equipment control systems?

No. TAPP reads equipment data using Modbus TCP read function codes (FC3/FC4) only. Write function codes (FC6/FC16) are never issued. Beyond that, the TAPP Gateway is a one-way data transfer gateway: data travels only outward from the equipment side, and there is no return path for any signal to reach a control system. That one-way behavior is built into the hardware, not a software setting, and cannot be overridden remotely.

Are equipment control systems connected to the customer network?

No. A control system’s only connection is a direct wired link to the equipment side of the TAPP Gateway. The equipment side is isolated from the customer network by the one-way TAPP Gateway. There is no path from the customer network to any connected control system — whether it’s a boiler, a chiller, a water chemistry controller, or other critical equipment.

What happens if the TAPP Gateway is compromised?

The equipment side stays isolated regardless of software state. The gateway’s one-way data transfer is a property of the hardware, so even if the TAPP software were modified (which requires physical access at the equipment), no signal can travel back toward the equipment side. The controls side cannot be reached remotely under any circumstances.

Does TAPP require any inbound firewall rules?

No. All TAPP traffic is outbound-initiated. The Network Router establishes outbound connections to AWS IoT Core (TCP 8883) and to Tailscale for remote management (TCP 443 or UDP 41641). No inbound rules are required, and TAPP does not listen for inbound connections.

What does TAPP’s remote access tunnel do exactly? Can TAPP reach our network?

TAPP uses Tailscale  (a WireGuard-based mesh VPN) to remotely access the Network Router only — for configuration and diagnostics. The tunnel is outbound-initiated from the router and does not expose any inbound port on the customer network. TAPP’s access is scoped to the Network Router itself using Tailscale access controls ; the tunnel cannot cross the one-way TAPP Gateway or reach any other device on the customer network. If required, the tunnel can be configured to run exclusively over the cellular backup uplink so it never touches the customer network at all. See Remote Access for full details.

What data does TAPP transmit off-site?

Equipment performance telemetry only — controller data (for a boiler, that includes combustion data, operational state, faults and alarms), plus wireless sensor readings (vibration, temperature, pressure/current) from other equipment. No process recipes, no control logic, no personnel data, no IT system data. See Data & Telemetry for the full category list.

Where is TAPP data stored?

AWS (US region). Sub-processor: Amazon Web Services. Data is encrypted in transit (TLS) and at rest per AWS default encryption.

Who owns the data TAPP collects?

Data ownership and permitted use are defined in the data agreement executed as part of the customer contract. Contact your TAPP project manager for the current data agreement template.

How does the wireless sensor network work?

TAPP’s wireless sensors form a 900 MHz XBee radio network (Digi sub-GHz radio). Each sensor is a self-contained measurement node that reports vibration, temperature, or pressure/current readings to a receiving radio on the Network Router. The network is used to instrument tanks, motors, pumps, and other rotating or process equipment where running wire is impractical. The 900 MHz ISM band is chosen for industrial environments because it offers longer range and much better penetration through walls, metal, and dense equipment than 2.4 GHz. The entire wireless network lives on the network side of the TAPP system — it has no connection to any equipment control system or to the equipment side of the TAPP Gateway.

Does TAPP use Zigbee for wireless sensors?

No. TAPP uses 900 MHz XBee radio (Digi sub-GHz protocol). Zigbee operates at 2.4 GHz and is a different protocol. The 900 MHz band provides better range and wall penetration in industrial environments.

The wireless sensors run on an isolated 900 MHz XBee radio network that is physically confined to the network side of the TAPP system — it has no path to the equipment side or to any control system. Because the sensors are read-only and carry only equipment-health telemetry, the worst-case impact of interference or jamming is a false or missing sensor reading; it cannot affect equipment operation or safety. Radio-level encryption is evaluated on a per-deployment basis for sensitive environments.

What network segment should TAPP be placed on?

The BMS or building-management VLAN. TAPP does not require access to corporate IT infrastructure. It presents as a single device with one MAC address and accepts DHCP or static IP assignment.

Does TAPP have a SOC 2 report or other compliance certification?

TAPP is an OT/IIoT system, not a SaaS business application. Its security posture is built around hardware-enforced isolation (the one-way TAPP Gateway), encrypted data transmission, and a minimal network footprint — appropriate to its role as an edge monitoring device. Formal cloud-compliance certifications (SOC 2, ISO 27001) are not currently applicable to this product category. AWS, as the cloud sub-processor, maintains its own compliance certifications.

What is the patch and update process for TAPP devices?

TAPP Gateway software updates are applied via USB by a TAPP technician during scheduled maintenance. Remote configuration changes to the Network Router are made via the Tailscale management tunnel. No automatic or unattended software updates are pushed to site without coordination with the customer.

Last updated on