Skip to Content
Security & TrustThe TAPP Gateway

The TAPP Gateway

The TAPP Gateway is the device that stands between your critical equipment and everything else. It is what makes it safe to monitor equipment that must never be exposed to a network. This page explains, at a high level, what the TAPP Gateway does and why its one-way design is the foundation of TAPP’s security posture. For the full site topology, see System Architecture.

What It Is

The TAPP Gateway is a one-way data transfer gateway. Equipment control systems connect to its equipment side; TAPP’s cloud connectivity lives on its network side. Equipment data flows from the equipment side out to the network side — and nothing flows back.

A helpful way to picture it is a check valve for data (we call this the Digital Checkvalve): just as a check valve in a piping system lets fluid move in one direction and mechanically prevents it from reversing, the TAPP Gateway lets equipment data move outward and prevents anything from moving back toward the equipment.

How Data Moves Through It

Data flows one direction only — from the equipment side, through the TAPP Gateway, to the network side, with no return path back to the equipment side.

Data moves left to right only. There is no return path from the network side to the equipment side — not for a command, not for a configuration change, not for any signal at all.

Why One-Way Matters

Most monitoring products create a two-way connection to the equipment they watch — which means the same link that carries data out can, in principle, carry something in. The TAPP Gateway removes that possibility by design:

  • No inbound commands. Nothing on the network side — or anything beyond it, including the internet — can send a command, write a value, or change a setting on a connected control system.
  • Independent of software. The one-way behavior is a property of the hardware, not a software setting. It cannot be reconfigured, disabled, or overridden remotely, and it holds regardless of the software’s state.
  • No remote path to controls. The equipment side is reachable only by physical presence at the equipment. There is no network route to it from anywhere.

The TAPP Gateway’s one-way design is what lets TAPP read from safety-critical equipment without becoming a way into it. Even in a worst case where TAPP’s own software were tampered with — which requires physical access at the equipment — there is still no path back toward the equipment side.

What It Does Not Do

  • It does not connect equipment control systems to your network.
  • It does not accept inbound connections of any kind.
  • It does not issue control commands — TAPP reads equipment data using read-only requests (see System Architecture for the Modbus detail).

Where It Fits

The TAPP Gateway handles the controls / critical path. A second device, the Network Router, handles internet egress and the wireless sensor radio. The two-device layout and the full data path are described in System Architecture.

Last updated on