The TAPP Gateway
The TAPP Gateway is the device that stands between your critical equipment and everything else. It is what makes it safe to monitor equipment that must never be exposed to a network. This page explains, at a high level, what the TAPP Gateway does and why its one-way design is the foundation of TAPP’s security posture. For the full site topology, see System Architecture.
What It Is
The TAPP Gateway is a one-way data transfer gateway. Equipment control systems connect to its equipment side; TAPP’s cloud connectivity lives on its network side. Equipment data flows from the equipment side out to the network side — and nothing flows back.
A helpful way to picture it is a check valve for data (we call this the Digital Checkvalve): just as a check valve in a piping system lets fluid move in one direction and mechanically prevents it from reversing, the TAPP Gateway lets equipment data move outward and prevents anything from moving back toward the equipment.
How Data Moves Through It
Data moves left to right only. There is no return path from the network side to the equipment side — not for a command, not for a configuration change, not for any signal at all.
Why One-Way Matters
Most monitoring products create a two-way connection to the equipment they watch — which means the same link that carries data out can, in principle, carry something in. The TAPP Gateway removes that possibility by design:
- No inbound commands. Nothing on the network side — or anything beyond it, including the internet — can send a command, write a value, or change a setting on a connected control system.
- Independent of software. The one-way behavior is a property of the hardware, not a software setting. It cannot be reconfigured, disabled, or overridden remotely, and it holds regardless of the software’s state.
- No remote path to controls. The equipment side is reachable only by physical presence at the equipment. There is no network route to it from anywhere.
The TAPP Gateway’s one-way design is what lets TAPP read from safety-critical equipment without becoming a way into it. Even in a worst case where TAPP’s own software were tampered with — which requires physical access at the equipment — there is still no path back toward the equipment side.
What It Does Not Do
- It does not connect equipment control systems to your network.
- It does not accept inbound connections of any kind.
- It does not issue control commands — TAPP reads equipment data using read-only requests (see System Architecture for the Modbus detail).
Where It Fits
The TAPP Gateway handles the controls / critical path. A second device, the Network Router, handles internet egress and the wireless sensor radio. The two-device layout and the full data path are described in System Architecture.