How Scadable Protects Your Data
Security isn't a feature you enable in Scadable. It's on by default the moment your gateway connects. Every connection is encrypted, every certificate is managed automatically, and every action is logged for compliance. You don't configure any of this. It just works.
Encryption in transit
Every gateway connects to the cloud over mTLS-encrypted MQTT. Both sides present certificates and verify each other. No plaintext ever leaves the gateway. No shared passwords or API keys for device authentication.
Certificate lifecycle
The full lifecycle is automated. No human touches a certificate:
- Enrollment: the gateway generates a key pair on first boot, sends a CSR to the EST server, and receives a signed certificate
- Authentication: every MQTT connection uses mutual TLS with the enrolled certificate
- Rotation: before expiry, the gateway requests a new certificate using its current one
- Revocation: revoke a compromised gateway from the dashboard and it can no longer connect
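The lifecycle above, as an added Go example that is not Scadable's code and uses only the standard library: the fleet CA, the gateway id, the 30-day lifetime and the revoked-serial set are constructed for the example, and a real broker would consult the platform's revocation list rather than an in-memory map.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// newKey is the key pair a gateway generates on first boot; the private half never leaves the device.
func newKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
// sign issues tmpl under parent (pass tmpl twice for self-signed) and returns the parsed certificate.
func sign(tmpl, parent *x509.Certificate, pub interface{}, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// newCA is a constructed fleet CA standing in for the one behind the EST server.
func newCA(key *ecdsa.PrivateKey, now time.Time) (*x509.Certificate, error) {
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "fleet-ca"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	return sign(t, t, &key.PublicKey, key)
}
// issue is the EST server's step: a bounded-lifetime client-auth cert for the gateway key (serials are sequential here for brevity).
func issue(id string, pub *ecdsa.PublicKey, ca *x509.Certificate, caKey *ecdsa.PrivateKey, now time.Time, ttl time.Duration, serial int64) (*x509.Certificate, error) {
	return sign(&x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: id},
		NotBefore: now, NotAfter: now.Add(ttl), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca, pub, caKey)
}
// needsRotation is the gateway's trigger: renew (using the current cert) once less than window remains.
func needsRotation(cert *x509.Certificate, now time.Time, window time.Duration) bool {
	return now.Add(window).After(cert.NotAfter)
}
// verifyClient is the broker's per-connect check: not revoked, chains to the fleet CA, client-auth EKU, valid at now.
func verifyClient(cert, ca *x509.Certificate, now time.Time, revoked map[string]bool) error {
	if revoked[cert.SerialNumber.String()] {
		return errors.New("certificate revoked")
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```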
Offline resilience
If the internet drops, data buffers locally on the gateway and forwards when connectivity returns. No data is lost. The gateway continues operating independently until the connection is restored.
Audit logging
Every action is written to an immutable log:
- Gateway connections and disconnections
- Certificate enrollments and rotations
- SSH sessions (who, when, duration)
- OTA updates (version, status, rollback events)
- API key creation and revocation
- Configuration changes
- User logins and permission changes
- Command dispatches and responses
Query logs by time range, gateway, user, or event type through the API or dashboard. Logs are retained for compliance.
Access control
Users authenticate through Auth0 with a password or Google OAuth. Each user gets a role per project:
- Owner: full access, manage members, API keys, gateways, and settings
- Member: view gateways, telemetry, and logs; create API keys
- Guest: read-only access to telemetry and status
SSH access is granted per-user from project settings. API keys are scoped to specific projects and can be revoked at any time.
Vulnerability scanning
Scadable scans gateway firmware and OS packages against known CVE databases. The dashboard shows a security summary per gateway: installed packages, known vulnerabilities, and severity. Critical vulnerabilities are flagged. Push patches fleet-wide through OTA without waiting for a maintenance window.
What's coming
- HSM/TPM support for storing private keys in hardware
- Signed firmware images with cryptographic verification
- Network anomaly detection for unusual traffic patterns
- SOC 2 compliance documentation
Next steps
- Your First Gateway: get your first gateway online in 3 minutes
- How Scadable Moves Your Data: the full device-to-cloud pipeline
- API Reference: REST API for telemetry, commands, and fleet management
