Developer Portal
Documentation
Tools
Connector Guides
Gateway Setup & Administration
Support & Policies
Getting Help
Support Policy
API Use Policy
Security Whitepaper
API ReferenceConsole

Security Whitepaper

Introduction

Mapped provides a single point of control for all your IoT data, which provides significant benefits to data management and control compared to having many vendors sending your data to a variety of unknown locations. The Mapped platform, gateway, and API are all designed from the ground up with security as a top priority. We take our data custodial responsibility seriously and do everything we can to ensure you control where your data goes and who has access to it. Compromised IoT data is a valid and ever-growing concern, and we’re dedicated to ensuring your risks are mitigated to the absolute lowest levels possible.

We are committed to using the latest, strongest encryption technologies, and also run frequent audits of our systems to ensure we protect against both emerging and existing threats. Mapped is also committed to upholding the highest level of privacy and confidentiality. We work to protect your data from unauthorized access and proactively monitor for any attempts to compromise our systems. All of our security is handled in-house, including code and product reviews by our CEO, CTO, engineering team, and operations personnel – all of whom are dedicated to maintaining the security of your data.

Application security

Governance of information and data security is a shared responsibility and starts at the top – both the CEO and CTO, along with senior engineering, are responsible for proactive review and audit of all products and processes to ensure the highest level of security possible. This includes code review as well as less engineering-oriented areas like employee hiring and onboarding.

Architecture & development process

The Mapped platform, gateway, and API architecture are all structured to segment the presentation layer from data storage. Mapped follows well established industry best practices for development, with all source code stored in a repository with versioning control. Access to repositories is restricted, with rights granted only to personnel with a clear need for access. All code check-ins are reviewed to ensure all necessary security measures are in place prior to merging. Our automated and manual testing processes include not just feature validation and regression testing, but security best practices such as static source code analysis, fuzz testing, and periodic penetration tests as well.

Our deployment processes are fully automated and follow secure processes to avoid the risk of human error through manual deployments. If a critical error makes it to production, we have fall back mechanisms in place to easily return to a stable release.

Internal tooling

All of our internal tools, processes, and data access points have security at the forefront. We use two-factor authentication and restrictive role-based access controls that default to deny-all. Only employees with valid access needs receive the necessary role to access data or perform actions that can impact customer records (such as the ability to edit user and organization information, including resetting passwords). Anyone that does not need access, does not receive the role(s) necessary and do not have avenues to retrieve or manipulate customer data.

Data security

Data in transit & at rest

All communication between a user’s browser and our API or the Mapped Console (through our website) utilizes TLSv1.2+. All data transmitted from our in-building gateway to the Mapped Cloud utilizes Mutual Transport Layer Security (mTLS) and only mTLS. More on Mutual Authentication can be found here. The Mapped Gateway has no open ports, no remote access capabilities, and utilizes only necessary root Certificate Authorities. The Mapped Gateway also utilizes a hardware root of trust to secure client certificates used for Mapped Cloud authentication; more information on hardware root of trust can be located here.

All Mapped data storage utilizes Microsoft Azure’s multilayered security for protection while at rest. Additionally, Mapped uses Azure’s multiple availability zones and multiple regions for full redundancy, and data is backed up daily at minimum.

Authentication

All user authentication to the Mapped Console is processed through Auth0. Mapped API access is authenticated through Personal Access Tokens (“tokens”). Only authenticated users are able to generate tokens for use with the API, and once generated, tokens can not be accessed a second time. Tokens can be generated with limited scope to reduce potential for harm if a token is exposed and can be revoked at any time by the authenticated user that created them. Additionally, internal tooling exists to revoke tokens as needed if compromised or unusual/abusive traffic patterns are detected.

User & Organization administration

The Mapped Console utilizes role-based access control to provide organization admins with the ability to self-manage their users and org information, including creating users and granting them roles/permissions.

Network security

Network segmentation & redundancy

The Mapped network infrastructure segments the development environment from the production environment to prevent any changes to unreleased builds from affecting live applications. The network is also set up for redundancy, with each environment available in different zones and regions through our hosting provider.

Monitoring & logging

All Mapped environments are monitored 24x7x365 with multiple established alerts and probes to ensure issues are identified quickly, with paging schedules to reach on call engineers in the event of an incident.

Physical security

All Mapped services run on industry leading cloud hosting providers, which inherently provide threat detection and multi-layered security. This includes built in security controls and embedded protections against threats like DDoS.

Conclusion

Mapped provides a single point of control for all your IoT data, as opposed to having many vendors sending your data to a variety of unknown locations. We provide clear role-based access control and data flow visibility to ensure you know how your data is being accessed and by who. Our platform, gateway, and API are all designed from the ground up with security as a top priority, and we will utilize the latest and strongest security protocols available to prevent unauthorized access to your data whether in transit or at rest. We consistently audit our product to proactively eliminate security risks and monitor for any attempts to compromise our platform. Mapped is committed to the safety of your data at every level of the company, and we are confident in our ability to protect it.