For Self-Hosted / Customer-Owned Cloud or On-Premise Deployments

DeviceBoard is designed with a security-first architecture, enabling organizations to deploy the platform inside their own private cloud, edge data center, or on-premises infrastructure, while maintaining full control over data, access, encryption, and compliance.

This document outlines the security, privacy, and data protection capabilities that DeviceBoard provides by default.

DeviceBoard can be deployed securely in:

• Private Cloud (AWS, Azure, GCP, OCI)
• On-Premise Datacenters
• Virtualized environments (VMware, Proxmox, OpenStack)
• Bare-metal high-availability clusters

Customers maintain full control of:

• Network isolation
• Storage security
• Encryption keys
• Access to logs & audit trails
• Compliance policies

DeviceBoard’s architecture supports:

✔ Role-isolated microservices
✔ Segregated device data pipelines
✔ Secure API communication
✔ Multi-layer firewall architecture
✔ Tenant/Hub-level access boundaries

DeviceBoard includes Secure Device Firmware Update (SDFU):

• Encrypted firmware storage
• SHA-256 checksum verification
• Secure download channels
• PKI-based signature validation
• Audit-tracked firmware rollout
• Staged deployment with rollback
• Role-based approval flows

This prevents unauthorized or malicious firmware updates.

DeviceBoard provides configurable policies for:

• Data retention (per device / model / type)
• Auto-expiration of telemetry
• Archiving to external storage (S3, Azure Blob, NFS)
• Granular backup/restore settings

Customers can satisfy internal regulatory or compliance needs.

DeviceBoard logs:

• User activity (logins, access, permission changes)
• Device commands & RPC execution
• Firmware update actions
• Alarm lifecycle logs
• API access logs
• Configuration changes
• Errors & exceptions
• RulesFlow execution logs

Audit logs are:

• Immutable
• Exportable
• Searchable
• Integratable with SIEM (Splunk, ELK, Azure Sentinel)

DeviceBoard supports multiple segmentation models:

• Hub-level dataset isolation
• Client-level dataset isolation
• Device-group and asset-group isolation
• Multi-role feature visibility
• No cross-access between clients

Perfect for OEMs, service providers, and regulated organizations.

DeviceBoard supports fully redundant deployments with:

• Multi-node clustering
• Load balancing for API & MQTT
• Failover for database clusters
• Hot standby capability
• Automated backups
• External storage replication

All critical components can be backed up and restored by the customer.

DeviceBoard implements multiple privacy principles:

✔ Data Minimization
Store only required telemetry & metadata.

✔ Controlled Data Sharing
No sharing unless configured.

✔ Local-only Data Storage
All data stays inside the customer’s environment.

✔ Configurable Data Masking
Mask sensitive values at:

• Ingestion
• Storage
• Dashboard visualization
• API output

✔ Data Export Monitoring
Export actions recorded in audit logs.

Since DeviceBoard runs in customer infrastructure:

Customers Control:

• Who accesses data
• How long data is stored
• How backups are maintained
• Whether data is encrypted with internal KMS
• Network segmentation
• Security standards & policies

DeviceBoard Does Not:

• Collect telemetry externally
• Backup data outside the customer environment
• Access device information
• Send analytics or AI results externally

DeviceBoard offers enterprise-grade, fully self-hosted IoT security & privacy architecture, providing:

✔ Complete customer control over data
✔ End-to-end encryption
✔ Strong RBAC + ABAC
✔ Secure firmware updates
✔ Device-level authentication
✔ Audit logging & compliance monitoring
✔ Isolation of devices, clients & hubs
✔ No external telemetry flow
✔ Secure connectivity across all protocols
✔ Full on-premise or private cloud deployment

DeviceBoard is designed for organizations requiring maximum security, privacy, and regulatory compliance across large-scale industrial IoT deployments.