Security for building environments

Trust & Security for Building Deployments

ClimaMind is designed for secure deployment in customer building environments, with controlled edge-to-cloud communication, customer-approved BAS connectivity, and auditable operating records.

Deployment Architecture

The architecture separates customer users, ClimaMind cloud services, the edge device, and the customer BAS while keeping every production path explicit.

| Component | Boundary | Responsibility |
| --- | --- | --- |
| Customer Users | Internet Boundary | Authorized customer users access the dashboard over TLS. |
| ClimaMind Dashboard | ClimaMind Cloud | Customer-facing application for authorized site views and security review materials. |
| ClimaMind Internal Services | ClimaMind Cloud | Backend services that support authentication, site data processing, audit records, and controlled update packaging. |
| Secure Cloud Gateway | ClimaMind Cloud | Validates edge device communication, telemetry upload, and approved update delivery. |
| Site Data Store | ClimaMind Cloud | Encrypted production store for customer-approved site data and operating records. |
| ClimaMind Edge Device | Customer Site | Customer-site device that communicates outbound to ClimaMind services and runs local optimization logic. |
| Customer BAS | Customer Site | Customer building automation system; connectivity uses approved paths, point mappings, reads, and allowlisted writes. |

Data Protection

Deployment security focuses on site data, dashboard access, operational configuration, and edge telemetry.

  • Public website and published security overview material are treated as public information.
  • Non-public operational notes and implementation details are treated as internal information.
  • Customer site metadata, building telemetry, dashboard data, diagnostics, support context, and customer configuration are treated as confidential information.
  • Credentials, certificates, API tokens, and signing material are treated as restricted secrets.
  • Application and system-to-system transmission of internal and confidential information uses encrypted transport.
  • Restricted secrets are held in AWS Secrets Manager.
  • Production access is role-based and limited to operational need.

Data classification and handling

| Classification | Examples | Encrypt at rest | Encrypt in transit | Handling |
| --- | --- | --- | --- | --- |
| Public | Public website content, published marketing materials, public documentation | - | - | Approved for external distribution. |
| Internal | Non-public operational notes, implementation details, non-customer internal planning | - | Yes | Limited to ClimaMind personnel and approved collaborators; encrypted transport is used for application and system-to-system transmission. |
| Confidential | Customer site metadata, building telemetry, dashboard data, diagnostics, support context, customer configuration | Yes | Yes | Access-controlled; encrypted in transit and at rest; used only for customer delivery, support, operations, and approved analysis. |
| Restricted | Credentials, secrets, device identity material, BAS access details, control-write authorization data | Yes | Yes | Stored in AWS Secrets Manager; encrypted in transit where transmitted; access is tightly restricted. |

Edge Device Security

The edge device uses outbound, authenticated cloud communication and a narrow update path.

  • The edge device uses outbound-only communication to approved ClimaMind cloud endpoints.
  • TLS and certificate validation protect cloud communication.
  • Telemetry upload uses authenticated and signed communication.
  • Update delivery is versioned and uses an authenticated path.
  • Local runtime configuration limits services to the deployment role required at the customer site.
  • Versioned model and configuration updates retain a rollback path.

Edge operating model

Outbound cloud channel

Edge device initiates authenticated communication to approved ClimaMind endpoints.

Telemetry upload

Operational telemetry is authenticated and signed before cloud ingestion.

Validated update path

Model and configuration updates are versioned, validated, and retain rollback.

Local runtime limit

The device runs only the services required for its customer-site deployment role.

Building Control Safety

BAS connectivity is limited to customer-approved paths and points, with bounded control behavior.

  • Connectivity is limited to customer-approved BAS endpoints and point mappings.
  • BAS point mapping is reviewed before control is enabled.
  • Read-first deployment supports validation before any control action.
  • BAS writes are allowlisted and constrained to approved points.
  • Control actions preserve local BAS authority, operator workflows, and customer-defined operating constraints.
  • Rollback and fail-safe behavior preserve existing building operation.

BAS control boundary

Approved BAS path

Connectivity follows customer-approved BAS endpoints and point mappings.

Read-first validation

Read paths support validation before control actions are enabled.

Allowlisted writes

Writes are constrained to approved points and bounded control behavior.

Fail-safe posture

Rollback preserves existing BAS authority and normal building operation.

Remote Support Access

Remote support is explicit, time-bounded, and aligned with customer site policy.

  • No standing remote administration tunnel is required for normal deployment.
  • No default standing VPN, SSH, or RDP path is required for deployment.
  • Support uses customer approval and can rely on fixed source IP, certificate validation, or on-site access.
  • Support sessions are approved for the task and time window.
  • Remote support activity is logged with the same operating evidence model as other security-relevant events.

Support access mode

Customer approval

Support access is approved for a defined task and time window.

Access method

Support can use fixed source IP, certificate validation, or on-site access.

No standing tunnel

Normal deployment does not require a default standing VPN, SSH, or RDP path.

Session evidence

Support activity is logged as a security-relevant operating event.

Audit Records

Security-relevant events are recorded in ClimaMind cloud systems or a customer-designated evidence location when required by deployment.

  • Audit records are organized around event categories that matter to IT and OT review.
  • Dashboard authentication and administrative access.
  • Deployment configuration changes and model or configuration updates.
  • Telemetry upload status, update delivery events, and edge-to-cloud authentication events.
  • BAS write attempts, approved control actions, and remote support sessions.
  • Records are stored in ClimaMind cloud systems or exported to a customer-designated evidence location when required by deployment.

Audit evidence categories

Access events

Dashboard authentication and administrative access are recorded.

Change events

Deployment configuration changes and model or configuration updates are recorded.

Edge events

Telemetry upload, update delivery, and edge-to-cloud authentication events are recorded.

Evidence location

Records are stored in ClimaMind cloud systems or exported to a customer-designated location.

Review Packet

The Customer Security Overview PDF provides a compact review artifact for IT and OT stakeholders.

  • The PDF is a review artifact for customer IT, OT, security, and facilities stakeholders.
  • Covers deployment boundary, data protection, edge device controls, BAS safeguards, audit records, and remote support access.
  • Summarizes what is customer-facing without exposing internal implementation workflows.
  • Supports security intake, vendor review, and deployment planning conversations.
  • Built for customer security review without exposing internal implementation process.

Review artifact coverage

Review artifact

The PDF is prepared for customer IT, OT, security, and facilities stakeholders.

Deployment boundary

The packet summarizes cloud, edge, site data, and BAS separation.

Operating controls

The packet covers data protection, edge controls, BAS safeguards, and audit records.

Customer-facing scope

The packet supports review without exposing internal implementation workflows.
