Security & Data Ownership
Your data and control path stay on-site —
within a defined operating boundary.
This page is written for the person who has to say yes: OT, IT, controls, procurement. It states what Modulink does, what it deliberately does not do, and where the line between our responsibility and yours sits. No certification theater — the “what we do not claim” section is below, in writing.
Architecture & Data Flow
Everything runs on an on-site Base Station.
One ARM64 server on your premises runs the entire stack. There is no vendor cloud in the loop — not for storage, not for dashboards, not for control.
Data flows Terminal → Base Station → (only if you configure it) your systems. Never Terminal → internet.
No phone-home
The platform makes no outbound connections on its own. No telemetry sharing, no usage analytics, no license check-ins over the internet.
Air-gap capable
Designed to run with no internet connection at all. Normal operation requires zero outbound connectivity.
Single-tenant
One Base Station per site, serving only your site. Your data never shares a database with anyone else’s.
Local historian
Every reading is stored on the Base Station, on your premises, on hardware you own. Retention is your policy, on your disk.
Full component breakdown on the Platform page. Commissioning flow on the Deployment page.
Identity & Access
Who can do what, and a record of what they did.
JWT authentication
Token-based auth with refresh cookies on the operator UI and API. Optional OIDC lets you plug the Base Station into your existing identity provider.
Role-based access control
Three roles — Admin, Operator, Viewer. Control actions and configuration changes are gated by role, not by convention.
Audit log
Configuration changes and control actions are recorded on the Base Station, where your team can review them — not in a vendor cloud.
There is no built-in vendor remote-access channel. If you want us to support the system remotely, that happens over access you provide and control — and can revoke.
Transport
Encryption where it exists,
trust decisions where they exist.
Most vendors answer the transport question with a wall of acronyms. Here is ours, hop by hop — including the hop that is a decision about your network rather than a cipher.
TLS on the web interface, served by the Base Station on your network.
AES-128 encryption on the LoRa radio link (LoRaWAN, US915), Terminal to Base Station.
Terminal Indi traffic rides your private on-site network (2.4 GHz Wi-Fi or LAN) to the Base Station broker. Broker transport on the local network is a site-network trust decision: we recommend a dedicated, segmented VLAN or SSID for Modulink devices, and we do not claim mutual TLS on every internal hop.
Updates
Operator-controlled. Nothing updates itself.
The Base Station does not auto-update and does not call home to check for updates. Software updates are applied on your schedule, by your team or with our support, as a deliberate maintenance action. Terminal firmware updates are likewise operator-initiated — never a background process. In an air-gapped deployment, updates become an offline procedure you run.
Backups & Recovery
Backup scripts ship with the Base Station. You run them.
Backup and disaster-recovery scripts for the Base Station ship with the system. They are operator-run: you decide the schedule, where copies live, and how often you test a restore. We do not hold a copy of your data, so we cannot restore it for you — that is the point of self-hosting, stated honestly.
The Control Boundary
Non-safety-critical control only. The radio is never in the safety path.
Safety trips execute locally in Terminal firmware in under 500 ms. Communications are never in the safety path.
Modulink performs monitoring and non-safety-critical control: opening a valve, adjusting a motor, sequencing a cleaning stage. Safety logic — overpressure, overtemperature, and similar trips — lives in the Terminal’s firmware and executes on the device itself, without waiting on the radio link or the Base Station. If communications drop, the trip still fires.
What this means for your evaluation: Modulink is not a safety instrumented system, does not claim a SIL rating, and must not replace one. If a failure mode on your process requires a certified safety function, that function stays where it belongs — in dedicated safety equipment — and Modulink monitors alongside it.
Shared Responsibility
What we provide. What your site owns.
A self-hosted system moves control to you — and some responsibilities with it. Here is the split, so nobody discovers it during an incident.
The full Base Station stack — ingest, historian, dashboards, alerting — plus JWT auth, optional OIDC, RBAC, and the audit log.
Account lifecycle, credential policy, role assignments, and offboarding when people leave.
Documented ports and protocols, and a platform that makes no outbound connections on its own.
Network segmentation (VLAN/SSID for Modulink devices), firewall rules, and Wi-Fi credentials for the site network Indi rides on.
TLS on the operator UI; AES-128 on the LoRa link for Agri.
The trust posture of your local network, which carries Indi and broker traffic between segments you control.
Installation and commissioning documentation for Terminals and the Base Station.
Physical access control to the Base Station and Terminals — a server on your premises is protected by your locks.
Backup scripts that ship with the Base Station.
Running them: schedule, off-device copies, and restore drills are operator-run, on your terms.
Software releases and a documented update procedure.
When — and whether — updates are applied. Nothing updates itself.
What We Do Not Claim
Read this section before your vendor questionnaire does.
- No IEC 62443 certification. No NIST certification. We do not claim compliance frameworks we have not been independently assessed against.
- No claim of mutual TLS on every internal network hop. Transport on your local site network is a trust decision you make, with segmentation we recommend.
- No claim of suitability for safety-critical control. Modulink is not a safety instrumented system.
- No penetration-test badge or uptime SLA marketing numbers.
- What we do commit to: a security review of your specific site — network layout, segmentation, access model — is part of every deployment.
If a claim matters to your evaluation and it is not on this page, assume we do not make it — then ask us. We would rather answer a hard question in diligence than have you find the gap in production.
FAQ
The questions your security review will ask.
Does any telemetry leave my site?
No. The Base Station is an on-site server that runs the entire stack — telemetry ingest, historian, dashboards, alerting, user accounts. There is no vendor cloud and no phone-home. Data leaves your site only through egress interfaces you deliberately configure: MQTT, REST, Prometheus, or Modbus TCP at the Base Station.
Can Modulink run air-gapped?
Yes. The platform is designed to operate with no internet connection. Nothing in normal operation requires outbound connectivity. In an air-gapped deployment, software updates become an operator-managed offline procedure rather than a download.
Does Modulink have remote access to my system?
No. There is no built-in vendor remote-access channel and no backdoor. If you want us to provide remote support, that access happens over a mechanism you provide and control — such as your own VPN — and you can revoke it at any time.
Is Modulink certified to IEC 62443 or a NIST standard?
No. We hold no IEC 62443 or NIST certification and do not claim one. What we offer instead is an honest architecture description, a shared-responsibility model, and a security review of your specific site as part of every deployment.
Can Modulink perform safety-critical control?
No. Modulink is for non-safety-critical monitoring and control only. Safety trips — for example overpressure or overtemperature — execute locally in Terminal firmware in under 500 ms; the radio link and the Base Station are never in the safety path. Modulink is not a safety instrumented system and must not replace one.
Who owns the data?
You do. Every reading is stored on a Base Station you own, on your premises. Open egress interfaces (MQTT, REST, Prometheus, Modbus TCP at the Base Station) mean you can take your data anywhere, at any time, without asking us.
Put your OT and IT questions to us directly.
We’ll walk your team through the architecture, the data flow, and the shared-responsibility split for your specific site — a security review of your site is part of every deployment.