Security & Trust

Built for network data you can't afford to expose.

TekFidelityIQ handles sensitive Wi-Fi credentials, multi-tenant customer data, and AI-generated network intelligence. Here's how we protect it.

Security Controls

Six layers of protection, deployed and verified.

These aren't aspirational controls — they're the actual deployed architecture, backed by database migrations, middleware guards, and role-enforcement code.

Multi-tenant data isolation

Your clients' data never touches each other.

  • Row-level security (RLS) enforced on all database tables
  • Org-scoped queries — no cross-tenant SELECT is possible
  • Customer portal shows only that customer's sites and data
  • Engineer access scoped to assigned organizations only

Credential vault

SSID passwords and network credentials stay locked.

  • AES-256-GCM encryption at rest — key never stored with ciphertext
  • Decryption is server-side only — never exposed in API responses
  • Every reveal attempt fires 4 audit events: requested, approved, denied, or failed
  • Reveal requires password re-auth + TOTP/aal2 if MFA is enrolled; engineers cannot access

Append-only audit log

Every sensitive action is recorded and permanent.

  • Audit log is INSERT-only — no UPDATE or DELETE is permitted
  • Covers authentication, staff changes, billing, credential reveals, role changes
  • IP address and timestamp recorded for every sensitive operation
  • Full bilingual audit UI for non-English-speaking MSP operators

Human-approved AI outputs

AI surfaces findings. Humans approve actions.

  • RCA findings require explicit approval before engineer action
  • Low-confidence AI outputs are flagged — never auto-acted upon
  • No autonomous network change execution path exists
  • Remediation requests route to a human review queue, not direct execute

Edge Connector security

On-site agents use zero-knowledge token design.

  • Registration tokens are SHA-256 hashed — raw token shown once, then unrecoverable
  • Agent operates outbound-only via HTTPS — no inbound listener on your LAN
  • Token revocation via admin UI disables the agent immediately
  • Deployment supports containerized installation through a controlled image publishing path

Rate limiting & abuse prevention

API and authentication endpoints are protected against abuse.

  • Distributed rate limiting on all authentication and sensitive routes
  • Demo session cookies are HMAC-signed — tamper resets to no-session
  • Tighter per-IP limits on credential reveal and token endpoints
  • Middleware-level route guards — bypassing UI does not bypass auth

Enterprise AI: Bring Your Own LLM (BYO)

Enterprise customers can configure their own OpenAI or Azure OpenAI key in place of the platform default. BYO keys are encrypted at rest with AES-256-GCM and decrypted server-side only — they are never returned to the browser or logged. Managed by Platform Owners only; self-service is not available in this release.

AES-256-GCM encryption — same scheme as SSID vault
Key never returned to browser or written to logs
Per-org provider routing with explicit fallback policy
Health check endpoint — test without revealing key
Full audit trail: configured, rotated, disabled, health-checked
Silent fallback requires explicit opt-in per org

AI that surfaces findings. Humans who approve actions.

TekFidelityIQ's RCA engine and predictive analytics run on real telemetry only — never on simulated or fabricated data. Every AI output carries a confidence level. Low-confidence findings are flagged and require approval before an engineer can act. There is no auto-execute path. Network changes require a human in the loop, always.

RCA runs on verified telemetry only
Confidence scoring on every finding
Approval-required flag on low-confidence outputs
No autonomous network change execution

Compliance Readiness

Architecture that maps to major frameworks.

SOC 2 Type II prep
Audit log, access controls, and data isolation map directly to SOC 2 Trust Service Criteria.
NIST CSF 2.0 alignment
Controls span Identify, Protect, Detect, Respond, and Recover functions.
OWASP ASVS L1
Input validation, authentication, session management, and access control verified.
MSP data contracts
Per-tenant isolation architecture supports MSP customer data processing agreements.
Honest disclosure. TekFidelityIQ is an active product with a growing security program. The controls described here are deployed in production. Open items are tracked and disclosed proactively — current open items: BYO LLM self-service for customer admins (deferred; Platform Owner managed only in v1). Enterprise buyers requesting a full security review packet or shared evidence can contact us at the contact page.

Questions about our security posture?

We walk enterprise buyers and MSPs through our security architecture before any contract. No surprises, no boilerplate — just the actual controls.