Encryption

In Transit

• All API traffic encrypted via TLS 1.2+
• WebSocket connections use WSS (WebSocket Secure)
• Tailscale VPN uses WireGuard encryption for on-premise connectivity

At Rest

• PostgreSQL databases use encrypted storage
• SQLite databases on IoT Adapters should use file-level permissions
• Secrets stored in environment variables or secure secret managers