Four Non-Negotiable Rules
Every architectural decision we make follows these four principles. They're not aspirations — they're hard constraints.
Read-Only Access
Upstream AI never writes back to your SCADA system. Ever. We pull data via read-only protocols (OPC UA, MQTT). Your controls remain fully under your direct control at all times.
Air Gap Preserved
Your OT network remains air-gapped. Our Edge Agent sits in the OT-DMZ with one-way data flow outbound only. The internet cannot reach back into your SCADA.
End-to-End Encryption
All data in transit is encrypted with TLS 1.3. Data at rest in AWS is encrypted with AES-256. Your SCADA data never touches unencrypted storage or transmission.
Zero Vendor Lock-In
Your data is yours. Export it anytime as CSV, JSON, or SQL dump. Terminate service and the Edge Agent simply stops pulling data — zero impact on your SCADA operations.
How We Connect Without Compromising Security
Upstream AI uses industry-standard OT-DMZ segmentation — a buffer zone between your operational network and the internet. This is the same architecture recommended by EPA, CISA, and NIST for critical infrastructure.
Zero Trust Network Segmentation
What This Means in Practice
- Zero inbound connections: The internet cannot initiate any connection to your facility. All communication is initiated outbound from your network.
- No remote access: We don't use VPN, RDP, SSH, or any form of remote desktop. We can't "log in" to your systems.
- No open ports: Your firewall only needs to allow HTTPS (port 443) outbound to our AWS servers. No inbound ports are opened.
- IP allowlisting: You can restrict outbound traffic to our specific AWS IP ranges for additional security.
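An added example, not Upstream AI's own tooling: a short Python audit that checks an OT-DMZ firewall rule set against the network claims in the list above (no inbound connections from the internet, egress limited to TCP 443, egress restricted to allowlisted ranges). The zone names, the rule format and the 203.0.113.0/28 allowlist are assumptions made for illustration; substitute the ranges the vendor actually publishes.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: documentation range (RFC 5737) standing in for the vendor's
# published AWS IP ranges, which the page does not list.
ALLOWLIST = [ipaddress.ip_network("203.0.113.0/28")]

@dataclass(frozen=True)
class Rule:
    """One stateful firewall rule; describes who may initiate a connection."""
    action: str    # "allow" or "deny"
    src_zone: str  # hypothetical zone names: "ot", "ot-dmz", "internet"
    dst_zone: str
    proto: str     # "tcp", "udp" or "any"
    dst: str       # destination CIDR
    port: str      # single port as text, or "any"

def in_allowlist(cidr: str) -> bool:
    """True only if the whole destination network sits inside an allowlisted range."""
    net = ipaddress.ip_network(cidr)
    return any(net.version == a.version and net.subnet_of(a) for a in ALLOWLIST)

def audit(rules):
    """Return (rule_index, finding) for every allow rule that breaks a claim."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        if r.src_zone == "internet":
            findings.append((i, "inbound connection allowed from internet"))
        elif r.src_zone == "ot-dmz" and r.dst_zone == "internet":
            if (r.proto, r.port) != ("tcp", "443"):
                findings.append((i, "egress not limited to tcp/443"))
            if not in_allowlist(r.dst):
                findings.append((i, "egress destination outside allowlist"))
    return findings

# Constructed sample rule set for the OT-DMZ firewall.
SAMPLE_RULES = [
    Rule("allow", "ot-dmz", "internet", "tcp", "203.0.113.0/28", "443"),  # compliant
    Rule("allow", "ot-dmz", "internet", "tcp", "0.0.0.0/0", "443"),       # too broad
    Rule("allow", "ot-dmz", "internet", "udp", "203.0.113.8/32", "123"),  # wrong service
    Rule("allow", "internet", "ot-dmz", "tcp", "192.0.2.10/32", "22"),    # inbound SSH
    Rule("deny", "internet", "ot-dmz", "any", "0.0.0.0/0", "any"),        # default deny
]

if __name__ == "__main__":
    for idx, msg in audit(SAMPLE_RULES):
        print(f"rule {idx}: {msg}")
```

The audit treats each rule as a statement about connection initiation, so it assumes a stateful firewall that admits return traffic for established outbound sessions without a separate inbound rule.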
How We Protect Your Data
Encryption
Every byte of your SCADA data is encrypted at rest and in transit:
- In Transit: TLS 1.3 with perfect forward secrecy for all HTTPS connections between your Edge Agent and our cloud
- At Rest: AES-256 encryption using AWS KMS (Key Management Service) with per-utility encryption keys
- Database: All time-series data stored in encrypted RDS/TimescaleDB instances with automatic key rotation
Access Control
- Multi-tenant isolation: Your utility's data is logically isolated from all other customers in our database
- Role-based access control (RBAC): Only your designated users can access your utility's dashboard and data
- Multi-factor authentication (MFA): Required for all admin accounts
- Audit logging: Every data access is logged with timestamp, user, and IP address
Data Retention & Deletion
- Real-time data retained for 90 days, then compressed and archived
- You can request full deletion of all your data at any time — we execute within 30 days
- Export your full dataset as CSV/JSON/SQL at any time
Built to Meet Federal Guidelines
Upstream AI's architecture aligns with federal cybersecurity mandates for water utilities.
America's Water Infrastructure Act (AWIA)
AWIA requires utilities serving more than 3,300 people to conduct cybersecurity risk assessments. Our read-only, OT-DMZ architecture directly addresses the key risks identified in EPA guidance:
- Unauthorized access to control systems (we have zero write access)
- Malware infiltration via internet connections (air gap preserved)
- Data exfiltration (all data encrypted in transit and at rest)
CISA Critical Infrastructure Guidance
We follow CISA's recommendations for OT security:
- Segment and segregate networks and functions
- Limit unnecessary lateral communications
- Harden network devices
- Implement secure remote access methods
- Use multi-factor authentication
📄 Request Our Full Security White Paper
For a detailed technical review of our architecture, penetration testing results, and compliance documentation, contact our team. We provide full security documentation under NDA for enterprise customers.
What Happens If Something Goes Wrong
Our Responsibilities
- 24/7 monitoring: AWS CloudWatch alerts on any anomalous activity in our cloud infrastructure
- Incident response team: Dedicated security team on-call for any suspected breach or vulnerability
- Breach notification: If we detect unauthorized access to your data, we notify you within 24 hours
- Transparency: We publish a public changelog of all security updates and patches
Edge Agent Failsafe
If the Edge Agent loses connectivity to our cloud, it continues running locally and buffers up to 7 days of data. When connectivity resumes, it backfills the missed time-series data. If you terminate service, simply stop the Docker container — your SCADA continues operating normally with zero interruption.
Security FAQ
Can Upstream AI turn off my pumps remotely?
No. We have zero ability to write commands to your SCADA system. We only read sensor data via OPC UA or MQTT in read-only mode. Your operators maintain full manual and automated control at all times.
What if the Edge Agent gets compromised?
The Edge Agent sits in the OT-DMZ, not your OT network. Even if compromised, it cannot access your control systems because there's no network path from the DMZ back into the OT network. The worst-case scenario is data exfiltration of time-series sensor readings — which are already being sent to our cloud anyway.
Do you support on-premises deployment?
Not currently. Our cloud-first architecture enables us to deliver rapid ML model updates, real-time monitoring, and a better user experience. For utilities with strict data sovereignty requirements, we're exploring private cloud deployments on a case-by-case basis.
What data do you collect?
We collect only operational time-series data from your SCADA historian: sensor readings (flow, pressure, pH, chlorine, etc.), pump states (on/off, Hz, current draw), and alarm events. We do not collect customer billing data, personally identifiable information (PII), or network traffic logs.
Can I audit your security practices?
Yes. Enterprise customers can request our SOC 2 report (when available), penetration testing results, and security white paper. We're also open to third-party security audits for large deployments.