Security practices.
How to read this page
This is a public summary of GreenTech's security practices. The detailed security pack — including penetration test summaries, sub-processor list, and certification artefacts — is available under NDA at the contract stage. For a deeper architectural view aimed at clients, see the Trust & security page.
Data residency & ownership
- Region: All client data resides in AWS London (eu-west-2). No replication outside the UK without written client consent.
- Ownership: Clients retain ownership of their data. We hold a processing licence for the duration of the contract.
- Export: Full portable export (CSV / JSON / PDF) within 14 working days of request, including on termination.
- UK GDPR: Compliant. ICO-registered controller. DPA signed with every client, with sub-processor flow-down terms.
Encryption
- In transit (radio): AES-128 over LoRaWAN, sensor to gateway.
- In transit (web): TLS 1.3 with HSTS, gateway to platform and platform to browser.
- At rest: Treatment records are SHA-256 hashed; the underlying storage is encrypted with AWS-managed keys (AES-256).
- Key rotation: Quarterly for application secrets; LoRaWAN device keys per provisioning policy.
Access control
Authentication is via SSO using SAML 2.0 or OIDC. Role-based access control distinguishes FM director, operator, technician, and auditor roles, with custom roles available for client-specific deployments. Multi-factor authentication is required for any administrative role.
Every action a human takes in the platform is logged into the same append-only chain as sensor data — including data exports, role changes, and configuration edits.
Certification roadmap
We list our security certifications honestly. Statuses are updated as audits complete.
- Cyber Essentials — Live. Annual renewal in place.
- Cyber Essentials Plus — In progress. Q3 2026 target.
- SOC 2 Type I — In progress. 2026.
- ISO/IEC 27001 — Target. 2027.
We will not describe a certification as "live" until it has been issued and the artefact is verifiable.
Sub-processors
Current sub-processors:
- AWS — UK-region cloud hosting (eu-west-2)
- ThingsBoard PE — IoT platform layer (deployed on AWS London)
- Make.com — workflow integrations and dispatch routing
- Google Workspace — productivity, email, internal docs
- GoCardless — payment processing
- DocuSign / HelloSign — contract execution
- Email-delivery provider — transactional and subscription mailings
Material changes to this list are notified to active clients in writing within 14 days. Each sub-processor operates under a written data processing agreement with appropriate technical and organisational measures.
Penetration testing
We commission an annual third-party penetration test against the platform and the sensor-to-platform path. The summary is available under NDA at the contract stage. Material findings are tracked to remediation through our internal issue management process and reviewed at board level.
Incident notification
If we identify a security incident affecting your data, we will notify your registered contacts within 24 hours of confirmation, with a written summary inside 72 hours. Where an incident triggers obligations under UK GDPR Article 33 or 34, we co-operate with the controller's notification process and timelines.
Coordinated vulnerability disclosure
Independent security researchers and white-hat testers can report vulnerabilities to security@greentech.co.uk. We commit to acknowledging reports within two working days and to a 90-day responsible-disclosure window before publication.
We do not currently operate a public bug bounty programme but will consider monetary recognition for impactful, well-documented reports on a case-by-case basis.
Sub-resource policy
The marketing website embeds Google Fonts as its only third-party asset. The application platform embeds no third-party scripts on authenticated pages. Where this changes, the change is documented in the security pack.
Contact
Security questions: security@greentech.co.uk
Privacy questions: privacy@greentech.co.uk
For coordinated disclosure, please use security@greentech.co.uk rather than the general mailbox.