Data Security
We know that handing over API keys requires trust. Here is exactly how we engineer our systems to keep your home infrastructure safe.
1. Encryption Standards
AES-256 Encryption
Your device credentials (API keys) are encrypted at rest with AES-256, using industry-standard cryptographic libraries.
All data in transit between your browser, our servers, and third-party energy APIs is encrypted via TLS 1.2+ (Transport Layer Security).
2. Infrastructure & Compliance
Enterprise-Grade Cloud
Our infrastructure runs on top-tier cloud providers that maintain strict compliance certifications, including ISO 27001 and SOC 2 Type II. Databases are protected behind private networking and strict VPC access controls.
Least Privilege Access: Our systems are designed so that engineers do not routinely access raw API keys. Keys are decrypted only programmatically by the optimisation engine when required to execute authorised actions.
3. Data Residency
As a registered UK company, we prioritise data sovereignty. Your personal data and API credentials are hosted strictly within Tier-1 data centres located in the UK and EEA. We do not transfer your personal data to high-risk third-party countries without explicit safeguards.
4. Payment Security
Stripe Processing
We do not handle your credit card numbers. All payments are processed securely by Stripe, a PCI-DSS Level 1 certified payment processor.
5. Audit & Control
We log system actions for security auditing. If our system detects unusual activity, we may temporarily lock access to protect your data.
Emergency Revocation: You can revoke our access instantly at any time by regenerating your device API keys within your manufacturer's app (e.g., Zappi or Solis). This immediately kills our ability to connect.
6. Incident Response & 72-Hour SLA
In the highly unlikely event of a data breach affecting personal data, we maintain a strict incident response protocol. We commit to notifying affected users and the UK Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, in strict accordance with UK GDPR requirements.
7. Vulnerability Disclosure
We welcome responsible disclosure from security researchers. If you believe you have found a vulnerability, please contact us immediately at: security@1app.energy.