Security & Compliance

Control infrastructure security.

encosa sits between your inverter and the EPEX SPOT market. That position demands a security model designed for operational technology, not just web applications: mutual TLS between edge agent and cloud, hardcoded safety limits that cannot be overridden remotely, and zero command execution without cryptographic consent from the edge device.

Security architecture

Mutual TLS (mTLS)

The edge agent at your site and the encosa cloud exchange X.509 certificates on every connection. Neither side accepts connections without a valid peer certificate. Certificate rotation is automated every 90 days.

Encrypted at rest

All site telemetry, dispatch logs, and account data are encrypted with AES-256-GCM using AWS KMS customer-managed keys stored in eu-central-1 (Frankfurt). Keys are never exported from KMS.

Role-based access control

Dashboard users are read-only by default. Override and configuration changes require an explicit role assignment. Multi-site Enterprise accounts can restrict operators to specific sites.

Immutable audit log

Every API call, dispatch command, and configuration change is written to a tamper-evident, append-only log with timestamp and actor identity. Audit logs are retained for 3 years and exportable on request.

German cloud infrastructure

All cloud services run in AWS eu-central-1 (Frankfurt). No data leaves Germany or the EU. We do not use US-headquartered subprocessors for personal data except where explicitly listed in the DPA and restricted to EU regions.

Security incident response

72-hour GDPR breach notification guaranteed. Our IR playbook covers inverter command isolation (fallback to local-only mode), API key revocation, and certificate re-issuance, all executable without an on-site visit.

GDPR compliance details

| Data category | Retention | Legal basis | Location |
| --- | --- | --- | --- |
| Account credentials (email, hashed password) | Duration of account + 90 days | Contract (Art. 6(1)(b)) | AWS eu-central-1 |
| Battery telemetry (SOC, power flow, temperature) | 36 months rolling | Contract (Art. 6(1)(b)) | AWS eu-central-1 |
| Revenue and dispatch reports | 7 years (German commercial law §257 HGB) | Legal obligation (Art. 6(1)(c)) | AWS eu-central-1 |
| API access logs (IP, endpoint, timestamp) | 90 days | Legitimate interests (Art. 6(1)(f)) | AWS eu-central-1 |
| Analytics cookies (if accepted) | 13 months | Consent (Art. 6(1)(a)) | EU-region analytics provider |

Data Processing Agreement (DPA)

If your organisation is subject to GDPR and processes personal data through encosa, you may require a DPA under Art. 28 GDPR. A signed DPA is included in all Pro and Enterprise subscriptions. Request a copy at [email protected].

Security questions before you connect a battery?

Lena (CTO) is available for technical security review calls. Penetration test reports and our AWS Well-Architected Framework assessment are available under NDA. DPA signed on request for Pro and Enterprise subscribers.