Security & Trust
Built for the most sensitive
infrastructure on earth.
Synestra sits at the intersection of cooling, power, compute, and network — the most consequential systems in a hyperscale facility. Every design decision reflects that trust position. Operational telemetry only. Read-only on control systems. No inbound ports. On-prem available.
Data ingested
Telemetry only
Operational metrics and events. No workload data, no customer data, no PII.
Control systems
Read-only
Synestra never writes to BACnet, Modbus, or any industrial control system.
Inbound ports required
Zero
All connections are outbound from your network. No firewall rule changes needed.
Deployment options
3 models
Cloud-hosted, hybrid edge, or fully air-gapped on-prem for the most sensitive sites.
Data classification
What Synestra sees — and what it doesn't.
Synestra processes operational telemetry. It has no visibility into workloads, user activity, or the data your tenants are computing on. That boundary is architectural, not just policy.
Cooling system telemetry — temperature, airflow, CDU stats
Power metrics — PDU load, UPS state, PUE, stranded capacity
GPU thermal and power readings (aggregate, not per-job)
Network fabric utilization — bandwidth, latency, port state
BMS and CRAC event streams — alarms, state changes
Scheduler queue depth and resource allocation signals
EA baseline and consequence chain metadata
Workload content — what tenants are computing, training, or storing
Network packet payloads or application-layer traffic
Tenant identity, user accounts, or access credentials
Financial or billing data
GPU memory contents or model weights
Control plane commands — Synestra reads only, never actuates
Personnel data or physical access records
Network architecture
No inbound exposure. Ever.
The Synestra edge agent runs inside your perimeter and initiates all connections outbound over TLS 1.3. No inbound ports, no VPN tunnels into your OT network, no changes to your existing firewall posture.
Your perimeterOT / Facility network
BACnet / Modbus
→ read-only poll →
Synestra Edge Agent
READ ONLY
SNMP / syslog
→ receive →
Synestra Edge Agent
READ ONLY
NVIDIA DCGM / IPMI
→ REST poll →
Synestra Edge Agent
READ ONLY
Outbound onlyTLS 1.3 egress
Synestra Edge Agent
→ outbound TLS 1.3 →
Synestra Cloud (deployment-dependent)
No inbound ports. No VPN.
Your existing stackUnchanged
BMS / SCADA
DCIM
Observability
Ticketing
Custom integration
The edge agent requires outbound access on port 443 only. It runs as a containerized service (Docker or Kubernetes) and can be deployed in an isolated subnet with no inbound rules. For air-gapped sites, the agent operates fully on-prem with no cloud egress — see deployment options below.
Encryption & access controls
Standard controls, enforced consistently.
Encryption in transit and at rest across every layer. Role-based access down to the zone level. All actions logged and attributable.
🔒
Encryption in transit
TLS 1.3 enforced on all connections — edge agent to API, webhook delivery, console access. TLS 1.2 rejected. Certificate pinning available for edge agent deployments.
🗄️
Encryption at rest
AES-256-GCM for all stored telemetry and consequence chain data. Encryption keys are managed per deployment. On-premises deployments retain full key custody.
🔑
Access controls
Role-based access control with scoped permissions. Tenant data is isolated from operator data at the architectural level — not through policy. No cross-tenant data access is possible.
👥
Role-based access
RBAC down to the zone level. Roles: Viewer, Operator, Site Admin, Fleet Admin. SSO via SAML 2.0 and OIDC. MFA enforced on all console access. Provisional patent pending on RBAC architecture.
📋
Audit logging
All API calls, console actions, and configuration changes are logged with user, timestamp, IP, and change delta. Logs are immutable and exportable to Splunk, Datadog, or S3.
🔄
Data retention
Configurable per site — 90 days default, up to 5 years for EA baseline archival. Customers can trigger verified deletion at any time. Deletion confirmed within 30 days across all replicas.
Deployment options
From cloud-native to fully air-gapped.
Synestra supports three deployment models. The most sensitive sites — government-adjacent, classified workloads, or zero-trust mandates — can run entirely on-prem with no data leaving the facility.
Cloud-hosted
Standard
Edge agent on-prem. Consequence processing and console in Synestra cloud. Best for operators prioritizing time to value.
Edge agent in your subnet, outbound only
Consequence processing in Synestra multi-tenant cloud
Console at console.synestra.io
Data residency: US or EU selectable
SOC 2 Type II coverage applies
Hybrid edge
On-prem processing
Consequence engine runs on-prem. Only structured intelligence (EA scores, chain metadata) egresses to Synestra cloud for reporting.
Full consequence engine on customer hardware
Raw telemetry never leaves the facility
Structured consequence metadata egresses over TLS
Console can be self-hosted or cloud
Recommended for hyperscale operators
Air-gapped
Fully on-prem
Complete Synestra stack runs inside the customer perimeter. No data egress of any kind. For classified, government-adjacent, or zero-trust mandated sites.
All processing fully on-prem, no egress
Console deployed inside customer network
Updates delivered via signed offline package
No Synestra cloud dependency at runtime
Available for qualified enterprise agreements
OT / ICS security
Designed for the Purdue Model.
Synestra was built with industrial control system security principles from the ground up. It reads from OT layers — it never writes to them, never bridges Level 0/1 to the enterprise network, and carries no credentials that could actuate physical systems.
Purdue Model — Synestra positioning
IEC 62443 reference architecture for industrial cybersecurity
Level 4–5Enterprise / DMZ
Business systems, cloud, external integrations Synestra cloud sits here
Synestra consequence intelligence is published to enterprise platforms (Palantir, ServiceNow, PagerDuty) at this level. No OT credentials, no OT network access at this layer.
Level 3Site operations
DCIM, SCADA, historian, site dashboards Edge agent deployed here
The Synestra edge agent is deployed at Level 3 — the standard integration tier for DCIM and operational monitoring systems. It uses the same read-only access paths that existing DCIM tools use.
Level 2Supervisory control
BMS, SCADA HMI, CRAC controllers Read-only via Level 3
Synestra reads from Level 2 systems (BACnet/IP, Modbus TCP) via the Level 3 integration layer. Read-only. No write credentials provisioned. No direct network path from Synestra to Level 2 required.
Level 1Process control
PLCs, RTUs, physical actuators Synestra never touches
Synestra has no integration path into Level 1 or Level 0. Physical control systems are not accessible, not readable, and not in scope. The consequence engine recommends actions — it never actuates them.
Level 0Physical process
Sensors, motors, physical plant Out of scope entirely
Physical plant equipment. No integration, no visibility, no path.
Compliance & certifications
Where we are and where we're going.
We are committed to meeting the certification requirements of hyperscale operators. Below is our current status and roadmap. Security documentation packages are available under NDA for qualified prospects.
Penetration testing
Third-party pen test completed on API and edge agent. Report available under NDA.
COMPLETED — Q2 2026
Provisionals — IP protection
Three provisional patents filed: EA method, RBAC architecture, closed-loop optimization. Gunderson Dettmer counsel.
FILED — Q2 2026
SOC 2 Type II
Audit initiated. Covers Security, Availability, and Confidentiality trust service criteria.
IN PROGRESS — audit period Q3 2026, report expected Q1 2027
GDPR / Data Processing Agreements
DPA template available for EU-based operators. Data residency selectable to EU-West.
DPA AVAILABLE NOW — full assessment Q4 2026
ISO 27001
Information security management system certification. Scope includes cloud platform and edge agent.
PLANNED — Q3 2027
IEC 62443 self-assessment
Formal self-assessment against IEC 62443-2-4 (service provider security requirements) for OT integration environments.
PLANNED — Q4 2027
FedRAMP Moderate (conditional)
For operators supporting US government or DoD-adjacent workloads. Scoped to air-gapped deployment model.
PLANNED — dependent on government customer qualification
NIST CSF alignment
Full mapping of Synestra controls to NIST Cybersecurity Framework 2.0 Identify / Protect / Detect / Respond / Recover functions.
PLANNED — Q2 2027
Security documentation — Penetration test summary, architecture security review, data flow diagrams, and vendor security questionnaire responses are available under NDA for qualified enterprise prospects. Contact us via the form below or through your account team.
Security questions? We'll answer them directly.
No security questionnaire too long. Our team responds to enterprise security reviews within 48 hours.