Connecting data

How your credentials are stored

Encryption, storage and data residency for connection credentials.

Quick answer

Connection credentials are moved into AWS Secrets Manager encrypted with a KMS key dedicated to your organisation, hosted in the EU (eu-west-1). The platform database keeps only a reference to the secret, never the credential itself. API responses always mask sensitive fields.

Storage model

  • When a connection is created its credentials are used once to verify and discover the source.
  • They are then written to AWS Secrets Manager under a per-customer encryption key (AWS KMS) and removed from the connection record, which keeps only the secret reference.
  • All secret storage lives in the EU (eu-west-1 region). Secrets are not replicated to other regions.
  • Connection details returned by the API mask tokens, passwords and keys.

Access and revocation

Only the server-side polling and discovery services can read secrets, and only for the connection they belong to. You can rotate credentials at the vendor at any time and update the connection; deleting a connection deletes its secret. We recommend using read-only or monitoring-scoped vendor accounts wherever the vendor supports them.

Frequently asked questions

See also

See this on your own plants

NuraVolt turns your SCADA and BMS data into early fault detection, degradation-aware BESS analytics, and audit-ready reporting. A fixed-scope audit shows you what we’d find on your portfolio.