We use cookies on this website to give you the best experience. To find out more, read our Privacy Policy.

Professional SolutionsMap

Information Security Policy

Information Security Policy

This policy defines the minimum security controls we apply to its customer-facing services and internal operations.

The security approach supports our product principles: open hardware, open source where appropriate, data ownership, privacy by default, repairability, no unnecessary lock-in, and public-interest air quality data.

Scope

This policy applies to:

  • AirGradient website, dashboard, API, public map, app, support, notification, and data services.
  • Production, staging, development, source code, deployment, and monitoring systems.
  • AirGradient monitors, firmware, provisioning, and cloud connectivity where AirGradient controls the implementation.
  • Staff and contractor accounts used to access AirGradient systems.
  • Third-party services that process AirGradient or customer data.

Customer-managed networks, customer accounts, local monitor placement, and public/private sharing decisions remain the customer's responsibility unless agreed otherwise.

Security Objectives

AirGradient security controls are designed to:

  • Protect private customers, users, support, order, and monitor data from unauthorized access, disclosure, alteration, or loss.
  • Preserve the integrity of measurements, calibration metadata, public data feeds, and customer dashboard data.
  • Keep customer-facing services reliable and recoverable.
  • Prevent secrets from entering firmware, public repositories, logs, screenshots, support messages, or documentation.
  • Keep public-data sharing transparent, attributable, and controlled by user or customer settings.
  • Support timely detection, containment, investigation, recovery, and communication for incidents.

Governance

AirGradient assigns operational ownership for security, privacy, production operations, access reviews, vendor review, backup and recovery, and incident response.

Staff and contractors must:

  • Protect credentials and customer data.
  • Use approved systems for company and customer data.
  • Avoid copying production personal data unless necessary and approved.
  • Report suspected security, privacy, data integrity, or availability incidents promptly.
  • Follow secure development and change-control practices.

Access Control

AirGradient applies least privilege to systems and data.

Minimum controls:

  • Unique user accounts for staff access where supported.
  • MFA for email, source control, production hosting, domain/DNS, payment/shop systems, support tooling, analytics, CI/CD, and password managers where supported.
  • Role-based access for support, engineering, operations, and administrative functions.
  • Production database and shell access limited to authorized technical staff.
  • Support access limited to the tickets, customer records, and monitor information needed to resolve requests.
  • Access reviews for production, source control, support, domain/DNS, payment, and customer-facing admin systems.
  • Prompt offboarding when a staff member or contractor leaves or changes roles.
  • Service accounts with named owners, scoped permissions, and documented rotation or revocation steps.

Authentication and Secrets

AirGradient protects passwords, session tokens, API keys, OAuth credentials, deployment keys, signing keys, and other secrets.

Minimum controls:

  • Passwords must be stored only as strong one-way hashes.
  • Passwords, raw OAuth tokens, session cookies, API keys, reset tokens, and private keys must not be logged.
  • Password reset and account verification tokens must expire.
  • Session cookies must use secure attributes appropriate to the application.
  • Authentication endpoints must be rate-limited or monitored for abuse where practical.
  • Production secrets must be stored in approved secret stores or environment-management systems, not in source code.
  • Production, staging, and development secrets should be separated.
  • High-impact credentials should be rotated after suspected exposure, staff offboarding risk, or vendor incident.

Infrastructure and Network Security

AirGradient production services must:

  • Use TLS for public HTTP endpoints and API traffic.
  • Expose only required ports.
  • Keep databases and caches off the public internet unless explicitly approved with compensating controls.
  • Use firewalls, security groups, or equivalent host/network controls.
  • Apply security patches to operating systems, containers, runtimes, databases, and dependencies according to risk.
  • Run production services with least-privileged runtime users where practical.
  • Separate production from staging and development where practical.
  • Protect domain registrar, DNS, and certificate-management accounts with MFA where supported.
  • Monitor uptime and service health for customer-facing services.

AirGradient maintains a public server status page for service availability information:

AirGradient Server Status

Databases, Storage, and Backups

AirGradient protects databases and storage containing monitor data, support data, account data, configuration, and operational records.

Minimum controls:

  • Access to production databases and file storage is limited to authorized personnel.
  • Backups are encrypted at rest where supported by the relevant provider or storage system.
  • Backup access is limited to authorized operations personnel.
  • Live production personal data should not be used in local development unless necessary, approved, and minimized.
  • Sanitized or synthetic data should be used for tests and demos where feasible.

Backup scope, recovery testing, and restore practices are covered in the Backup and Disaster Recovery Procedure.

Secure Development

AirGradient engineering must:

  • Use source control for application, firmware, and infrastructure code.
  • Review material changes before production release.
  • Keep secrets out of source code and public repositories.
  • Test changes before production deployment where practical.
  • Patch security-relevant issues according to risk.
  • Review dependencies and third-party libraries where practical.
  • Avoid exposing internal tools, debug endpoints, or administrative interfaces publicly.
  • Preserve the integrity of firmware, calibration logic, measurement pipelines, and public data feeds.

Firmware and Device Security

AirGradient monitors are air quality sensors and do not contain microphones or cameras.

AirGradient publishes open-source firmware and hardware where available. Firmware and device practices must support secure provisioning, appropriate update handling, and clear customer deployment guidance.

Customers deploying monitors in managed environments should use appropriate network segmentation and local IT controls.

Related Documentation

Contact

Security, privacy, incident, reliability, or deployment questions can be sent to support@airgradient.com.

Your are being redirected to AirGradient Dashboard...