Data Security
Our Position
When you connect critical operational infrastructure to any external platform, security is not a feature — it is a prerequisite. Our platform was designed from the ground up with security and data sovereignty as core architectural principles, not afterthoughts.
Every layer of the system — from data transmission to user access to model ownership — is governed by explicit security controls and aligned with current European regulatory requirements.
Core Architecture
Security built into every layer
Data Ownership
Your data belongs to you, not to us. Every digital twin model built on our platform is your intellectual property. We have no access to your operational data without your explicit authorisation.
EU Data Residency
Cloud deployments are hosted exclusively on servers within the European Union, ensuring full compliance with EU data residency requirements and eliminating exposure to extra-territorial data access legislation.
End-to-End Encryption
All data transmission between connected sources, platform engines, and end-user interfaces is encrypted end-to-end. No unencrypted data transfer occurs across any network boundary within the platform.
Role-Based Access
Role-based access control is administered entirely by the customer. The platform enforces strict separation of data access by stakeholder group with granular permissions down to individual objects and dashboards.
Open Source & Auditable
The platform backend is built on open source components — Linux, Docker, PostgreSQL, Apache. No proprietary black-box dependencies. Every component can be independently audited.
On-Premises Deployment
For organisations with strict data localisation requirements, the platform can be deployed entirely on-premises within your own infrastructure, with no data leaving the organisational boundary.
Protocols & Standards
Secure communications
Web & API communications — all traffic encrypted in transit via TLS on every endpoint.
Secure WebSockets — real-time data streams protected with the same transport-layer security.
Encryption algorithms standard — applied to all data transmission across the platform, including AES-256 and RSA-2048.
IoT device communication — encrypted message transport for all connected sensors and edge devices.
Constrained device environments — lightweight but fully secured protocol for resource-limited hardware.
Industrial system integration — built-in security profiles for machine-level data exchange across industrial networks.
Authorisation
Access control
Role-based access control is administered entirely by the customer. Third parties — including GOLEM — have no access to customer data or models without a documented, customer-initiated authorisation.
Multi-level role hierarchy configurable per deployment
Granular permissions down to individual objects, indicators, and dashboards
Session management with secure authentication
Full audit log of all user access and actions
No default access — every permission must be explicitly granted
Operators, managers, executives, partners, and public — each role sees only explicitly authorised data
Infrastructure Security
Built to be inspected
No vendor lock-in means security vulnerabilities can be addressed without waiting for a third-party update cycle. The absence of proprietary black-box dependencies is itself a security property.
Open Source Foundation
Linux · Docker · PostgreSQL · Apache · standard C++ and JavaScript libraries. Every component can be independently audited by your own security team or a third party.
Containerised Deployment
All platform engines run in Docker containers, providing process isolation, reproducible deployment environments, and clear separation between customer instances.
Edge & On-Premises Options
For critical infrastructure operators, healthcare providers, and government agencies — full on-premises deployment with no data leaving the organisational boundary. Edge deployment on local micro-datacentres provides real-time processing with complete data sovereignty.
Operations
Incident response
The platform maintains continuous operational logging across all engines and data flows. Any anomaly is detected automatically and escalated through defined response procedures.
Continuous Logging
All engines and data flows produce continuous operational logs. Every access, action, and state change is recorded with tamper-evident timestamps.
Automated Anomaly Detection
Unauthorised access attempts and data integrity events are detected automatically through behavioural monitoring and rule-based alerting.
Immediate Customer Notification
Customers are notified immediately of any security event affecting their deployment, with full incident context and remediation guidance.
Defined Response Procedures
Structured escalation paths ensure no security event is handled ad hoc. Response playbooks are maintained and reviewed continuously.
Regulatory Alignment
Aligned with the EU regulatory framework
Digital twin systems operate within one of the most complex regulatory environments in the world. We track regulatory developments continuously and update our architecture accordingly.
General Data Protection Regulation
Data minimisation, purpose limitation, access rights, and breach notification procedures are built into platform operations. EU data residency is maintained for all cloud deployments.
Network and Information Security Directive 2
Our platform architecture addresses NIS2 requirements for IoT and industrial monitoring systems — risk management controls, incident detection, and supply chain security.
Cyber Resilience Act
Our design principles align with CRA requirements for connected industrial systems, ensuring confidentiality, integrity, authenticity, and availability of IoT devices and data flows.
EU Data Act
Our data ownership model — where customers retain full rights over their data and models — is structurally aligned with Data Act obligations on data access and portability.
Encryption Algorithms Standard
Applied to all data transmission across the platform. AES-256 for symmetric encryption, RSA-2048 for key exchange — both compliant with the international standard.
Regulatory Landscape Tracking
We monitor overlapping obligations across data governance, privacy, cybersecurity, transparency, and interoperability — and update our architecture before deadlines, not after.
Summary
Security principles at a glance
Data ownership remains entirely with the customer
End-to-end encryption on all communications
EU-only cloud infrastructure — no extra-territorial data exposure
Role-based access control administered by the customer
Open source components — fully auditable, no black-box dependencies
On-premises and edge deployment available for full data localisation
Aligned with GDPR · NIS2 · EU Cyber Resilience Act · EU Data Act · ISO/IEC 18033-3
Continuous operational logging and automated anomaly detection