Security

Security designed for grid infrastructure.

Community solar programs operate within NERC-adjacent regulatory environments. Nexwatt's security architecture reflects that context.

Architecture Principles

Security architecture principles

Encrypted Telemetry

All asset telemetry data is encrypted in transit (TLS 1.3) and at rest (AES-256). Telemetry ingestion endpoints require mutual TLS for DER hardware integrations.

Role-Based Access

Multi-tenant program isolation with RBAC. Program operators see only their subscriber data. ISO enrollment documents scoped to authorized users.

API Security

OAuth 2.0 with scoped tokens for all API integrations. Webhook signatures for dispatch event delivery. Audit log of all API calls.
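The page names webhook signatures for dispatch event delivery but does not show what a receiving integration has to check. The following is an added example, not Nexwatt's code or its documented signing scheme: a generic HMAC-SHA256 webhook scheme in which the sender signs the timestamp and raw body, and the receiver rejects tampered bodies, stale deliveries, and mismatched signatures using a constant-time comparison. The header names, the `<timestamp>.<body>` layout, the five-minute replay window, and the sample secret and event are all assumptions made for the illustration.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical header names and signing layout chosen for this example;
# they are not Nexwatt's documented scheme.
SIG_HEADER = "X-Webhook-Signature"
TS_HEADER = "X-Webhook-Timestamp"
REPLAY_TOLERANCE_S = 300  # reject deliveries more than 5 minutes off the receiver's clock


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over '<timestamp>.<raw body>'.

    Binding the timestamp into the MAC lets the receiver reject replayed
    deliveries without keeping a database of every event ID seen.
    """
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes,
                   now: Optional[int] = None,
                   tolerance: int = REPLAY_TOLERANCE_S) -> bool:
    """Receiver side: True only if the signature is valid and the delivery is fresh.

    `body` must be the exact bytes received; re-serialising parsed JSON
    would change whitespace or key order and break verification.
    """
    now = int(time.time()) if now is None else now
    sig = headers.get(SIG_HEADER, "")
    try:
        ts = int(headers.get(TS_HEADER, ""))
    except ValueError:
        return False  # missing or malformed timestamp header
    # Freshness check first: an expired delivery is rejected even if the MAC verifies.
    if abs(now - ts) > tolerance:
        return False
    expected = sign_payload(secret, ts, body)
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(expected, sig)


def deliver(secret: bytes, event: dict, timestamp: int) -> tuple:
    """Build the headers and raw body a sender would transmit (constructed sample)."""
    body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode()
    headers = {
        TS_HEADER: str(timestamp),
        SIG_HEADER: sign_payload(secret, timestamp, body),
    }
    return headers, body


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed; real secrets come from configuration
    now = 1_700_000_000
    headers, body = deliver(secret, {"event": "dispatch", "asset_id": "demo-asset-1"}, now)
    print("valid delivery:", verify_webhook(secret, headers, body, now=now))
    tampered = body.replace(b"demo-asset-1", b"demo-asset-2")
    print("tampered body:", verify_webhook(secret, headers, tampered, now=now))
    print("replayed 10 min later:", verify_webhook(secret, headers, body, now=now + 600))
```

The order of checks matters on the receiving side: parse the timestamp, enforce the replay window, then compute and compare the MAC over the raw bytes. Verifying before any JSON parsing keeps unauthenticated input away from the application's parser, and logging rejected deliveries alongside the audit trail the page describes gives operators a signal when a peer's secret may have leaked.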

Compliance-Oriented Design

Built with NIST Cybersecurity Framework controls in mind. Data residency in US East regions. No customer data used for model training.

Data Handling

How we handle subscriber and asset data

Nexwatt handles personally identifiable subscriber data (account information, meter IDs, billing addresses) on behalf of program operators. Data is isolated per program, never shared across operator accounts, and retained only as needed for ISO compliance documentation.

Subscriber PII is processed under data processing agreements with program operators, who are the data controllers for their subscriber information. Nexwatt acts as a data processor and does not independently access, use, or disclose subscriber data for purposes beyond ISO compliance operations.

Asset telemetry data (inverter readings, storage state-of-charge, meter intervals) is treated as operational data. It is retained for the duration of the program agreement plus 24 months for audit trail purposes, then purged.

Responsible disclosure

We maintain a responsible disclosure program for security researchers. Contact [email protected] with the subject "Security Disclosure" for our coordinated disclosure process. We commit to acknowledging reports within 5 business days and providing a remediation timeline within 30 days.

Questions about our security posture?

We're happy to discuss our security architecture, data handling practices, and compliance posture in more detail.

Contact Us