Cybersecurity
This document outlines our approach to cybersecurity for the VOLO cloud-based access control system. VOLO combines physical security hardware (controllers and readers) with a cloud platform for centralized management.
What This Means for You
VOLO's security approach ensures your access control system remains protected, compliant, and operational even during connectivity issues or security threats. We handle the complex security infrastructure so you can focus on managing your physical security.
Overview & Security Architecture
VOLO is a cloud-based access control system that combines physical security hardware (controllers and readers) with a secure cloud platform for centralized management. Our cybersecurity approach encompasses both the physical devices and the cloud infrastructure to ensure end-to-end security.
Multi-Layer Security Model
Think of VOLO's security like a high-security building with multiple layers of protection. Our defense-in-depth approach ensures that even if one layer is compromised, others continue to protect your system:
- Physical Security Layer - Secure hardware controllers with tamper detection
- Application Security Layer - Secure web interface and API access
- Data Security Layer - AWS-managed security for cloud infrastructure
- Access Control Layer - Role-based authentication and authorization
Minimized Attack Surface
A key principle within the VOLO architecture is to ensure that only servers and application interfaces that are required to be public facing are exposed. This significantly reduces the risk of unauthorized access:
- Public Access: Only web servers, communication brokers and load balancers are publicly accessible
- Private Infrastructure: The majority of infrastructure is not publicly accessible
- Secure Access: Databases and internal systems are only accessible from within the VOLO cloud or via secure VPN
- VPN Monitoring: Administrator access is restricted, authenticated with MFA, and both monitored and logged
Cloud Infrastructure Security
Our cloud platform is hosted on AWS in an EU region with enterprise-grade security. This means your data benefits from the same security infrastructure that protects major financial institutions and government agencies:
- Data Centers: AWS-managed facilities with redundant power, cooling, and network connectivity
- Network Security: AWS security services and infrastructure protection
- Physical Security: AWS-managed physical security and access controls
- Access Control: Cloud infrastructure is only accessible to authorized personnel, requiring VPN access
- Security Groups: AWS security groups ensure only required ports and protocols are enabled for each server
- Platform Reviews: Scheduled, regular platform reviews for OS versions, server security patches, and AWS Security Hub recommendations
- Architecture Review: We have worked with an approved AWS partner to review our development and architectural design approach
- AWS Best Practices: We strive to follow AWS recommendations and utilize their proactive monitoring services
Why AWS Matters
AWS provides enterprise-grade security that would be cost-prohibitive for most organizations to implement independently. This includes 24/7 physical security, redundant infrastructure, and continuous security monitoring.
Data Protection & Privacy
Your data security is our top priority. We classify and protect different types of information based on their sensitivity and regulatory requirements.
Data Classification
We classify data based on sensitivity and regulatory requirements:
- Critical Data: Access credentials, system configurations, firmware files
- Sensitive Data: User information, access logs, audit trails
- Operational Data: System metrics, performance data, diagnostic information
Encryption Standards
- Data in Transit: TLS 1.2+ for web interface (AWS TLSv1.2_2021 configuration)
- Data at Rest: The majority of operational data is not encrypted at rest
- API Communications: HTTPS for all API endpoints
Important Note
While operational data isn't encrypted at rest, it's stored in a private, isolated network with no public internet access. This provides security through network isolation rather than encryption.
Data Residency and Sovereignty
Your data stays where you expect it to be, with clear policies on retention and deletion:
- Primary Storage: Data is stored in an AWS EU region
- Backup Strategy: Automated backup and recovery capabilities
- Data Retention: Backup files are deleted according to our retention policy. Live system data is retained indefinitely
- Data Deletion: Handled on a case-by-case basis
- Data Subject Rights: Handled on a case-by-case basis
Regulatory Compliance
- GDPR: General Data Protection Regulation compliance
Compliance Confidence
Our GDPR compliance means you can be confident that your data handling meets European privacy standards, reducing your regulatory burden.
However, we need to work together to achieve full compliance: be sure to consider how you use the data within the VOLO system, including what data you input to the system, how it is used and how it is shared.
Access Control & Authentication
Your system's security is only as strong as its weakest access point. That's why we implement multiple layers of authentication and authorization.
Role-Based Access Control (RBAC)
Our permission system gives you granular control over who can access what in your system:
- Permission Matrix: Web-based permission system allowing granular control
- Principle of Least Privilege: Users can select relevant permissions for each operator
- Access Reviews: Permission-based access control with dynamic validation
- Flexible Authorization: Role-based access control with comprehensive security
Security Best Practice
Always follow the principle of least privilege when setting up operator permissions. Only grant access to what's absolutely necessary for each user's role.
Password Policy
We enforce strong password policies to protect your system from unauthorized access:
- Minimum Length: Passwords must be at least 10 characters long
- Security Validation: Passwords are checked against a list of commonly used (and insecure) passwords
- Policy Enforcement: Automated validation of password requirements
- Password Storage: Passwords are never stored in plain text - only salted hash outputs are stored
- Hashing Method: Unique salt generated for each password during hash creation
- Account Lockout: Account lockout implemented after consecutive invalid login attempts
- NCSC Guidance: Approach based on guidance from the National Cyber Security Centre
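The checks in this list can be sketched as follows. This is an added example, not VOLO's code: the scrypt KDF and its parameters, the lockout threshold of 5, the sample denylist and the `AccountStore` name are all assumptions, since the page does not state them.

```python
import hashlib
import hmac
import secrets

MIN_LENGTH = 10       # from the policy above
MAX_FAILURES = 5      # assumed lockout threshold; the page gives no number
COMMON_PASSWORDS = {"password123", "1234567890", "qwertyuiop"}  # constructed sample denylist

def validate_password(password):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common_password")
    return problems

def hash_password(password, salt=None):
    """Derive a digest with scrypt (assumed KDF) and a fresh 16-byte salt."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1,
                            maxmem=64 * 1024 * 1024, dklen=32)
    return salt, digest

class AccountStore:
    def __init__(self):
        self._records = {}    # username -> (salt, digest); never the password
        self._failures = {}   # username -> consecutive failed logins

    def register(self, username, password):
        problems = validate_password(password)
        if not problems:
            self._records[username] = hash_password(password)
            self._failures[username] = 0
        return problems

    def login(self, username, password):
        if username not in self._records:
            return "invalid"
        if self._failures[username] >= MAX_FAILURES:
            return "locked"               # needs an out-of-band reset
        salt, expected = self._records[username]
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, expected):   # constant-time compare
            self._failures[username] = 0
            return "ok"
        self._failures[username] += 1
        return "invalid"
```

Once the threshold is reached even the correct password returns `locked`, which is what stops online guessing from continuing against that account.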
API Security
Our API implements sophisticated protection mechanisms to prevent abuse and ensure secure access:
- Application Authentication: Unique application tokens with rate limiting
- User Authentication: Session-based authentication with secure token management
- Request Validation: Nonce tokens prevent replay attacks
- Brute Force Protection: Account locking mechanisms in place
- Rate Limiting:
  - Concurrent Request Limiting: Per-user limits on simultaneous requests
  - Time-Based Throttling: Service-specific intervals (1-10 seconds)
  - Flexible Configuration: Different limits for different user types
  - Automatic Cleanup: Request counting with proper cleanup
- Security Headers: Custom headers for application authentication, user session authentication and prevention of replay attacks
Rate Limiting in Action
If a user attempts to make 100 requests in 10 seconds, our system will automatically throttle their access, ensuring fair usage for all customers while protecting against potential attacks.
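How nonce-based replay prevention, per-user concurrency limits, time-based throttling and cleanup fit together, as an added example that is not VOLO's implementation. The `RequestGate` class, the freshness window, the concurrency limit and the request timestamp are assumptions; the nonce and timestamp are assumed to be covered by the request's authentication so they cannot be altered in transit.

```python
import time

class RequestGate:
    """Replay, concurrency and throttle checks for one API service."""

    def __init__(self, min_interval, max_concurrent, nonce_ttl=300.0, clock=time.time):
        self.min_interval = min_interval      # seconds between requests (page: 1-10 s)
        self.max_concurrent = max_concurrent  # assumed per-user limit
        self.nonce_ttl = nonce_ttl            # assumed freshness window in seconds
        self.clock = clock
        self._nonces = {}      # (user, nonce) -> time the request turns stale
        self._last = {}        # user -> time of last accepted request
        self._in_flight = {}   # user -> requests currently being served

    def begin(self, user, nonce, sent_at):
        now = self.clock()
        # Cleanup: nonces of requests that are now stale can be forgotten,
        # so the table cannot grow without bound.
        for key in [k for k, expiry in self._nonces.items() if expiry < now]:
            del self._nonces[key]
        # Reject by timestamp first; otherwise a request could be replayed
        # once its nonce has been cleaned up.
        if abs(now - sent_at) > self.nonce_ttl:
            return "stale"
        if (user, nonce) in self._nonces:
            return "replay"
        # Remember the nonce until the request itself would be stale.
        self._nonces[(user, nonce)] = sent_at + self.nonce_ttl
        if self._in_flight.get(user, 0) >= self.max_concurrent:
            return "too_many_concurrent"
        last = self._last.get(user)
        if last is not None and now - last < self.min_interval:
            return "throttled"
        self._last[user] = now
        self._in_flight[user] = self._in_flight.get(user, 0) + 1
        return "ok"

    def end(self, user):
        """Call when a request finishes; idle counters are removed."""
        remaining = self._in_flight.get(user, 0) - 1
        if remaining > 0:
            self._in_flight[user] = remaining
        else:
            self._in_flight.pop(user, None)
```

A nonce is consumed even when the request is then rate limited, so a client that is throttled retries with a fresh nonce.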
Network & Communications Security
Secure Communications
- Web Interface: HTTPS-only access with TLS 1.2+
- API Access: HTTPS encryption for all API communications
- Cellular Failover: Optional cellular modem for primary or failover communication
Network Monitoring
We continuously monitor network activity to detect and respond to potential threats:
- AWS Network Monitoring & Alerts: All IP traffic in and out of the VOLO cloud is logged and monitored, providing proactive alerts for unusual behaviors or interactions
- AWS Secure Infrastructure Scanning: Infrastructure security monitoring and issue highlighting
- Regular Review: Working through security issues identified by AWS Security Hub
- Vulnerability Scanning: Regular security assessments
- System Performance Monitoring: Continuous monitoring of system performance and behavior to identify anomalies
- Proactive Scanning: Various AWS services scan all resources and highlight non-compliance with best practices
- Prioritized Remediation: Security issues are provided in a prioritized list for review and action alongside the development roadmap
Proactive Protection
Our monitoring systems can detect unusual patterns before they become security incidents, giving us time to respond and protect your system.
Offline Operation
One of VOLO's key advantages is that your access control continues working even when internet connectivity is lost:
- Local Operation: Controllers continue to operate locally when cloud connection is lost
- Event Storage: Local event storage during connectivity issues
- Reconnection: Automatic reconnection when network is restored
- Configuration Sync: Configuration changes queued until connection restored
Important
While controllers operate offline during connectivity issues, configuration changes are queued until connection is restored.
Development & Operational Security
We maintain high security standards throughout our development process to ensure the code running your system is secure and reliable.
Secure Development Practices
Every line of code goes through rigorous security checks:
- Code Analysis: Static analysis tool for quality and security issue identification
- Baseline Management: Strict policy on maintaining security baseline
- Code Changes Policy: Code changes must not introduce new quality or security issues
- Gradual Improvement: Backlog reduction based on severity over time
- Static Analysis: All code goes through static analysis to identify potential bugs, vulnerabilities, or non-best practice coding
- Peer Review: All Pull Requests (code changes) must be peer-reviewed before they can be deployed
- Code Quality Monitoring: Regular review of analysis results with proactive work towards ideal scores
- Team Alerts: Development team is alerted to any anomalies or security issues
- Build and Deployment: Well-defined build and deployment process managed through GitHub
- Version Control: Secure code management and deployment pipeline
Vulnerability Management
We continuously scan for and address potential security vulnerabilities:
- Vulnerability Scanning: Regular security assessments
- Infrastructure Security: AWS Security Hub monitoring
- Code Security: Automated code analysis with static analysis tool
- Regular Assessment: Regular vulnerability assessment and remediation
Continuous Security
Our development team is constantly working to improve security, with automated tools helping identify potential issues before they can affect your system.
Monitoring & Incident Response
When security incidents occur, we have robust systems in place to detect, respond to, and recover from them.
Security Monitoring
Our monitoring systems provide 24/7 protection:
- AWS Security Services: Continuous, automated security monitoring and issue identification
- Code Analysis: Static analysis of all code for security issues
- Baseline Management: Policy that code changes must not introduce new issues into baseline
- Security Posture Monitoring: Regular security posture monitoring via AWS Security Hub
Continuous Improvement
We never stop improving our security posture:
- Security Enhancement: Ongoing security improvements and feature development
- Infrastructure Security: AWS security service utilization
- Continuous Review: Regular review of cybersecurity approach to ensure continual improvement
- Static Analysis Baseline: Static analysis baseline maintenance and improvement
Customer Security & Support
Your security is a partnership between our technical measures and your operational practices.
Customer Responsibilities
While we handle the technical security, you play a crucial role in maintaining system security:
- Data Responsibility: Customers are responsible for data entered into the VOLO system and how they choose to share this data (in reports or exports)
- Permission Management: Appropriate use of operator permissions (minimum necessary permissions)
- Configuration: Correct configuration of access levels and timezones for physical security
- System Usage: Sensible and considered use of the system
Contact Information
For security-related inquiries, incidents, or questions:
- Technical Support: Contact our distribution partner, CIE
- Vulnerability Reporting: Please review our Vulnerability Disclosure policy and use this form to report any issues
Note
This document is reviewed and updated regularly to reflect our evolving security practices and the changing threat landscape. Last updated: 2025-08-02