Built on Linux Ubuntu: Clients benefit from a Linux distribution with enterprise-grade, industry-leading security practices, and Ubuntu’s powerful file system permissions, user management, control groups, and firewall.
Deploys on Virtual Machines: Onboard’s software runs on a virtual machine, giving clients an isolated environment with easier scaling, stronger security, and consistent alignment with their organization's standards and processes.
Read Only: Onboard’s software performs read-only operations on a building's network; it does not write to or modify any building systems.
Physical Security: Edge software, regardless of deployment machine, requires physical security as a baseline. Any device connected to a building's network is a potential access point and can be physically tampered with. We strongly recommend keeping all such devices in a secured, locked location.
Communication: Network Edge and Cloud
Network Traffic: Onboard's edge software pushes building data to Onboard’s cloud servers over HTTPS (TCP port 443), encrypted via TLS. For remote troubleshooting, Onboard uses UDP port 1501 via WireGuard®.
VPN & Cryptography: Onboard uses WireGuard® as its secure VPN tunnel for edge software access during troubleshooting. WireGuard® uses state-of-the-art cryptography for end-to-end encryption. This includes the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, and HKDF. More performant than OpenVPN, WireGuard® is designed as a VPN for running on embedded interfaces as well as supercomputers, and has a minimal attack surface compared to *Swan/IPsec or OpenVPN/OpenSSL.
SSH Access: When troubleshooting is required, Onboard accesses deployed edge software remotely via SSH tunneled through the WireGuard® channel. Security settings are set as recommended by SSHAudit. Onboard’s virtual machine software is restricted to prevent tampering. Clients access a web interface hosted by Onboard’s cloud servers to monitor the status of their edge software connection.
Audit
Onboard’s software supports access for vulnerability scans and ongoing monitoring of the edge software, if required by your IT team. Access is provisioned by pre-configuring Onboard’s Edge Collector with the public SSH keys of your preferred auditing tool.
Data Storage
Encryption at Rest: All data is encrypted at rest. Clients can retain data for up to 2 years, or request full data deletion at any time.
Resilience during Outages: Onboard’s edge software stores time-series data locally during any communication outage, preventing data loss. Depending on data volume, local storage can hold 2–3 weeks of data. Onboard provides hardware recommendations to ensure this capability is maintained.
Multi-Factor Authentication
Onboard’s software and APIs are RESTful, JSON-based, and served over HTTPS. Authorization and authentication are handled via JWT tokens or account-linked, resource-scoped API keys. Multi-factor authentication is supported through TOTP and FIDO2 (e.g., hardware security keys). All APIs are documented using the OpenAPI v2 specification.
Activity Tracking
Onboard maintains auditable logs of all significant system events, including software and deployment heartbeats, user logins, and data uploads. These logs are retained permanently and available for review upon request.