Enterprise Security

Security

Enterprise-grade controls designed for multi-tenant energy portfolios. Encryption, access control, auditability, and governance aligned with modern enterprise security expectations.

Encryption in transit: TLS 1.2+ (TLS 1.3 where supported)

Encryption at rest: AES-256 (Google Cloud default encryption)

Compliance coverage: ISO 27001, SOC 1 / SOC 2 / SOC 3 (via Google Cloud / Firebase services)

AI Governance

Human-in-the-loop · No customer data used for model training · Purpose-limited processing

In Short

The estidami platform, applications and Services are built on Google Cloud infrastructure with enterprise-grade encryption, access controls, and auditability. All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).

We implement role-based access control (RBAC), maintain comprehensive audit logs, and follow zero-trust principles. Our security controls are designed to align with ISO 27001 and SOC standards.

Read our Privacy Policy for information about data collection and processing.

Introduction

Security is fundamental to how we build and operate estidami software, applications and Services. This page outlines the security controls, technical safeguards, and compliance posture that protect your data and operations.

Our security approach is designed for multi-tenant energy portfolios where confidentiality, integrity, and availability are critical business requirements.

1. Core Security Controls

The foundational layers that protect data within the estidami platform:

Encryption in Transit & at Rest

All data transmitted between your browser and our services uses TLS 1.2 or higher (TLS 1.3 where supported). Data stored in our databases and file storage is encrypted at rest using AES-256 encryption by default.

Role-Based Access Control (RBAC)

Access to facilities, projects, and data is governed by granular role-based permissions. Users only see and access data within their assigned scope. Administrative privileges are separated from operational roles.

Auditability & Logging

Critical operations are logged and retained for audit purposes. Logs capture user actions, data access events, and system changes with timestamps and user identity. Logs are retained in accordance with security and compliance requirements.

Zero-Trust Principles

Authentication is required for all platform access. Session tokens have defined expiration policies. Security rules enforce data isolation between tenants and projects at the database level.

Privacy by Design

We minimize data collection to what is necessary for service delivery. Personal data processing follows GDPR principles. Customer data is logically isolated by facility and project boundaries. Data retention and deletion policies are honored upon request or contract termination.

2. Technical Safeguards

The underlying platforms and controls supporting security and resilience:

Google Cloud Infrastructure

The estidami platform, application, and services are deployed on Google Cloud Platform (Firebase and Cloud Functions). Customer deployments can be provisioned in multiple regions including US, EU, or Middle East depending on contractual requirements.

Customer-Managed Encryption Keys (CMEK) (Enterprise tier)

For customers requiring additional control over encryption keys, CMEK can be enabled to allow key management through Google Cloud KMS or a supported external key manager.

Privileged Operations Isolated Server-Side

Sensitive operations such as data extraction, normalization, and reporting are executed server-side in Cloud Functions. Client browsers never have direct access to raw uploaded files or privileged database operations.

Client Integrity Protection

Firebase App Check is enabled to verify that requests to backend services originate from authentic app instances and not abusive traffic or automated bots.

Backup & Recovery

Firestore databases are backed up daily, with weekly snapshots retained for 14 weeks. Point-in-time recovery (PITR) is available for the past 7 days.

Note: Backup and recovery controls are resilience mechanisms and do not replace or override customer data-retention or deletion policies.

3. AI & Automated Processing Controls

The estidami platform, applications, and Services include AI-assisted features designed to support analysis, not replace human judgment. AI capabilities are governed by strict security, privacy, and control principles.

Purpose-Limited AI Usage

AI is used for specific, bounded tasks such as document parsing, data normalization, anomaly detection, and draft insights. AI does not autonomously execute actions, modify customer systems, or make binding operational or financial decisions.

Human-in-the-Loop

All AI-generated outputs are reviewable, overrideable, and contextualized. Final decisions remain with the user or an assigned expert.

Data Handling & Training

Customer data processed by AI features is:

  • Used only to deliver the requested functionality
  • Not used to train or fine-tune public or shared models
  • Retained only as required for processing and auditability

Where third-party AI services are used, data handling is governed by contractual restrictions consistent with enterprise privacy and confidentiality expectations.

Access Control & Isolation

AI processing runs within the same secured cloud environment as the core platform. Access is controlled through service accounts and role-based permissions, and processing is logged for traceability.

No Autonomous Decision-Making

The applications do not perform fully automated decision-making with legal or material business impact as defined under GDPR Article 22. AI outputs are advisory in nature.

4. Platform Scope & Data Flow

Security controls are applied at every stage of the data lifecycle:

Ingestion

  • Utility bills & meter data
  • Operational system exports
  • Building controls & sensors

Processing

  • OCR & data extraction
  • Normalization & validation
  • Analytics pipelines

Storage

  • Firestore (encrypted)
  • Cloud Storage (encrypted)
  • Tenant-isolated collections

Access & Analytics

  • Dashboards & visualizations
  • Report generation
  • RBAC-enforced access

Data is hosted on Google Cloud Platform (Firebase / Firestore)

Customer deployments are provisioned in US, EU or Middle East regions depending on contractual and data-residency requirements. Data does not leave the configured region.

5. Compliance Clarity

Important

The estidami platform, applications, and Services operate on Google Cloud infrastructure that has completed ISO 27001 and SOC 1/2/3 evaluations. These certifications apply to the underlying cloud services. estidami's organizational security controls are designed to align with these standards and customer contractual requirements.

6. Security FAQ

Answers to common questions about our security implementation:

Where is data hosted?

Data is hosted on Google Cloud Platform (Firebase / Firestore). Customer deployments are provisioned in US, EU or Middle East regions depending on contractual and data-residency requirements. Data does not leave the configured region.

How often is data backed up?

Firestore databases are backed up daily, with weekly snapshots retained for 14 weeks. Point-in-time recovery is available for the past 7 days. These backups are for resilience and disaster recovery—they do not extend or override customer data-retention or deletion policies.

Do you support SSO (SAML / OIDC)?

Yes, we use Firebase Authentication, which supports Google Identity Platform for SAML and OIDC integrations. SSO setup is available for Enterprise customers and can be configured to work with your corporate identity provider.

Do you process personal data?

We process limited personal data (names, email addresses, roles) required for account management, access control, and service delivery. Energy consumption and facility data typically do not constitute personal data unless explicitly tied to named individuals. We process all data in accordance with applicable privacy laws, including GDPR where relevant. See our Privacy Policy for full details.

Penetration testing and assurance?

We perform code reviews, maintain monitoring and alerting, and align with the Firebase Security Checklist. Third-party penetration testing is available for Enterprise customers under mutual NDA and coordinated timing. Contact us if you require additional security assurance activities.

Last updated: January 4, 2026

For security concerns or to report vulnerabilities, please contact us at hello@estidami.com.