OT security posture

Facilis was designed from day one to sit safely on top of OT networks without owning them. This page documents our commitments, certification posture, and public security history so your IT and controls teams can approve the deployment in one review cycle.

OT writes: 0 (Read-only by default)
Inbound ports: 0 (Store-and-forward only)
Open CVEs: 0 (3 patched in 2026)
Last pen-test: Feb 2026 (Bishop Fox · clean)

Our commitments (7)

Read-only by default for all OT data sources

Default: off

The Facilis edge agent reads from PLCs, SCADA, historians, and sensors. It never writes to a control system unless a per-device scope grant is signed by an authorized operator and explicitly enabled in Settings. Writes are off out of the box.

No inbound network connections to the edge agent

Outbound only

The Facilis edge collector runs store-and-forward replication outbound only. It never exposes an inbound port, never hosts a management interface, and cannot be reached from the internet. Remote administration happens through the central Facilis control plane, never through the plant network.

Edge collector sits on a DMZ, not the controls LAN

DMZ-only

Facilis requires the edge agent be deployed on a DMZ or a dedicated OT historian network segment — never directly on a level-1 controls LAN. We provide a reference architecture and validate network placement during install.

Per-device write scopes with signed approval

Signed scopes

If a customer explicitly enables writes to a specific device (e.g. CMMS or MES, never a PLC control word), the scope is limited to that device, signed by an admin with MFA, recorded in an immutable audit log, and revocable with a single click.

Never writes control setpoints to a PLC

Hard guarantee

Facilis will never, under any configuration, write a control setpoint to a PLC, DCS, or safety system. Agents draft work orders and notifications; humans and downstream systems execute control changes. This is a product-level guarantee, not a toggle.

Data encrypted at rest and in transit

AES-256 / mTLS

All data in the edge buffer is encrypted with AES-256. All connections to the central control plane use mTLS with certificate pinning. Customer data in Facilis cloud is encrypted at rest using AWS KMS, with customer-managed keys available on request.

Air-gap and disconnected mode

Air-gap available

Facilis can run fully disconnected from the internet for air-gapped deployments. In this mode, agents run on the local edge with no central telemetry, no software auto-update, and no remote support. Air-gap mode is a licensed configuration, available for regulated industries.

Certifications and compliance (5)

| Certification | Standard | Status | Target |
|---|---|---|---|
| SDLA: Security Development Lifecycle Assurance — how we build secure software | ISA/IEC 62443-4-1 | In progress | Q3 2026 |
| ICSA: IIoT Component Security Assurance for the Facilis edge collector | ISA/IEC 62443-4-2 | Planned | Q2 2027 |
| SSA SL-2: System Security Assurance at Security Level 2 | ISA/IEC 62443-3-3 | Planned | Q4 2027 |
| SOC 2 Type II: Independent audit of availability, confidentiality, integrity controls | AICPA | In progress | Q2 2026 |
| ISO 27001: Information Security Management System certification | ISO/IEC | Planned | Q1 2027 |

Facilis is pre-certification for ISA/IEC 62443 component assurance. SDLA (development lifecycle) is our Q3 2026 target. Customers in regulated industries can request our current Security Development Plan under NDA for their own risk assessment.

Reference network placement

┌──────────────────────────┐
│      Facilis Cloud       │   central control plane · mTLS only
└──────────────▲───────────┘
               │ outbound replication, no inbound
═══════════════│═════════════  WAN boundary
               │
┌──────────────┴───────────┐
│   DMZ / historian net    │   Level 3 (ISA-95)
│                          │
│   Facilis edge agent     │   outbound-only, no listening ports
│   (read-only)            │
└──────────────▲───────────┘
               │ OPC-UA / Modbus / MQTT · read-only
═══════════════│═════════════  OT boundary
               │
┌──────────────┴───────────┐
│   Level 2 · SCADA/HMI    │
│   Level 1 · PLC / DCS    │   Facilis never connects here directly
│   Level 0 · sensors/IO   │
└──────────────────────────┘

The Facilis edge agent sits at ISA-95 Level 3 on a DMZ or historian network. It reads via standard industrial protocols and never has direct connectivity to Level 1 controllers or Level 0 safety I/O. All replication to the Facilis cloud is outbound-only.

Independent penetration tests (3)

| Firm | Scope | Date | Result |
|---|---|---|---|
| Bishop Fox | Full platform + edge agent | Feb 2026 | No criticals · 2 medium, resolved |
| NCC Group | Edge agent binary + firmware | Oct 2025 | No criticals · 1 high, resolved |
| Trail of Bits | OT network boundary | Jun 2025 | No criticals · 3 medium, resolved |

Full reports and remediation evidence available under NDA.

CVE disclosures (3)

| ID | Date | Severity | Title | Status |
|---|---|---|---|---|
| FAC-2026-003 | Mar 14, 2026 | Medium | Edge agent: log file permission bypass on restart | Patched in v3.4.1 |
| FAC-2026-002 | Feb 02, 2026 | Low | Web console: reflected XSS in search query parameter | Patched in v3.3.9 |
| FAC-2026-001 | Jan 11, 2026 | Medium | OPC-UA adapter: insufficient certificate validation | Patched in v3.3.7 |

Zero open CVEs. We publish every vulnerability with a coordinated disclosure window. View our disclosure policy.

Details

Hosting: AWS · us-east-1, us-west-2, eu-west-1
Data residency: Selectable per workspace
Encryption at rest: AES-256 (KMS)
Encryption in transit: mTLS with certificate pinning
Customer-managed keys: Available on Enterprise
Backup / DR: Cross-region, 15-min RPO
Incident response SLA: 1h ack, 4h update
Bug bounty: HackerOne private program