
Trust & Security
Secure monitoring without opening your OT network
ISO 27001 certified. ISO 9001 certified. NIS2 aligned.
SAM4 is designed for industrial environments where IT/OT separation matters. Devices can send encrypted outbound data over cellular, so monitoring does not require inbound access, open ports, or a connection into your OT network. Ethernet or Wi-Fi can be used where your security team approves it. SAM4 reads current and voltage for monitoring; it does not control equipment or send commands to assets.
Certified, tested, and aligned
Three different kinds of evidence sit behind this page: independent certifications, an annual independent test, and a self-assessed framework alignment. We show them separately so reviewers can judge each on its own terms.
ISO 27001 — Information security management
Certified ISMS covering data handling, access control, incident response, supplier management, and software delivery.
Evidence available: certificate, security documentation, control summary.
ISO 9001 — Quality management
Certified quality management system covering hardware production, software development, customer operations, and service delivery.
Evidence available: certificate and quality scope.
Annual penetration testing
Conducted annually by Secura, a CREST-accredited independent security firm. The most recent test found no outstanding critical or high vulnerabilities.
Evidence available: executive summary under NDA.
NIS2 alignment
SAM4's architecture, network isolation, access control, incident response, supplier processes, and operational controls are mapped against NIS2 expectations for essential and important entities.
Evidence available: NIS2 alignment summary and security questionnaire.
What data leaves your site, and what does not
SAM4 uses a narrow data architecture by design. It collects three-phase current and voltage waveforms from the motor control cabinet, plus the device and asset metadata needed to operate the service. It does not collect process variables, SCADA tags, PLC data, production data, video, or personal data. Data is digitised at the cabinet, encrypted, and transmitted outbound to Samotics' EU cloud infrastructure.
Diagram: Motor supply → SAM4 / NOVAQ gateway → Encrypted outbound connection → Samotics EU cloud → Customer access
Not collected: PLC logic · SCADA tags · process variables · production data · video · personal data
What SAM4 collects
Three-phase current and voltage waveform data from the motor supply, plus the device and asset metadata required to operate the service: asset ID, timestamp, gateway status, and configuration state.
Not collected: process variables, PLC logic, production data, video, or personal data.
Where it is stored
SAM4 data is stored in AWS EU data centres in Ireland. Processing is GDPR-compliant. Customers retain control over their data and can request export or deletion according to contract and retention policy.
How it gets there
The NOVAQ gateway initiates outbound connections to the Samotics platform. Data is encrypted in transit (TLS 1.2) and at rest (AES-256). No inbound ports need to be opened on the customer network.
Connectivity options
Three paths from cabinet to cloud. Cellular-first deployment keeps SAM4 off your OT network entirely.
4G/5G Cellular (recommended)
NOVAQ uses its own SIM card and cellular modem. Traffic never enters your IT or OT network. No firewall rules, no VLAN configuration, no IT involvement. This is the default for remote and difficult sites.
Ethernet (customer network)
NOVAQ connects to a dedicated monitoring VLAN on your network. HTTPS (port 443). All connections initiated by the gateway. No open inbound ports. Suitable where cellular coverage is limited or IT prefers network visibility.
WiFi
Where Ethernet and cellular are impractical. Same gateway-initiated protocol. Same encryption. No open inbound ports.
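One way a site security team could check the Ethernet path's stated behaviour (gateway-initiated HTTPS on port 443, no inbound sessions, no path into OT) against its own firewall session logs. This is an added example, not Samotics code; the log format, IP addresses, subnets and finding names are constructed assumptions.

```python
import ipaddress

# Assumptions constructed for this example (not vendor values):
GATEWAY = ipaddress.ip_address("10.50.0.10")      # NOVAQ on the monitoring VLAN
OT_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # site OT control subnets
ALLOWED_PORTS = {443}                             # HTTPS, the only port the page names
# DNS/NTP are not mentioned on the page; allow-list them if the deployment needs them.

# Constructed firewall session log: src is the session initiator.
SAMPLE_LOG = """\
2026-01-12T08:00:01Z src=10.50.0.10 dst=203.0.113.20 dport=443 proto=tcp
2026-01-12T08:00:07Z src=10.50.0.10 dst=10.20.4.15 dport=502 proto=tcp
2026-01-12T08:01:30Z src=198.51.100.7 dst=10.50.0.10 dport=22 proto=tcp
2026-01-12T08:02:00Z src=10.50.0.10 dst=203.0.113.20 dport=8883 proto=tcp
2026-01-12T08:02:05Z src=10.60.1.5 dst=10.60.1.9 dport=443 proto=tcp
"""

def parse(line):
    """Split one 'timestamp key=value ...' record into typed fields."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    return (ts, ipaddress.ip_address(rec["src"]),
            ipaddress.ip_address(rec["dst"]), int(rec["dport"]), rec["proto"])

def audit(log_text):
    """Return (timestamp, finding) for sessions that contradict the stated design."""
    findings = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts, src, dst, dport, proto = parse(line)
        if dst == GATEWAY:
            # Any session initiated towards the gateway breaks "no inbound".
            findings.append((ts, "inbound-session-to-gateway"))
        elif src == GATEWAY:
            if any(dst in net for net in OT_NETS):
                findings.append((ts, "gateway-to-ot-network"))
            elif proto != "tcp" or dport not in ALLOWED_PORTS:
                findings.append((ts, "unexpected-egress-port"))
        # Sessions not involving the gateway are out of scope here.
    return findings

if __name__ == "__main__":
    for ts, finding in audit(SAMPLE_LOG):
        print(ts, finding)
```
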
SAM4 in your IT estate
Where the gateway sits and how alerts reach the people and systems that act on them.
Security controls from cabinet to cloud
SAM4 is designed around a narrow, outbound-only data path. The device measures current and voltage, sends encrypted data to the Samotics platform, and does not control plant equipment. Security starts with separation at the site and continues through encryption, access control, monitoring, and vulnerability management.
Diagram: MCC measurement → SAM4 device → Outbound encrypted connection → EU cloud platform → Customer access
No PLC writes · No inbound ports · No process-control access · No video · No personal data
Passive measurement only
SAM4 measures electrical signals only. It does not write to PLCs, issue control commands, change setpoints, or interact with process control systems.
Read-only by design and by physics.
Network isolation
SAM4 devices can use cellular or a segregated network path. No inbound access is required. No open inbound ports. No bridge into OT control systems.
Encrypted transport and storage
Data is encrypted in transit and at rest. Device authentication uses certificates rather than shared secrets.
EU cloud infrastructure
SAM4 data is processed in AWS EU data centres in Ireland. Infrastructure is managed as code, monitored continuously, and reviewed against Samotics' security controls.
Access control and audit logging
Role-based access control, SSO support, session controls, and audit logs help restrict and trace access to customer data.
Vulnerability and incident management
Samotics uses automated vulnerability scanning, secure development practices, code review, threat modelling, annual penetration testing, and incident response procedures.
These controls are covered by Samotics' ISO 27001-certified information security management system and supported by annual independent security testing.
Security controls overview
How SAM4 maps to enterprise security requirements.
| Domain | Control | Standard | Last reviewed |
|---|---|---|---|
| Identity & Access | Role-based access, least privilege, regular access reviews | ISO 27001 | January 2026 |
| Encryption | TLS 1.2 in transit, AES-256 at rest | ISO 27001 | January 2026 |
| Network | Separate VLAN or cellular, gateway-initiated connections, no open inbound ports | ISO 27001 | January 2026 |
| Infrastructure | Infrastructure as code (Terraform), compliance scanning, no internet-facing admin | ISO 27001 | January 2026 |
| Application | Code reviews, automated builds, threat modelling, vulnerability scanning | ISO 27001 | January 2026 |
| Monitoring | VPC flow logs, event log analysis, 24/7 infrastructure monitoring | ISO 27001 | January 2026 |
| Personnel | Background checks, NDA clauses, managed endpoints, access reviews | ISO 27001 | January 2026 |
| Penetration Testing | Annual tests by Secura. No outstanding critical or high vulnerabilities. | ISO 27001 | March 2025 |
Regulatory compliance
SAM4 meets EU cybersecurity and data protection requirements.
NIS2 Directive
Gateway-initiated architecture, network isolation, and incident response procedures align with NIS2 requirements for essential and important entities in energy, water, and manufacturing.
GDPR
All customer data processed and stored in EU AWS data centres (Ireland). Data processing agreements available. Customer data is owned by you and can be exported or deleted on request.
IEC 62443
Security controls map to IEC 62443 principles for industrial automation security: network segmentation, access control, and secure-by-default device configuration.
SAM4 analytics are cloud-based. The NOVAQ gateway initiates all connections: it transmits measurement data outbound and retrieves configuration updates by polling the cloud. No open inbound ports exist on your network. The system is designed so that the cloud cannot push commands to the gateway or to plant equipment.
How security review works
The typical path from first conversation to approved deployment. We support your IT and security team at every step.
Request documentation
Download our ISO 27001 certificate, architecture diagram, and security overview. Available immediately.
Internal review
Your security team reviews the documentation package. We provide a pre-filled security questionnaire covering common enterprise requirements.
Technical session
Our solutions engineers walk through the architecture with your IT, OT, or network security team. We address specific deployment questions for your environment.
Deployment planning
Select the connectivity path (cellular, Ethernet, or WiFi). Define VLAN configuration if applicable. Confirm data residency and access controls.
Approved
SAM4 is installed in the motor control cabinet. The average time from documentation request to approved deployment is 4 to 6 weeks.
IT/OT checklist
The questions your security team will ask, and the answers they need to approve SAM4.
| Question | Answer |
|---|---|
| Does it touch the control network? | No. Separate VLAN or cellular. All connections gateway-initiated. |
| Can it control plant equipment? | No. Passive current measurement only. Read-only by physics. |
| Where is data stored? | AWS EU data centres (Ireland). GDPR-compliant. |
| Is data encrypted? | TLS 1.2 in transit. AES-256 at rest. |
| Does it require open firewall ports? | No. All connections are gateway-initiated. No open inbound ports. |
| Is it independently audited? | ISO 27001 certified. Annual penetration testing by Secura (CREST-accredited). |
| Can we restrict user access? | Yes. RBAC with SSO. |
| What data does it collect? | Electrical current and voltage waveforms only. No process data. |
| Can it avoid our OT network? | Yes. 4G/5G cellular uses a separate path entirely. |
| What connectivity options are supported? | Cellular (default), Ethernet, or WiFi. |
Request security documentation
Select the documents you need. We deliver them immediately. No sales follow-up unless you want it.
Available documents:
- ISO 27001 Certificate
- Penetration Test Summary
- Architecture Diagram
- Data Processing Agreement
- NIS2 Compliance Summary
- Pre-filled Security Questionnaire
All documents shared under NDA. Work email required.
Security FAQ
SAM4 analytics run in the cloud. The NOVAQ edge device collects and transmits data. No processing happens on your network. For enterprise customers with regulatory requirements that prevent cloud deployment, on-premise options are available. Contact our team to discuss.
No. SAM4 measures electrical current through passive current transformers. It has no physical or logical connection to control systems, PLCs, or SCADA networks. The measurement is passive and read-only by design.
Yes. With 4G/5G cellular connectivity, the NOVAQ gateway uses its own SIM card and modem. Traffic never enters your IT or OT network. This is the default for remote sites and the recommended path for organisations with strict OT network policies.
The NOVAQ device buffers data locally and resumes upload when connectivity returns. No data is lost. The monitored asset continues running normally. SAM4 never affects plant operations.
Our ISO 27001 ISMS includes a documented incident response procedure. Customers are notified within 24 hours of any confirmed security incident affecting their data. We conduct post-incident reviews and publish findings to affected customers.
ISO 27001 certificate, architecture diagram, data processing agreement, NIS2 compliance summary, and a pre-filled security questionnaire. All available under NDA. We also offer direct sessions with our solutions engineers for your IT or security team.
The NOVAQ device buffers data locally before each outbound transmission. Data is always stored temporarily on the device. For environments that require extended local retention before cloud upload, contact our technical team.
Start the security review
ISO 27001 certificate, architecture diagram, security questionnaire. Everything your IT team needs to approve SAM4.
