Security

How Celaxis connects to your building — and what it can and cannot touch.

Celaxis connects to your BMS via BACnet/IP or REST API — outbound-only, no inbound ports opened, no hardware installed on your network. Control-mode write access is available but must be explicitly enabled zone by zone, after your team approves the thermal model.

Default connection posture
Sensor reads: Enabled by default
Schedule writes: Opt-in per building
Setpoint writes: Opt-in per zone
Manual override respected: Always

Celaxis connects outbound from your BMS. No inbound ports, no hardware to install.

Celaxis connects to your BMS via BACnet/IP or REST API from the BMS host or supervisory controller — the same network layer your BMS operator workstation occupies. All Celaxis traffic is outbound: your BMS's supervisor sends telemetry and receives setpoint commands over an encrypted HTTPS connection to Celaxis Cloud. There is no inbound connection from the internet to your OT network, no VPN tunnel, and no hardware to procure or install.

We are not a BMS replacement and we are not a parallel control layer — Celaxis sits at the operator-command level, issuing BACnet Write Property requests at priority 10. If our cloud connection drops, BACnet priority 10 expires and your BMS schedule resumes unchanged. Your existing BMS logic is always the fallback.
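The priority behaviour described above can be traced on a model of a BACnet commandable object. This is an added example, not Celaxis code; the schedule writing at priority 16 and the lease timer standing in for "expires" are assumptions, since the page states neither.

```python
# Added illustration, not Celaxis code: a model of one BACnet commandable
# object's 16-slot priority array.
MANUAL_OPERATOR = 8   # standard BACnet level for manual operator commands
OPTIMIZER = 10        # the priority the page says Celaxis writes at
SCHEDULE = 16         # assumption: the BMS schedule commands at priority 16


class CommandableSetpoint:
    """Present_Value is the lowest-numbered slot that is not NULL."""

    def __init__(self, relinquish_default):
        self.relinquish_default = relinquish_default
        self.slots = [None] * 16   # None models BACnet NULL
        self.deadline = {}         # priority -> lease end (assumed mechanism)

    def write(self, value, priority, now=0.0, lease_s=None):
        """WriteProperty; value=None relinquishes that priority slot."""
        if not 1 <= priority <= 16:
            raise ValueError("BACnet priority must be 1..16")
        self.slots[priority - 1] = value
        self.deadline.pop(priority, None)
        if value is not None and lease_s is not None:
            self.deadline[priority] = now + lease_s

    def present_value(self, now=0.0):
        # Relinquish any slot whose writer stopped renewing its lease.
        for priority, end in list(self.deadline.items()):
            if now >= end:
                self.slots[priority - 1] = None
                del self.deadline[priority]
        for value in self.slots:
            if value is not None:
                return value
        return self.relinquish_default


def demo():
    """Constructed scenario; times are seconds, temperatures are degrees C."""
    sp, seen = CommandableSetpoint(relinquish_default=22.0), {}
    sp.write(23.0, SCHEDULE)                        # BMS schedule value
    sp.write(25.0, OPTIMIZER, now=0, lease_s=900)   # cloud-issued setpoint
    seen["optimizer_active"] = sp.present_value(now=10)
    sp.write(21.0, MANUAL_OPERATOR, now=20)         # operator overrides
    seen["manual_override"] = sp.present_value(now=30)
    sp.write(None, MANUAL_OPERATOR, now=40)         # operator releases
    seen["override_released"] = sp.present_value(now=50)
    seen["link_lost"] = sp.present_value(now=1000)  # lease lapsed, no renewal
    return seen
```

The last result depends entirely on the lease: a priority-array slot holds its value until NULL is written to it, so the release-on-disconnect mechanism is the thing to ask about in a review.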

[Diagram: BMS supervisor layer (JCI / Siemens, Honeywell / Trane, Niagara N4) connected over BACnet/IP at operator level to Celaxis (BACnet priority 10 setpoint reads/writes, no hardware install), which connects over outbound HTTPS (no inbound) to Celaxis Cloud (thermal model, tariff intelligence, schedule engine; AWS us-west-2).]

Celaxis integrates at the BMS supervisor layer — not at the PLC or field device layer.

The Celaxis software connects at the same network level as a BMS operator workstation — your BAS/BMS supervisory controller. It does not communicate with PLCs, field controllers, fire safety systems, or utilities infrastructure. The data it reads and writes (zone temperature, setpoints, occupancy booleans) are standard BMS operator data, not critical infrastructure commands.

Your OT network segmentation remains intact. Celaxis does not bridge OT and IT traffic — it uses the existing supervisory network path your BMS already exposes for operator access, and transmits only normalized telemetry outbound over HTTPS.

Your IT team does not need to open inbound firewall rules. The connection initiates from your BMS network outbound — standard practice for cloud-connected supervisory software.

Connection security posture
Inbound ports required: None
Traffic direction: Outbound HTTPS only
Hardware to install: None
BMS access level: Operator (not admin)
Setpoint write scope: BACnet priority 10, zone objects only

Data handling and certification status

SOC 2 Type II

We are not currently SOC 2 Type II certified. We are designing our data handling and access controls toward that framework. If your procurement requires SOC 2 certification, we will provide a written security assessment and discuss timeline. We don't claim compliance we don't have.

Data isolation

All building telemetry is stored in isolated, tenant-specific data stores. Portfolio plan customers with multiple buildings have building-level isolation within their account.

Encryption

All data in transit is sent over TLS 1.3. All data at rest is encrypted with AES-256. The gateway's local buffer is encrypted with a device-specific key generated during provisioning.

Security review before the pilot?

Send us your IT security questionnaire — we complete it. We can also provide a full architecture diagram, connection credential documentation, and a direct conversation with our engineering team before the BMS connection is established. OT systems warrant that level of review and we expect it.
