How Celaxis connects to your building — and what it can and cannot touch.
Celaxis connects to your BMS via BACnet/IP or REST API — outbound-only, no inbound ports opened, no hardware installed on your network. Control-mode write access is available but must be explicitly enabled zone by zone, after your team approves the thermal model.
Celaxis connects outbound from your BMS. No inbound ports, no hardware to install.
Celaxis connects to your BMS via BACnet/IP or REST API from the BMS host or supervisory controller — the same network layer your BMS operator workstation occupies. All Celaxis traffic is outbound: your BMS's supervisor sends telemetry and receives setpoint commands over an encrypted HTTPS connection to Celaxis Cloud. There is no inbound connection from the internet to your OT network, no VPN tunnel, and no hardware to procure or install.
We are not a BMS replacement and we are not a parallel control layer — Celaxis sits at the operator-command level, issuing BACnet Write Property requests at priority 10. If our cloud connection drops, BACnet priority 10 expires and your BMS schedule resumes unchanged. Your existing BMS logic is always the fallback.
Celaxis integrates at the BMS supervisor layer — not at the PLC or field device layer.
The Celaxis software connects at the same network level as a BMS operator workstation — your BAS/BMS supervisory controller. It does not communicate with PLCs, field controllers, fire safety systems, or utilities infrastructure. The data it reads and writes (zone temperature, setpoints, occupancy booleans) are standard BMS operator data, not critical infrastructure commands.
Your OT network segmentation remains intact. Celaxis does not bridge OT and IT traffic — it uses the existing supervisory network path your BMS already exposes for operator access, and transmits only normalized telemetry outbound over HTTPS.
Your IT team does not need to open inbound firewall rules. The connection initiates from your BMS network outbound — standard practice for cloud-connected supervisory software.
Data handling and certification status
SOC 2 Type II
We are not currently SOC 2 Type II certified. We are designing our data handling and access controls toward that framework. If your procurement requires SOC 2 certification, we will provide a written security assessment and discuss timeline. We don't claim compliance we don't have.
Data isolation
All building telemetry is stored in isolated, tenant-specific data stores. Portfolio plan customers with multiple buildings have building-level isolation within their account.
Encryption
All data in transit via TLS 1.3. All data at rest encrypted with AES-256. Gateway local buffer encrypted with a device-specific key generated during provisioning.
Security review before the pilot?
Send us your IT security questionnaire — we complete it. We can also provide a full architecture diagram, connection credential documentation, and a direct conversation with our engineering team before the BMS connection is established. OT systems warrant that level of review and we expect it.
Contact us