Skip to content
Turbit

Compliance And Security

Turbit is committed to maintaining the world's highest standards of data security, regulatory compliance, and operational integrity across all its products. As part of our mission to build the intelligent risk infrastructure for renewable energy, we ensure that our technology and processes exceed your expectations of global compliance and quality standards.

Jurisdiction:
Federal Republic of Germany
Data residency:
European Union
Hosting:
EU bare-metal · ISO 27001 DCs
Encryption
TLS in transit · at rest
Data residency
EU only
Hosting
ISO 27001 EU data centers

How we operate

The controls, processes and architecture behind every Turbit product.

Quality And Certifications

We implement strict quality management systems to ensure reliability and trust in our AI solutions for monitoring, data management, and insurance integration.

ISO 27001 Certification

Turbit is currently undergoing certification according to ISO/IEC 27001, expected to be completed in the first quarter of 2026. Internal policies, controls, and audits are already in place to align with this standard.

Critical Infrastructure

Almost all Turbit customers are classified as operators of critical infrastructure. Verification for these customers has been completed through detailed infrastructure and security plans. Turbit does not have direct access to control systems of wind or solar parks, which limits security exposure and simplifies verification processes.

Documentation for Customers

Security overview and infrastructure plans are available on request.

Subprocessor list

A current subprocessor list is available under NDA — request it together with our DPA via the contact form below.

Customer Data Protection and Encryption

Data Scope

  • Operational data like SCADA, status codes, sensor signals, performance and maintenance information
  • Customer data: Only essential business contact details are stored

Encryption

  • In transit: TLS for all interfaces.
  • At rest: encrypted storage on EU-hosted infrastructure.

Data Residency

  • All storage and processing are in the European Union.

Hosting and Storage

Provider and Location

Our server are positioned in European bare-metal servers in EU data centers that meet ISO 27001. Only Turbit has access to them.

Architecture

Production services and databases run redundantly, at least three services across distinct data centers. Private networking, segmentation, and firewalls protect all interfaces.

Secure Development Practices

  • Structured SDLC with security reviews on changes.
  • Changes tracked via RFCs and Architectural Decision Records.
  • Weekly automated updates of services and operating systems.
  • Only packages vetted by the cybersecurity team are permitted.
  • Continuous monitoring of security advisories with rapid patching.

Access Controls

Account Lifecycle

  • Manual user creation, immediate revocation available.
  • Semi-automated periodic access reviews.
  • Planned controls: automatic deactivation of inactive accounts and enforced password rotation for critical services.

Authentication and Interfaces

  • Multi-factor authentication supported
  • API access via API keys, OAuth 2.0, or certificates.
  • Remote access via 2FA, SSH key authentication, OpenVPN, and OAuth.

Least Privilege

  • Role-Based Access Control for employees, customers, and suppliers.

Corporate Security

  • Connections to external facilities are provisioned through the Turbit support ticket system.
  • Only trained and authorized personnel may access these environments.
  • Passwords are exchanged via secure one-time transfer system (Share a secret - One Time).

Personnel

  • All employees complete annual security training and phishing drills.
  • NDAs signed on hire.

Threat and Vulnerability Management

Prevention and Detection

  • Network segmentation and firewalls in place.
  • WORM log storage and monitoring with fraud-detection analytics, SIEM, and IDS.

Patch and Vulnerability Process

  • Continuous monitoring of cybersecurity alerts.
  • Vulnerabilities triaged in the internal ticket system and remediated according to criticality.

Breach notification

We notify affected data controllers within 72 hours of a confirmed personal-data breach, in line with GDPR Article 33.

Responsible disclosure

Found a vulnerability? Report it via the contact form below — every submission is triaged by our engineering team.

Backup, Recovery, and Business Continuity

  • Hot backups at least weekly.
  • Quarterly offline cold backups, stored offsite.
  • Monthly automated restore tests and semi-annual manual exercises.

Logging and Auditability

Comprehensive audit logging is being rolled out for ISO alignment, capturing logins, access, configuration changes, and admin actions in WORM storage.

EU AI Act Compliance

Turbit's AI for monitoring is classified as minimal/limited risk without autonomous safety-critical control. We implement transparency, explainability, and human oversight throughout our AI products in accordance with GDPR and the EU AI Act.

NIS2 support for operators

Turbit's documentation, audit logs and breach-notification commitments support our customers' NIS2 obligations under Annex I — risk analysis, incident handling and supply-chain security.

Security questions during evaluation?

Our team partners with your security and procurement leads to share Data Processing Agreements, security overviews and infrastructure plans, and to work through any vendor questionnaire.