
Compliance And Security

Turbit is committed to maintaining the world's highest standards of data security, regulatory compliance, and operational integrity across all its products. As part of our mission to build the intelligent risk infrastructure for renewable energy, we ensure that our technology and processes exceed your expectations of global compliance and quality standards.

Quality And Certifications

We implement strict quality management systems to ensure reliability and trust in our AI solutions for monitoring, data management, and insurance integration.

ISO 27001 Certification

Turbit is currently undergoing certification according to ISO/IEC 27001, expected to be completed in the first quarter of 2026. Internal policies, controls, and audits are already in place to align with this standard.

Critical Infrastructure

Almost all Turbit customers are classified as operators of critical infrastructure. Verification for these customers has been completed through detailed infrastructure and security plans. Turbit does not have direct access to control systems of wind or solar parks, which limits security exposure and simplifies verification processes.

Documentation for Customers

Security overview and infrastructure plans are available on request.

Customer Data Protection and Encryption

Data Scope

  • Operational data like SCADA, status codes, sensor signals, performance and maintenance information
  • Customer data: Only essential business contact details are stored

Encryption

  • In transit: TLS for all interfaces.
  • At rest: encrypted storage on EU-hosted infrastructure.

Data Residency

  • All storage and processing are in the European Union.

Hosting and Storage

Provider and Location

Our servers are European bare-metal servers located in EU data centers that meet ISO 27001. Only Turbit has access to them.

Architecture

Production services and databases run redundantly, with at least three services across distinct data centers. Private networking, segmentation, and firewalls protect all interfaces.

Secure Development Practices

  • Structured SDLC with security reviews on changes.
  • Changes tracked via RFCs and Architectural Decision Records.
  • Weekly automated updates of services and operating systems.
  • Only packages vetted by the cybersecurity team are permitted.
  • Continuous monitoring of security advisories with rapid patching.

Access Controls

Account Lifecycle

  • Manual user creation, immediate revocation available.
  • Semi-automated periodic access reviews.
  • Planned controls: automatic deactivation of inactive accounts and enforced password rotation for critical services.

Authentication and Interfaces

  • Multi-factor authentication supported.
  • API access via API keys, OAuth 2.0, or certificates.
  • Remote access via 2FA, SSH key authentication, OpenVPN, and OAuth.

Least Privilege

  • Role-Based Access Control for employees, customers, and suppliers.

Corporate Security

  • Connections to external facilities are provisioned through the Turbit support ticket system.
  • Only trained and authorized personnel may access these environments.
  • Passwords are exchanged via a secure one-time transfer system (Share a secret - One Time).

Threat and Vulnerability Management

Prevention and Detection

  • Network segmentation and firewalls in place.
  • WORM log storage and monitoring with fraud-detection analytics, SIEM, and IDS.

Patch and Vulnerability Process

  • Continuous monitoring of cybersecurity alerts.
  • Vulnerabilities triaged in the internal ticket system and remediated according to criticality.

Backup, Recovery, and Business Continuity

  • Hot backups at least weekly.
  • Quarterly offline cold backups, stored offsite.
  • Monthly automated restore tests and semi-annual manual exercises.

Logging and Auditability

Comprehensive audit logging is being rolled out for ISO alignment, capturing logins, access, configuration changes, and admin actions in WORM storage.

EU AI Act Compliance

Turbit's AI for monitoring is classified as minimal/limited risk without autonomous safety-critical control. We implement transparency, explainability, and human oversight throughout our AI products in accordance with GDPR and the EU AI Act.

Need our security docs?

Data Processing Agreements, security overviews and infrastructure plans are available on request.