Security & Compliance
SOC 2 Type II certified.
Cellular architecture.
No corporate network dependency.
SAM4's security architecture is designed for one thing: passing your IT/OT review. Certified, audited, and built so that your corporate network is never involved.
Certifications
Audited. Certified. Documented.
These aren't logo badges. Each certification has a defined scope, an independent auditor, and documentation you can hand directly to your security team.
SOC 2 Type II
Independent auditor assessment of security, availability, and confidentiality controls — evaluated over a sustained period, not a single snapshot. Covers the SAM4 platform, data processing pipeline, and cloud infrastructure.
Scope: SAM4 platform, data pipeline, cloud infrastructure
ISO 27001
Information security management system certification. Covers risk assessment, access control policies, incident management, and continuous improvement of security practices across the organisation.
Scope: Organisation-wide information security management
ISO 9001
Quality management system certification. Ensures consistent processes for product development, service delivery, and customer support. Relevant for enterprise procurement that requires QMS compliance.
Scope: Product development, service delivery, customer operations
NIS2 Compliance
Aligned with the EU Network and Information Security Directive (NIS2). Relevant for customers in critical infrastructure sectors — water, energy, chemicals — where NIS2 compliance is mandatory for suppliers.
Scope: Critical infrastructure supply chain requirements
Network architecture
Cellular, not corporate. The single most important architectural decision.
SAM4 data travels over cellular networks (4G/LTE) from the gateway to the cloud. Your corporate network — WiFi, LAN, SCADA, OT — is never touched. This is the point that changes the security conversation.
No firewall changes
The gateway communicates outbound over cellular. No inbound connections to your network. No firewall rules to create, no ports to open, no VPN tunnels to configure.
No corporate WiFi or LAN
The data path is entirely separate from your IT and OT networks. There is no logical or physical connection between the SAM4 gateway and your corporate infrastructure.
No IT involvement for deployment
Because connectivity is cellular, your IT team doesn't need to provision anything: no network architecture review for connectivity, no change requests, and no IT project timeline to manage.
OT network isolation preserved
SAM4 never connects to the OT network. The CT/VT clamps are passive sensors — they read current and voltage. They do not inject signals, send commands, or interact with motor controllers.
The cellular architecture isn't just a convenience — it's the reason SAM4 can be deployed in weeks instead of the months that IT/OT convergence projects typically require.
Data security
Encrypted in transit. Encrypted at rest. Audited continuously.
The specifics your security review will ask for — addressed directly.
Encryption in transit
All data transmitted from the gateway to the cloud uses TLS 1.2+ encryption over the cellular connection. API communications between SAM4 components use mutual TLS authentication.
Encryption at rest
All stored data is encrypted using AES-256. This covers raw signal data, processed analytics, diagnostic reports, and customer configuration data. Encryption keys are managed through a dedicated key management service.
Data residency
SAM4 cloud infrastructure is hosted in the EU (primary) with configurable data residency options for customers with specific geographic requirements. Data sovereignty requirements are addressed during onboarding.
Access controls & audit logging
Role-based access control (RBAC) with SSO integration. All access events are logged and auditable. Administrative actions are tracked with full audit trails. Session management includes automatic timeout and re-authentication.
Security documentation
Download the docs your review requires
Request the specific documents you need. They download immediately — no waiting for a sales follow-up.
Available documents
- SOC 2 Type II Report
- ISO 27001 Certificate
- Architecture Diagram
- NIS2 Compliance Summary
Regulatory alignment
Built for regulated industries
SAM4 operates in water utilities, chemical plants, oil & gas facilities, and critical infrastructure. The platform's security posture reflects the regulatory requirements of these sectors.
NIS2 Directive
The EU Network and Information Security Directive requires entities in essential sectors to manage cybersecurity risk across their supply chain. SAM4's certifications and cellular architecture support customer NIS2 compliance obligations.
OFWAT / Water industry
UK water utilities face regulatory requirements around operational resilience, pollution prevention, and data protection. SAM4's monitoring data supports regulatory reporting while meeting Ofwat's expectations for supplier security.
ATEX / Hazardous environments
SAM4 hardware installs in the safe zone (MCC), not in ATEX-classified areas. No ATEX certification is required for the monitoring hardware because it never enters the hazardous zone.
GDPR / Data protection
SAM4 processes industrial equipment data, not personal data. Where user account data is involved, Samotics complies with GDPR requirements including data minimisation, right to access, and right to deletion.
Questions about our security architecture?
If the documentation above doesn't cover your specific requirements, our team can walk through the architecture in detail. We're used to IT/OT security reviews.