Security at a Glance

Security Overview
This overview describes Connectiware-managed appliances and software in general, not any single SKU. Product-specific security documentation, hardening details, and compliance materials are provided through Certified Integration Partners or under non-disclosure agreement.

Security Overview
  • Purpose-built software and appliance solutions.
  • Deployed and supported by Certified Integration Partners.
  • Hardened baseline configurations applied by default.
  • Least-privilege execution model enforced.
  • Application allowlisting implemented where supported.
  • Secure boot and disk encryption enabled on supported platforms.
  • No consumer telemetry or unauthorized data collection
Deployment & Operation

  • Runs as a Windows service during normal operation.
  • Configuration performed via authorized local application.
  • No always-on interactive user sessions required.
  • No remote command-and-control functionality.
  • Customer-owned infrastructure and network.
Data & Network Security
  • Explicit inbound and outbound communication model.
  • Encrypted communications using industry-standard protocols.
  • No inbound internet exposure by default.
  • Network behavior fully documentable and restrictable.
Identity & Access
  • Dedicated non-administrator service account.
  • Separation of runtime & configuration roles.
  • No shared or hard-coded credentials.
  • Local access restricted to authorized personnel.
Logging & Auditability
  • Windows Event Log integration.
  • Application-level logging enabled.
  • Log retention configurable to customer requirements.
Compliance Alignment
  • Security controls aligned with SOC 2 principles.
  • Hardening informed by NIST guidance.
  • Software Bill of Materials (SBOM) maintained.
  • Detailed security documentation available under NDA.

Security in Depth

Connectiware products are designed as purpose-built software components and appliances intended to operate as part of a controlled enterprise or operational technology environment. Depending on the product, functionality is delivered through one or more of the following components:

  • A background service or agent responsible for runtime operation.
  • local configuration or management application, used only when authorized
    configuration or maintenance is required.
  • Optional appliance hardware provided by the integrator or vendor.

Runtime Operation
During normal operation, Connectiware products execute as a non-interactive background service or agent. They do not require an active user session, desktop interaction, or continuous administrative access.
The runtime component is designed to:

  • Start automatically with the operating system.
  • Operate without user intervention.
  • Continue functioning independently of local user logins.

This model reduces attack surface and aligns with enterprise expectations for unattended infrastructure components.

Configuration and Maintenance Model
Configuration, programming, and administrative tasks—where applicable—are performed through a separate local application or interface. This configuration capability:

  • Is not required for normal runtime operation.
  • Is intended for use by authorized personnel only.
  • May require elevated privileges depending on system configuration.
  • Is typically used during installation, commissioning, or planned maintenance.

This separation ensures that operational runtime remains isolated from configuration activities.

Service Health Endpoints
Connectiware and Connectimon expose local-only health endpoints to support external monitoring and service supervision.
These endpoints:

  • Bind exclusively to the local loopback interface (localhost).
  • Are not accessible remotely or over the network.
  • Provide read-only health and readiness information.
  • Do not expose configuration, credentials, or control functionality.

Health endpoints are intended solely for use by local monitoring tools and supervisory processes to verify service liveness, readiness, and operational status.

Remote Access Characteristics
Connectiware products do not include embedded remote command-and-control functionality. Remote access, if required, is:

    • Provided by customer-approved tools and processes.
    • Governed by customer security policy.
    • External to the Connectiware product itself.

    This design ensures that customers retain full control over how, when, and whether remote access is permitted.

    Deployment Context
    Connectiware products are deployed:

    • On customer-owned or customer-approved infrastructure.
    • By Certified Integration Partners.
    • Within environments governed by customer security controls.

    They are designed to coexist with enterprise security tooling such as endpoint protection, firewall enforcement, logging infrastructure, and monitoring systems.

    Security Implications of the Architecture
    This operating model:

    • Minimizes interactive attack surface.
    • Supports least-privilege execution.
    • Separates configuration authority from runtime behavior.
    • Enables customers to layer additional security controls without functional impact.

    The specific data processed by Connectiware is defined entirely by customer configuration and the systems being integrated.

    Connectiware products are deployed on supported operating systems and platforms using a baseline hardening approach intended to reduce attack surface while maintaining operational reliability. Where the platform supports it, hardening measures are applied prior to delivery or commissioning and are designed to align with common enterprise security expectations.

    Baseline Hardening Principles
    Platform hardening is guided by the following principles:

    • Reduce exposure to unnecessary services and interfaces.
    • Enforce secure boot and startup integrity where supported.
    • Protect data at rest.
    • Preserve compatibility with enterprise security tooling.
    • Avoid introducing controls that conflict with customer policy.

    This approach ensures that systems arrive in a secure default state while remaining adaptable to customer-specific requirements.

    Platform Configuration Controls
    Depending on the operating system and deployment context, baseline controls may include:

    • Secure boot enabled on supported hardware.
    • Disk or volume encryption enabled where supported.
    • Operating system firewall enabled with a default-deny inbound posture.
    • Removal or disabling of non-essential services and features.
    • Restriction or disabling of legacy or insecure protocols.

    These controls are intended to minimize exposure without impeding normal system operation.

    Endpoint Protection Compatibility
    Connectiware products are designed to operate alongside customer-approved endpoint protection solutions, including:

    • Built-in operating system protections.
    • Enterprise antivirus or EDR platforms.
    • Host-based firewall enforcement.

    No proprietary or conflicting security agents are required for normal operation, allowing customers to apply their standard endpoint security controls.

    Update and Patch Model
    Operating system updates and patching are typically managed by the customer in accordance with their internal policies.
    Connectiware:

    • Supports customer-managed update strategies.
    • Avoids modifying platform update mechanisms.
    • Provides application updates as signed, vendor-controlled packages.

    This separation ensures that customers retain full control over platform lifecycle management.

    Hardening Scope and Responsibility
    Baseline hardening performed by Connectiware is intended to establish a secure starting posture.
    Additional hardening—such as domain policy enforcement, centralized update management, or advanced endpoint controls—may be applied by the customer or integrator without impacting product functionality.

    Security Implications of Platform HardeningThis approach:

    • Reduces default attack surface.
    • Protects system integrity and stored data.
    • Aligns with common enterprise hardening standards.
    • Allows further security layering by customer IT teams.

    Connectiware products are designed to operate with a restricted execution model that limits the ability for unauthorized or unintended software to run on supported platforms.
    Where supported by the underlying operating system, application execution controls are used to reduce the risk of code execution outside of the intended product scope.

    Execution Model Overview
    Connectiware software components are delivered as vendor-signed executables and are intended to operate within a controlled execution environment. The execution model is designed to:

    • Permit only required operating system components.
    • Permit vendor-signed Connectiware binaries.
    • Prevent execution from user-writable or untrusted locations.
    • Avoid reliance on unrestricted script execution.

    This model helps ensure that the system performs only its intended function.

    Application Allowlisting
    On supported platforms, application allowlisting mechanisms may be used to restrict execution to approved software components.
    Allowlisting controls are designed to:

    • Allow execution of operating system–required binaries.
    • Allow execution of Connectiware application and service components.
    • Block or restrict execution of unauthorized third-party executables.
    • Reduce the risk of lateral movement or post-exploitation abuse.

    The specific implementation may vary depending on platform capabilities and customer requirements.

    Runtime vs Configuration Controls
    Connectiware products distinguish between: 

    • Runtime components, which operate continuously as services or agents.
    • Configuration or management tools, which are used only during authorized configuration or maintenance activities.

    This separation allows:

    • Runtime operation with minimal privileges.
    • Restricted access to configuration capabilities.
    • Reduced exposure of administrative functionality during normal operation.

    Configuration tools are not required for continuous runtime and may be subject to additional access controls.

    Privilege Management
    Connectiware runtime components are designed to execute using dedicated service or agent accounts with only the privileges required for operation.
    This approach:

    • Limits the impact of potential compromise.
    • Avoids unnecessary administrative access.
    • Aligns with least-privilege principles.

    Script and Interpreter Controls
    Where scripting or automation functionality is supported as part of product operation, it is constrained to explicitly defined behaviors and does not provide unrestricted access to system-level scripting engines.
    This helps prevent misuse of scripting capabilities as a general-purpose execution vector.

    Security Implications of Execution Controls
    This execution model:

    • Reduces the risk of unauthorized code execution.
    • Limits exposure to common malware techniques.
    • Supports enterprise application control strategies.
    • Complements operating system and endpoint protection controls.

    Email Handling and Integration Capabilities
    Connectiware is a general-purpose integration platform that supports email (SMTP) as one of several supported transport mechanisms.
    Depending on configuration, Connectiware may:

    • Generate email messages as part of defined workflows.
    • Receive email messages from external systems.
    • Forward, transform, or route email messages to downstream destinations.

      Email content is processed only as required to perform configured integration logic, such as routing, transformation, or delivery. The platform does not impose semantic meaning on email content and does not determine the purpose of customer-defined email workflows.

      Connectiware products are designed with a deliberate and documentable network communication model that allows enterprise customers to understand, restrict, and monitor network behavior in accordance with their security policies.
      Network communication is treated as an explicit dependency, not an implicit capability.

      Network Communication Model
      Each Connectiware product implements a defined set of network behaviors appropriate to its function. These behaviors are:

      • Purpose-specific and limited in scope.
      • Configurable based on deployment requirements.
      • Fully documentable for enterprise review.

      No undocumented or opportunistic network communications are required for normal operation.

      Inbound Network Exposure
      By default, Connectiware products are designed to operate with no inbound internet exposure. Inbound network communication, where required by product function, is:

      • Limited to explicitly defined ports and protocols.
      • Intended for operation within trusted networks.
      • Configurable or restrictable by customer firewall policy.

      No inbound connectivity from external networks is assumed or required unless explicitly configured by the customer or integrator.

      Outbound Network Communication
      Outbound network communication, where applicable, is:

      • Initiated by the product for defined operational purposes.
      • Limited to configured destinations.
      • Designed to be allow listed by destination, port, or protocol.

      This enables customers to enforce egress filtering without disrupting product operation.

      Transport Encryption
      Where network communication is used, Connectiware products employ industry-standard encryption mechanisms to protect data in transit. Transport security controls are designed to:

      • Prevent interception or tampering of transmitted data.
      • Support modern cryptographic protocols.
      • Avoid use of deprecated or insecure encryption methods.

      Plaintext transmission of sensitive operational data is not required for normal operation.

      Network Segmentation & Firewall Compatibility
      Connectiware products are designed to function within segmented network environments, including:

      • VLAN-restricted deployments.
      • Firewall-enforced zones.
      • Environments with strict ingress and egress controls.

      They do not rely on unrestricted network access and are compatible with enterprise firewall and network monitoring solutions.

      Discovery and Broadcast Behavior
      Connectiware products do not require uncontrolled network discovery, broadcast, or peer-to-peer mechanisms for normal operation unless explicitly enabled as part of a documented feature. Where discovery mechanisms are used:

      • Their behavior is limited and purpose-driven.
      • Their scope can be restricted by network policy.

      Connectiware products are designed to operate within a controlled access model that limits who can interact with the system, what actions they can perform, and under what circumstances access is granted. Identity and access controls are structured to support least-privilege operation, separation of duties, and compatibility with enterprise identity policies.

      Service and Agent Identity
      Runtime components operate using dedicated service or agent identities appropriate to the underlying platform. These identities are:

      • Non-interactive.
      • Restricted to the minimum privileges required for operation.
      • Isolated from human user accounts.

      Service or agent identities are not intended for administrative access and are not used for configuration or maintenance activities.

      User and Administrative Access
      Where local user access is required for configuration or maintenance, it is:

      • Restricted to authorized personnel.
      • Governed by operating system access controls.
      • Subject to customer credential and authentication policy.

      No default, shared, or hard-coded user credentials are required for normal operation.

      Credential Storage and Handling
      Where required for integration with external systems, Connectiware products may store authentication credentials such as API keys, service tokens, or system credentials provided by the customer. Credential handling is designed to:

      • Encrypt credentials at rest using industry-standard encryption.
      • Prevent storage of plaintext credentials on disk.
      • Limit credential access to the runtime components that require them.

      Encrypted credentials are decrypted in memory only at runtime for the purpose of establishing authorized connections and are not exposed through logs or user interfaces.
      Customers retain control over:

      • Which credentials are provided.
      • Credential rotation and lifecycle.
      • Scope and permissions assigned to external system credentials.

      Enterprise Identity Integration
      Connectiware products are designed as infrastructure components, not as end-user applications. As such:

      • They do not provide built-in enterprise single sign-on (SSO) integration.
      • They rely on platform-native access controls for local and administrative access.
      • They do not introduce external identity providers or authentication services.

      Access to configuration and maintenance functionality is governed by the underlying operating system and customer-controlled identity policies. This design ensures that Connectiware products do not bypass or weaken enterprise identity enforcement, while avoiding unnecessary dependency on centralized authentication services for unattended runtime operation.

      Separation of Duties
      Connectiware products distinguish between:

      • Operational runtime access, required for continuous function.
      • Administrative or configuration access, required only during installation, commissioning, or maintenance.

      This separation helps ensure that routine operation does not require elevated privileges or ongoing administrative access.

      Authentication Mechanisms
      Authentication for local access relies on platform-native mechanisms, allowing customers to apply their own standards for:

      • Credential complexity.
      • Authentication factors.
      • Account lifecycle management.

      Connectiware products do not introduce proprietary authentication systems that bypass or replace customer identity controls.

      Privilege Elevation and Control
      Administrative privileges, where required, are:

      • Limited in scope.
      • Used only for specific configuration or maintenance actions.
      • Not required for normal runtime operation.

      This approach reduces the risk associated with persistent elevated access.

      Security Implications of Access Controls
      This access control model:

      • Limits exposure to unauthorized use.
      • Reduces impact of credential compromise.
      • Supports auditability of access events.
      • Aligns with enterprise least-privilege and role-based access principles.

      Connectiware products are designed to support operational visibility and auditability through the use of structured logging and integration with platform-native monitoring capabilities. Logging is treated as a first-class operational feature rather than an afterthought.

      System-Level Logging
      Where supported by the underlying platform, Connectiware products integrate with operating system–level event logging facilities. This enables:

      • Visibility into service and agent lifecycle events.
      • Recording of operational warnings and errors.
      • Correlation with other system and security events.

      System-level logs are generated using platform-standard mechanisms to ensure compatibility with enterprise monitoring tools.

      Application and Agent Logging
      Connectiware runtime components generate application-level logs appropriate to their function. These logs may include:

      • Startup and shutdown events.
      • Operational status and health indicators.
      • Error and exception conditions.
      • Controlled diagnostic information.

      Log content is designed to support troubleshooting and operational oversight without exposing sensitive credentials or unnecessary internal details.

      Log Storage and Retention
      Log storage and retention behavior is:

      • Configurable based on deployment requirements.
      • Intended to support customer retention and compliance policies.
      • Compatible with centralized log collection and archival strategies.

      Customers retain control over log retention duration, storage location, and downstream handling.

      Monitoring and Integration
      Connectiware products are designed to operate alongside customer monitoring and observability tooling, including:

      • Platform-native monitoring.
      • Centralized logging or SIEM systems.
      • Health and performance monitoring solutions.

      No proprietary monitoring infrastructure is required for normal operation.

      Event Traceability and Investigation
      Logging behavior is structured to support:

      • Event correlation across system and application layers.
      • Investigation of operational or security-relevant incidents.
      • Review of service or agent behavior over time.

      This supports post-incident analysis and audit review without requiring intrusive instrumentation.

      Audit Support Considerations
      Logging and monitoring capabilities are intended to:

      • Provide evidence of system operation.
      • Support customer audit and compliance processes.
      • Enable independent verification of system behavior.

      Detailed logging and monitoring guidance may be provided as part of product-specific documentation.

      Security Implications of Logging and Monitoring
      This approach:

      • Enhances operational transparency.
      • Supports early detection of abnormal behavior.
      • Enables incident response and forensic review.
      • Aligns with enterprise logging and audit expectations.

      Connectiware products are developed and maintained using a controlled lifecycle approach that addresses vulnerability awareness, update delivery, and long-term operational support. This approach is intended to align with enterprise expectations for maintainability and risk management while preserving customer control over deployed systems.

      Vulnerability Awareness and Assessment
      Connectiware maintains awareness of security vulnerabilities that may affect its products, including:

      • Vulnerabilities in operating system platforms.
      • Vulnerabilities in third-party components and libraries.
      • Product-specific security issues.

      Assessment activities are informed by:

      • Vendor advisories.
      • Public vulnerability disclosures.
      • Software component tracking.

      This process supports timely evaluation of potential impact to deployed systems.

      Software Bill of Materials (SBOM)
      Connectiware maintains a Software Bill of Materials (SBOM) for its products to support transparency and vulnerability assessment. The SBOM:

      • Identifies included third-party components.
      • Supports vulnerability correlation and impact analysis.
      • Is maintained as part of the product lifecycle.

      SBOM information is made available to customers or enterprise stakeholders under appropriate terms, such as through Certified Integration Partners or under non-disclosure agreement.

      Update and Patch Delivery
      Product updates are provided as vendor-controlled, signed software packages.
      Update delivery is designed to:

      • Preserve system integrity.
      • Prevent unauthorized modification.
      • Support controlled deployment and rollback.

      Operating system updates are typically managed by the customer or integrator in accordance with customer policy, allowing alignment with enterprise patch management processes.

      Customer-Controlled Update Strategy
      Connectiware products are designed to support customer-managed update schedules, including:

      • Planned maintenance windows.
      • Change management processes.
      • Testing and validation prior to deployment.

      Updates are not forced or automatically applied without customer authorization.

      Vulnerability Remediation and Communication
      When a security issue affecting a Connectiware product is identified, remediation actions may include:

      • Software updates or patches.
      • Configuration guidance or mitigations.
      • Documentation updates.

      Communication is coordinated through established support channels and Certified Integration Partners.

      Product Support and Lifecycle ConsiderationsConnectiware products are supported according to defined lifecycle expectations, including:

      • Supported versions and platforms.
      • Update and maintenance availability.
      • End-of-life considerations.

      Lifecycle information is provided to customers to support long-term planning and risk management.

      Security Implications of Lifecycle Management
      This lifecycle approach:

      • Supports proactive risk identification.
      • Enables controlled remediation of vulnerabilities.
      • Preserves customer authority over deployed systems.
      • Aligns with enterprise change and risk management practices.

      Detailed product-specific security documentation—including architecture details, hardening guidance, Software Bill of Materials (SBOM), and compliance materials—is provided through Certified Integration Partners or made available under non-disclosure agreement as part of enterprise due diligence and procurement processes.
      Enterprises requiring additional information are encouraged to consult their authorized integrator or contact Connectiware to initiate the appropriate review process.

      Security controls are designed and implemented in alignment
      with SOC 2 Trust Services Criteria and informed by NIST security guidance.
      Formal third-party SOC 2 attestation has not yet been obtained.

      Get the Safety&Compliance Report

      Enter your email to get the official Safety & Compliance Report PDF.

      Services

      About

      Careers

      Copyright © 2024 Connectiware Systems Inc.