Samsara is built from the ground up for sensitive environments and security-conscious customers.

Unlike legacy solutions that were designed in a different era and patched over time, Samsara is purpose-built to aggregate and process sensor data securely. All aspects of Samsara’s service, from its patent-pending technology architecture to built-in security tools for administrators to ongoing monitoring and risk mitigation, are designed for security and reliability by seasoned industry experts with extensive experience building secure technology systems for enterprise and industrial customers.

  • SSL (TLS 1.2) / 256-bit AES encrypted transport
  • Always protected with over-the-air patches
  • Validated by 3rd party audits
  • Robust end-user security tools
  • Redundant hosted software service

Security in Depth

  • Hardened Cloud Infrastructure

    Samsara’s cloud-hosted infrastructure is designed and managed in alignment with the best practices of multiple IT security standards. Samsara’s underlying infrastructure leverages Amazon AWS, which is ISO 27001 and SOC 1 Type II certified, and is rated as the leader in cloud security by research firm Forrester.

    Network devices, including firewalls and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, access control lists (ACLs), and configurations to enforce the flow of information to specific information system services.

    ACLs, or traffic flow policies, are established on each managed interface to manage and enforce the flow of traffic.

    Samsara is built on a secure multi-tenant cloud architecture with logical data separation. Customer data is logically separated across distributed databases with required authentication checks for every application-layer and data-layer access made to any tenant's data. The logical separation ensures that data is always associated with exactly one customer, and required authentication checks at the application and data layers ensure that data is completely isolated by customer and accounts provisioned for that customer.

    Samsara employs a Virtual Private Cloud to provide resource isolation and minimize attack surface area. Samsara services are protected by IP- and port-based firewalls. Administrative access to Samsara’s infrastructure is highly restricted, and verified by public key (RSA). Distributed Denial of Service (DDoS) attacks are mitigated with elastic load balancing and highly available DNS services.

    When a storage device containing customer data has reached the end of its useful life, procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. Techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual”) or NIST 800-88 (“Guidelines for Media Sanitization”) are used to destroy data as part of the decommissioning process. All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry-standard practices.

  • SSL-Encrypted Data Transmission

    Samsara IoT gateways communicate exclusively over SSL-encrypted connections. Whether communicating over a cellular network or via WiFi, all traffic is encrypted, preventing third parties from reading sensor data. Moreover, Samsara automates gateway provisioning, eliminating the potential for man-in-the-middle attacks through configuration errors or invalid certificates.

    Likewise, all access to sensor data via the Samsara web application, mobile app, or API is SSL-encrypted, securing data retrieval without depending on the integrity of local networks or VPNs.

  • SOC 2® Reporting

    The Service and Organization Controls (SOC 2) is an industry-recognized attestation report given to a company after an audit of the company’s internal practices. Our report describes the controls and processes Samsara has in place to secure customer data and to ensure availability of our system.

    Samsara's SOC 2 Type 1 report includes a description of our software infrastructure and the processes we have in place to keep our customers’ data safe and available. Some of the processes covered in our report are employee on-boarding and termination processes; internal access controls to production environments; and disaster recovery, data backup, and incident response processes. Samsara’s SOC 2 Type 1 report was provided by Schellman & Company, a licensed and independent certified public accountant firm.

    If you’re a current or prospective Samsara customer and wish to view the report, you can request a copy from your account representative.

  • 24x7x365 Monitoring

    Samsara employs multiple independent systems to monitor system health and security. Security verification and penetration tests are performed daily by McAfee SECURE, an industry-leading third party service. Application availability is constantly monitored by multiple geographically distributed services, and Samsara’s operations engineers are available around the clock to respond to incidents.

    Security monitoring tools help identify several types of denial of service (DoS) attacks, including distributed, flooding, and software/logic attacks. In addition to the DoS prevention tools, redundant telecommunication providers as well as additional capacity protect against the possibility of DoS attacks.

    In the unlikely event of a security event that affects the customer's data, organization administrators and/or identified points of contact will be notified by Samsara. Any event will be reported as soon as possible after discovery.

  • Redundant, Highly Available Infrastructure

    Samsara’s service is a distributed system designed to spread computation and data across multiple physical servers. Every customer’s data is replicated across multiple servers and storage appliances, so that hardware failure will not compromise service availability or customer data. Networks are multi-homed across a number of providers to achieve Internet access diversity.

    Datacenters are equipped with advanced fire detection and suppression equipment, including protection by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems. The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centers use generators to provide back-up power for the entire facility.

    Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at appropriate levels.

    Samsara is designed for rapid failover in the event of a hardware failure or natural disaster. Samsara sensors and gateways are equipped with on-board storage to save data locally in the event of a cloud service interruption, and will automatically upload buffered data upon service resumption.

  • Security Tools for Administrators

    Samsara provides administrative tools to protect your organization’s data, including user management with email verification, authentication audit logs, and two-factor authentication (via Google Apps). Moreover, Samsara enforces robust user authentication, with data access requiring authentication via Samsara’s centralized server (no default passwords or shared secrets).

  • Security Disclosure Policy

    Samsara is dedicated to upholding the highest standards of security for our platform and openly working with the security community. Our vulnerability disclosure policy aims to provide a way for external researchers to report and remediate security issues.

    Reporting security issues
    If you have a security concern, please email with details about the vulnerability such as the page in which it exists and a short description of the issue. Please do not include any details about steps to reproduce the issue until we request them.