Trust & security

Security

How HydroIQ protects your garden, your data, and the network.

Four architectural rules

These aren't policies we can quietly change later. They're built into the system.

  1. No video stored, ever. Our streaming infrastructure has no recording capability built in.
  2. AI images deleted after analysis. Camera stills exist in memory only during the API call. The JSON analysis result is kept; the image bytes are not.
  3. Local-first by default. Schedules run on the device. Cloud is for intelligence, not control.
  4. Append-only audit log. Every valve open, every fertigation dose, every command — written once, never modified.

Encryption

  • All connections between Controller, cloud, and app are encrypted end-to-end using TLS 1.2 or higher.
  • Firmware updates are cryptographically signed and verified by the device before installation. Unsigned firmware is rejected.
  • Camera live-view sessions require time-bound session tokens that expire automatically (5-minute windows).
  • Account passwords are stored only as salted hashes produced with an industry-standard algorithm. We never store plaintext.

Data minimization

  • Garden GPS coordinates are truncated at the device to three decimal places (~110 meter resolution) before transmission. Exact coordinates stay on the device.
  • Camera live streams are relayed only — never written to disk on our infrastructure.
  • Camera stills used for AI analysis are held in memory only for the duration of the analysis call, then discarded.
  • Telemetry retention: raw sensor data 90 days, hourly averages 1 year, daily averages indefinite (owner-deletable). See the Privacy Policy for the full retention table.

Responsible disclosure

If you find a vulnerability in HydroIQ hardware, firmware, cloud, or app, please email security@hydroiq.us. We commit to:

  • Acknowledge your report within 3 business days.
  • Provide an initial triage decision within 10 business days.
  • Coordinate a fix and public disclosure within 90 days of acknowledgment, longer only by mutual agreement.
  • Credit you in the disclosure unless you prefer to remain anonymous.
  • Not pursue legal action against good-faith researchers who follow this process.

security.txt

Our security.txt file lists the security contact, encryption key, and policy URL in the format described by RFC 9116.
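For anyone consuming a vendor's security.txt during a review, the following added example (not HydroIQ code) checks a file against the core RFC 9116 rules: Contact and Expires are required, Expires appears once and lies in the future, and URI fields are real URIs with web links on https. The sample file is constructed and deliberately broken; only the e-mail address comes from this page, and the `example.invalid` URL is a placeholder.

```python
from datetime import datetime, timezone

SINGLE = ("expires", "preferred-languages")  # RFC 9116: at most once each
URI_FIELDS = ("acknowledgments", "canonical", "contact",
              "encryption", "hiring", "policy")
# Constructed sample with four defects (placeholder URL, not a real file).
SAMPLE = """\
Contact: security@hydroiq.us
Policy: http://example.invalid/security
Expires: 2020-01-01T00:00:00Z
Expires: 2021-01-01T00:00:00Z
"""

def parse(text):
    """Return {lowercased field name: [values]}, skipping comments and blanks."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check(text, now=None):
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields, problems = parse(text), []
    for name in ("contact", "expires"):          # the two required fields
        if name not in fields:
            problems.append(f"missing {name}")
    for name in SINGLE:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} appears more than once")
    for name in URI_FIELDS:
        for value in fields.get(name, []):
            if ":" not in value:                 # e.g. a bare e-mail address
                problems.append(f"{name} is not a URI: {value}")
            elif value.lower().startswith("http://"):
                problems.append(f"{name} must use https: {value}")
    for value in fields.get("expires", [])[:1]:  # judge the first Expires only
        try:
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
            if expires.tzinfo is None:
                raise ValueError("no UTC offset")
            if expires <= now:
                problems.append("expires is in the past")
        except ValueError:
            problems.append(f"expires is not an RFC 3339 timestamp: {value}")
    return problems
```

Calling `check(SAMPLE)` reports all four defects; a file with `Contact: mailto:...`, https links and a single future `Expires` returns an empty list.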

Public CVE register

Any vulnerability we publicly disclose appears in our CVE register (published as production matures). Beta-period security advisories are sent to active beta participants by email.

For procurement & IT teams

If your organization needs a security review packet (architecture diagram, data-flow diagram, encryption-in-transit / at-rest summary, vendor questionnaire response), email security@hydroiq.us with your organization name and the procurement contact, and we will turn around a packet within 5 business days.
