Data Security & Privacy
Abstract
We’re committed to your privacy and security with best-in-class infrastructure and enterprise-grade security features to keep your data safe. This document provides an overview of the security practices and policies implemented in the Nexa platform. As a solution that unifies customer data with smart devices, our security posture is continuously evolving to meet the rigorous standards of the Internet of Things (IoT) industry.
Nexa Platform
Nexa is an intelligent water management platform composed of software, which is securely deployed to Microsoft’s Azure cloud platform and operated by Watts’ internal engineering team, and hardware that is installed onsite at Nexa customers’ locations. Nexa provides comprehensive visibility into the performance of water-related systems by collecting, visualizing, and analyzing metrics surfaced from hardware that is connected to Nexa. The visibility provided by Nexa empowers customers to improve efficiency and sustainability while gaining unprecedented insight into the safety and performance of their plumbing and hydronics systems. Nexa software is a cloud-based monitoring and analytics platform designed for customers to observe and manage the water system(s) in the buildings they own or operate. Nexa hardware is composed of sensors, gateways (for secure communication between hardware and the cloud), and water-related equipment that connect and communicate securely with Nexa software in the cloud.
Data Policies
We are committed to ensuring the highest standards of data security and privacy. The Nexa platform is built with robust controls to protect customer data throughout its lifecycle and to remain fully compliant with security standards.
Access
The Nexa system and our internal tools process data created by customers and connected devices. Access to production data is strictly controlled and fully audited. Our internal audit system logs who made changes to data, when the change occurred, and what data was changed, providing us with full traceability.
Retention
Data is regularly backed up and internally replicated throughout regional data centers owned and operated by Microsoft via automated secure processes to avoid data loss. We have a data retention policy that minimizes the data we keep while complying with regulatory and business requirements.
Privacy and protection
We follow industry best practices and comply with relevant security standards to ensure our data handling practices exceed customer expectations for privacy and security. Our systems encrypt all data both in transit and at rest, ensuring sensitive information remains secure and inaccessible to unauthorized parties. For more information regarding what data Nexa collects and how we use that data to better serve you, please review our privacy policy: https://www.watts.com/privacy-policy
User Access
Nexa provides customers with comprehensive control over user management, including Role-Based Access Control (RBAC), which dictates what users can see and what actions a user can perform. With roles, you control who has access to your Organization and the level of access each person has. We implement robust authentication and authorization policies to ensure that operations are accessible only to users with the appropriate access rights.
Platform Security
We treat security as a fundamental principle. We prioritize safeguarding customer data through industry-standard encryption, access controls, and continuous monitoring. We work hard to ensure that our platform is resilient against evolving threats and that customer trust remains at the forefront of everything we do.
Encryption
We employ a multi-layered security strategy to protect our platform. Whether at rest or in transit, all data transmitted to Nexa is secured using encryption, ensuring the confidentiality and integrity of communications. Whether it is a device communicating with Nexa or a user using the mobile application or website, rest assured that your connection to Nexa is secured and the data transmitted to Nexa is protected.
Security Testing
We conduct regular penetration testing against our hardware and software through trusted third-party providers to identify and address potential vulnerabilities. This proactive approach, combined with continuous monitoring and rapid response capabilities, ensures that our platform remains resilient against security threats and is consistently compliant with industry standards.
Cloud Infrastructure and Network
Nexa’s servers and networks are hosted in enterprise-class data centers that detect patterns and signatures of malicious activity via continuous monitoring. Enterprise-grade firewalls, intrusion detection systems (IDS), and threat intelligence solutions continuously monitor traffic for signs of malicious activity. Inbound traffic is inspected in multiple layers, before it reaches the firewall, using advanced security controls such as anomaly detection, deep packet inspection, and behavior-based threat analysis. Additionally, our firewall rules adhere to OWASP and NIST cybersecurity best practices, enforcing strict access controls, rate limiting, and automated threat mitigation measures.
Internet of Things (IoT) Device Connectivity
Our IoT-enabled hardware is designed to provide secure connectivity through Cellular (for select devices), Ethernet, and Wi-Fi, ensuring you can connect with confidence and peace of mind. All devices undergo rigorous security testing to ensure they do not introduce vulnerabilities or expose customer networks. Our goal is to provide a secure and seamless integration experience from device to cloud.
Wi-Fi Connectivity
For devices that support Wi-Fi, secure connectivity is provided using the latest WPA security standards. Before connecting to the Nexa platform, each device must undergo a secure authentication process that ensures only authorized devices can establish a connection. The connection process includes a four-way handshake to authenticate, after which all communication is encrypted, providing strong protection against unauthorized access. Once connected, a secure channel is established between the device and the cloud, ensuring the device cannot be accessed or exploited by unauthorized systems.
Ethernet Connectivity
For customers who prefer wired connections, many of our IoT devices also support Ethernet connectivity. As with Wi-Fi, each device must be explicitly authorized before it can communicate with the Nexa platform, ensuring only trusted devices are able to transmit data. Our devices are designed to operate securely within existing IT environments, preventing any risk of compromise to your network or systems. Once connected, a secure channel is established between the device and the cloud, ensuring the device cannot be accessed or exploited by unauthorized systems. Additionally, Ethernet communication benefits from encryption protocols that protect data transmission, preventing interception and unauthorized data access.
Device Authentication
Before a device can connect and transmit data to Nexa, it must undergo a strict authentication process to verify its identity. Each device is explicitly authorized by the Nexa platform prior to establishing a connection, ensuring that only trusted devices can communicate. Unauthorized devices are automatically rejected, preventing any unauthorized access attempts. All communication between devices and Nexa is secured using industry-standard encryption protocols, ensuring data integrity and protection against tampering. Device credentials are securely managed and validated through a centralized provisioning system, which enforces strict security policies and continuously monitors for anomalies. This approach guarantees that only authenticated and authorized devices can establish a connection, safeguarding both the platform and customer environments from unauthorized access.