Security

Industrial-grade security for OT/IT environments

Sortation control systems sit at the OT/IT boundary. Sortwyre is designed to connect without introducing new OT attack surface.


OT/IT boundary

How Sortwyre handles the OT/IT boundary

Sortation control systems — PLCs, WES controllers, SCADA — operate in the OT zone where network access must be strictly controlled. Sortwyre is designed for this environment.

[Diagram: network segmentation showing the OT zone with conveyor PLCs and WES controllers on the left, the IT zone with the cloud connector and WMS on the right, and the Sortwyre agent in a DMZ bridge labelled as a read-only OPC UA tap.]

Security design

Security principles

Data scope

Sortwyre ingests sort event telemetry only — no PII, no carrier account credentials, no parcel-level manifests. Data collected: scan events, PPH metrics, chute status, WES device state.

No PII collected

Read-only OT tap

Sortwyre's OPC UA and MQTT connections are subscribe/read-only. No write commands are issued to any PLC, WES controller, or conveyor control system. The sorter control plane is not modified.

Zero write access to OT

Network deployment

Deployed as an on-premises agent or private-cloud connector. No public inbound ports to your OT network. The Sortwyre agent initiates all outbound connections — no inbound connectivity required from the internet to your OT segment.

No OT inbound ports

IEC 62443 design approach

Sortwyre is designed with IEC 62443 industrial security principles in mind — zone-and-conduit network segmentation, least-privilege access, and read-only industrial protocol use. We do not claim IEC 62443 certification; we design for alignment with its principles.

Designed for IEC 62443 principles

SOC 2 roadmap

Sortwyre has a SOC 2 audit on its roadmap. We are building with SOC 2 controls in mind from the ground up — access logging, data handling policies, change management, and incident response procedures. A SOC 2 Type II audit is planned as the platform scales.

SOC 2 on roadmap — not yet certified

Encryption in transit

All data transmitted from the Sortwyre on-prem agent to the analytics layer is encrypted in transit using TLS 1.2+. OPC UA connections use the protocol's built-in security mode (SignAndEncrypt where supported by the WES server).

TLS 1.2+ in transit

Security questions from your IT/OT team?

We work directly with your network and security teams during pilot scoping. Contact us to set up a security review call before the integration kickoff.


Run a throughput pilot in your FC

Connect Sortwyre to your WMS or WES in under 6 weeks. No hardware installation, no conveyor downtime.