Security model

Written for the engineer evaluating whether to put a device in a customer's building. No security theatre — just what the system does.

Every device has its own identity

Every device holds its own CA-issued certificate. The private key is generated on the device and never leaves it.

Enrollment is a certificate signing request: the device generates its keypair locally and sends only a CSR. Renewal is automatic and proves possession of the current key. Identities are SPIFFE URIs, scoped to your organization, over a TLS 1.3 floor with mutual authentication on the tunnel.

Revocation is fast

Revoke a device and its live tunnels drop in seconds — the relay re-checks certificate status continuously.

What we can and cannot see

We can see We cannot see
Per-interval byte and connection counters (for metrics and quotas) The contents of passthrough traffic — it is never decrypted
Device and route metadata you configure Your payloads on TLS-passthrough routes
An append-only audit trail of state changes Anything a routing decision does not require

Passthrough traffic is never decrypted at the relay. We route by TLS SNI without reading a single byte of your payload.

Routes you choose to terminate at the edge are, by definition, decrypted there to apply the access rules you enabled — that is a choice you make per route, not a default.

Tenant isolation

Every resource belongs to an organization, and the boundary is enforced and adversarially tested in CI.

Account security

Console accounts get role-based access, optional TOTP two-factor, and an append-only audit trail.

Coordinated disclosure: email support@tollan.ie. Report abuse of the service to abuse@tollan.ie.