Skip to main content
AirGapNetPhysical network isolation
Security

Security & trust

AirGapNet sells network-isolation hardware, so the security of our own operations matters as much as the product on the rack. This page summarises how we protect customer data, the sub-processors we rely on, and the compliance work in progress.

Last updated · May 23, 2026

Customer data we hold

We collect only what is necessary to quote, ship, support, and warrant the hardware: contact details, shipping and billing address, order history, device serial numbers, and any messages you send to support. We never collect packet captures, configuration files, or production-network telemetry from a deployed AGN1 device — the device's control channel sits on GSM/SMS by design and does not reach our servers.

Encryption

  • All traffic to airgapnet.us is served over TLS 1.2+ with HSTS preload
  • Customer records at rest are encrypted with AES-256 in our database and object storage
  • Stripe processes card payments under PCI-DSS; we never store the full PAN, CVC, or expiry
  • Backups are encrypted with separate keys and retained for 30 days before rotation

Sub-processors

We use a small, audited set of US-based service providers. Each sub-processor is bound by a data-processing agreement that mirrors the safeguards we offer customers.

  • Vercel (Vercel Inc., US) — site hosting, CDN, edge functions
  • Stripe (Stripe, Inc., US) — card payment processing for AGN1 orders
  • Resend (Resend Inc., US) — transactional email for order confirmations and form submissions
  • Google Workspace (Google LLC, US) — corporate email and document storage

Access controls

Production access is restricted to a named on-call rotation; every administrative login requires hardware-key WebAuthn and is logged for 18 months. Developer access to non-production environments is gated by single sign-on with mandatory two-factor authentication.

Vulnerability disclosure

We welcome reports from security researchers and operators. Email AirGapNet@gmail.com (subject line "Security report — <product or URL>") or call +1-305-610-3390 during business hours. We respond within two business days, do not pursue legal action against good-faith reporters who follow the standard disclosure timeline, and credit the reporter on the published advisory unless they prefer anonymity.

Compliance posture

AGN1 hardware is engineered to fit into operating environments that need to meet NIST SP 800-53, NIST SP 800-171 (CMMC), HIPAA Security Rule, and PCI-DSS network-segmentation controls. The device itself is purpose-built for physical network isolation; it does not on its own constitute a certified compliance product, and we do not market it as one.

FCC: AirGapNet AGN1 is currently in the FCC equipment-authorization pipeline. Until the authorization issues, AGN1 ships in the United States as an evaluation unit under FCC Part 15 §15.5 conditions. Final marketing claims will be updated once the grant is on file.

SOC 2: We are building toward a SOC 2 Type 1 assessment in the next 12 months. The trust-services criteria we map to today are Security, Availability, and Confidentiality.

Incident response

If a security incident affects customer data we notify the affected customers within 72 hours of confirmation, in line with the strictest applicable breach-notification rule (GDPR Art. 33 for EEA customers, the state breach-notification statutes in the US). The notification names the data involved, the impact, the steps we have already taken, and the steps we ask the customer to take.

Questions

Email AirGapNet@gmail.com or call +1-305-610-3390 with any policy question — we answer most inquiries within one business day. Mailing address: AirGapNet, Inc., 1209 N Orange St, Wilmington, DE 19801.