Security

Private spectrum, 5G-native identity, and OT network segmentation

Signalweft is built for environments where the security stakes of wireless access are highest — assembly floors, logistics yards, and energy facilities. This page describes our security architecture as it exists today, without compliance marketing language.

Signalweft was founded in 2024. We do not hold certifications such as SOC 2 Type II, FedRAMP, or ISO 27001 at this time. This page describes our design intent and current technical controls, not a certification status. We'll update this page accurately as certifications are obtained.

Architecture

How we protect your network and data

Private CBRS spectrum isolation

CBRS PAL spectrum is licensed at the site level. Your private 5G network cannot be accessed by devices that haven't been provisioned to your PLMN. Unlike shared carrier LTE/5G, there is no shared air interface with other tenants — the physical layer is private by design, not by policy configuration.

5G subscriber identity (SUPI/SUCI)

All devices on the Signalweft network authenticate via 5G-native SUPI (Subscription Permanent Identifier) with SUCI concealment using the ECIES-A profile. Device identity is cryptographically bound to the SIM or eSIM; there is no username/password fallback for network access.

Mutual TLS on all control plane connections

Connections between Signalweft's cloud control plane and your on-premises components (CUPS user plane, local RAN controllers) are authenticated with mutual TLS using certificates managed via an internal PKI. Certificates rotate automatically on a 90-day schedule without requiring manual intervention.

OT network segmentation

Device traffic is segmented by network slice and QoS class at the core network level, not just at the application layer. AGV control traffic, sensor telemetry, and camera feeds run in separate UE groups with no cross-segment routing unless explicitly configured. This aligns with IEC 62443 zone and conduit models.

Audit logging

All Signalweft control plane actions — policy changes, device provisioning, API key issuance, user logins — are recorded in an immutable audit log. Logs are retained for 12 months and can be exported to your SIEM on request. Log tampering detection is based on cryptographic chaining.
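
Tamper detection by cryptographic chaining generally means each log entry stores a hash computed over its own content and the hash of the entry before it, so a reviewer of an exported log can recompute the links. The Python below is an added example, not Signalweft's code or export format; the field names (`record`, `prev`, `hash`), the all-zero genesis value, the use of SHA-256, and the sample events are assumptions.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed anchor value for the first entry


def entry_digest(prev_hash, record):
    """SHA-256 over the previous link plus a canonical encoding of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(chain, record):
    """Append a record, linking it to the hash of the entry before it."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev": prev_hash,
                  "hash": entry_digest(prev_hash, record)})


def verify(chain, expected_head=None):
    """Return the index of the first entry that breaks the chain, or None.

    expected_head is the latest hash kept out of band (for example in the SIEM
    at the previous export); without it, tail truncation or a full rewrite of
    the chain cannot be detected.
    """
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev_hash:
            return i  # an entry was removed, inserted, or reordered before this one
        digest = entry_digest(prev_hash, entry["record"])
        if not hmac.compare_digest(entry["hash"], digest):
            return i  # record content changed after it was written
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return len(chain)  # tail truncated, or chain recomputed end to end
    return None


def sample_chain():
    """Constructed sample events using the action types listed above."""
    chain = []
    events = ["user_login", "policy_change", "device_provisioning", "api_key_issuance"]
    for seq, action in enumerate(events, start=1):
        append(chain, {"seq": seq, "actor": "admin@example.test", "action": action})
    return chain
```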

User access control

Signalweft supports role-based access with three default roles: Admin, Operator, and Read Only. SSO via SAML 2.0 is available on Enterprise plans. All user sessions expire after 8 hours of inactivity and require re-authentication.

Data handling

What we store and where

Network telemetry

Cell-level telemetry (SINR, device association state, SLA compliance metrics) is stored in Signalweft's cloud infrastructure in the AWS us-east-1 region. Telemetry is retained for 13 months and then deleted. We do not retain payload data — Signalweft is a control plane, not a packet capture or deep inspection system.

User plane data (your OT traffic)

User plane data — the actual packets your AGVs and sensors transmit — does not traverse Signalweft's cloud infrastructure. The user plane is terminated locally on your premises on a CUPS (Control and User Plane Separation) user plane function. We have no visibility into the content of your OT traffic.

Identity and authentication data

SIM provisioning records (IMSI, MSISDN, certificate fingerprints) are stored in our core network database, encrypted at rest with AES-256. Access is limited to Signalweft engineering accounts with audit logging on all reads.

Contact us about security

If you have specific questions about our security architecture or data handling, or if you're a security professional conducting a vendor review, contact us at [email protected]. We will respond to security inquiries within 2 business days.

Discuss your security requirements

Every industrial deployment has specific security requirements. We'll walk through Signalweft's architecture against your internal security policies before you evaluate further.