Security & Data Protection

Security built into every Totem installation

Totem manages energy across thousands of rooms without touching your building's wiring — so security and data protection are designed in from the device to the dashboard. Here's exactly how we keep your buildings, your data, and your residents safe.

Independently reviewed: full security review completed and remediated, 2026
Encrypted end-to-end: TLS in transit, encrypted at rest
Fail-safe by design: defaults to full power on any fault
UK-based and UK GDPR: Chaahk Ltd, England & Wales

How we protect your data

Encryption everywhere

All traffic between devices, hub, cloud and dashboard is encrypted in transit using TLS. Stored data is encrypted at rest. There are no plaintext credentials in the browser — sessions use short-lived, server-signed access only.

Role-based access

Every user gets the least privilege they need. Administrator, operator and viewer roles are separated, so dashboard access never exposes device control or system credentials beyond a user's permission level.

Secure cloud infrastructure

Totem runs on managed AWS IoT infrastructure with per-session signed credentials. Device commands are authenticated and verified — the platform rejects any unsigned or unverified instruction.

Hardened against attack

Login rate-limiting, CSRF protection, a strict Content-Security-Policy and secure session cookies guard the dashboard against common web attacks. Webhooks and device messages are signature-verified.

Monitoring & audit logging

Access and security events are logged and retained for audit. System uptime and device health are monitored continuously — Bargate House has run at over 99% uptime since January 2026.

Data minimisation

Totem measures room-level energy and temperature to deliver savings — not the personal data of residents. We collect only what the service needs, which keeps your data-protection footprint small by design.

Fail-safe by design

Totem Control units default to full power on any fault or loss of connection, never off, so a network outage, hub failure or power interruption cannot leave a resident cold.

Data protection & privacy

Totem is operated by Chaahk Limited, registered in England & Wales (No. 12042935), and we process data in line with UK GDPR and the Data Protection Act 2018. Building energy data is hosted on Amazon Web Services in Sweden, within the EU, and retained for up to two years.

Because Totem works at the level of rooms and devices rather than individuals, the platform is built around data minimisation: we gather the energy, temperature and occupancy signals needed to cut waste, and no more. Where any personal data is involved, we handle it under a clear lawful basis, share it only with the operator who owns the building, and never sell it.

Operators and procurement teams can request our data-processing details and a security overview at any time — see below.

Independent security review

Reviewed, then remediated

In 2026 the Totem platform underwent a full independent security and code review covering credential handling, authentication, network endpoints and infrastructure. Every finding has been remediated, and security review is now part of how we ship. We're happy to walk security and IT teams through our posture in detail under NDA.

Built on certified infrastructure

Totem runs on Amazon Web Services, whose data centres are independently audited and certified to leading international standards including ISO 27001, SOC 1, 2 and 3 and ISO 27017/27018 for cloud and data-privacy controls. Hosting in AWS's Sweden (EU) region means your data sits on infrastructure that meets these standards by default, and our own controls are built on top of that foundation.

Security FAQ

Is Totem's energy management system secure?
Yes. Security is designed into Totem from the device to the dashboard: all data is encrypted in transit (TLS) and at rest, access is role-based with least privilege, device commands are signature-verified, and the dashboard is hardened with rate-limiting, CSRF protection and a strict Content-Security-Policy. The platform was independently security-reviewed in 2026 and all findings were remediated.
Where is my building's data stored, and who can see it?
Energy data is stored on managed AWS infrastructure in Sweden (within the EU) and retained for up to two years. It is only accessible to the operator who owns the building and to authorised Totem staff under role-based access controls. Totem never sells your data, and we apply data minimisation — collecting only the energy, temperature and occupancy signals needed to deliver savings.
Is Totem GDPR compliant?
Yes. Totem is operated by Chaahk Limited (England & Wales No. 12042935) and processes data in line with UK GDPR and the Data Protection Act 2018. Because Totem works at room and device level rather than tracking individuals, its personal-data footprint is minimal by design. Data-processing documentation is available to operators on request.
What happens to the heating if the Totem system fails or goes offline?
Totem Control units default to full power on any fault or loss of connection — never off. A network outage, hub failure or power interruption can never leave a resident cold. This fail-safe design protects both resident welfare and system resilience.
Does installing Totem create a cyber-security risk to my building network?
Totem installs without rewiring and connects through its own secure hub using authenticated, encrypted communication. Device commands are signature-verified and the platform rejects unsigned instructions, so the system cannot be driven by unverified third parties. We're happy to review network architecture with your IT team before deployment.
Can I see Totem's security documentation before we buy?
Yes. Operators and procurement teams can request a security overview and our data-processing details at any time, and we can brief your security and IT teams under NDA. Use the contact below to get started.

Need our security documentation?

We'll share a security overview and data-processing details, and brief your IT team directly.

Totem is operated by Chaahk Limited, registered in England & Wales No. 12042935. Contact: hello@totem.systems