Viam platform

Security, Data Privacy & Compliance

Viam's security model is built into the platform architecture, not layered on top. There are no default passwords, no open ports, and no VPNs to manage. From the moment a machine connects, every communication is encrypted and every access decision is authenticated.

Core guarantees

Authentication

Real credentials required for both cloud and device access. No default passwords.

Encryption

End-to-end encryption across all data and communications. No backdoors.

Compliance

SOC 2 Type II, ISO 27001, and HIPAA compliant, verified by independent auditors.

Data Privacy

Viam does not use your data to train our own models. Your data remains entirely yours.

Architecture of trust

Zero-Trust Identity

Every machine is provisioned with a unique, single-use secret. No default credentials, no shared keys. Access is granted only to organization members.

Machine-to-Cloud
(The Control Plane)

Each machine uses its unique machine secret to establish an outbound, encrypted connection to app.viam.com. Remote management with no inbound firewall rules required.

Machine-to-Machine
(The Data Plane)

Within a LAN, machines use location certificates to establish mTLS connections for high-speed, secure local coordination. Across the internet, machines negotiate a peer-to-peer WebRTC tunnel. Data flows directly between machines, not through Viam's servers.
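The LAN path described above, as an added example that is not Viam's code and does not use Viam's certificate format or provisioning: a per-location CA issues each machine its own certificate, and every machine requires a peer certificate that chains to that CA before it will talk. The location and machine names, the self-signed CA, and the loopback exchange are all constructed for the example; Go's standard crypto/tls does the enforcement.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// must keeps the example short: setup errors (key generation, listen) are fatal here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Location stands in for a per-location CA (example types and names, not Viam's).
type Location struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
	pool *x509.CertPool
}

func newLocation(name string) *Location {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name + " location CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	cert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &Location{cert: cert, key: key, pool: pool}
}

// issueMachineCert signs a leaf cert for one machine with server and client EKUs, since any machine may dial or accept.
func (l *Location) issueMachineCert(machine string) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // example only; a real CA tracks serials
		Subject:      pkix.Name{CommonName: machine}, DNSNames: []string{machine},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, l.cert, &key.PublicKey, l.key))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// serverConfig demands a client certificate that chains to the location CA.
func serverConfig(l *Location, cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs: l.pool, MinVersion: tls.VersionTLS13}
}

// clientConfig presents the machine's cert and verifies the peer under its machine name.
func clientConfig(l *Location, cert tls.Certificate, peer string) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: l.pool,
		ServerName: peer, MinVersion: tls.VersionTLS13}
}

// connect runs one mTLS exchange over loopback: once the handshake has verified the
// client, the server replies with the client's CommonName. A rejected client sees the
// error on its first read (in TLS 1.3 the server's verdict arrives after the client's handshake returns).
func connect(srv, cli *tls.Config) (string, error) {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", srv))
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			defer c.Close()
			if tc := c.(*tls.Conn); tc.Handshake() == nil { // fails if the client cert does not chain to the CA
				fmt.Fprintln(tc, tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
			}
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	line, err := bufio.NewReader(conn).ReadString('\n')
	return strings.TrimSpace(line), err
}

func main() {
	a, b := newLocation("warehouse-a"), newLocation("warehouse-b")
	arm, cart, rogue := a.issueMachineCert("arm-01"), a.issueMachineCert("cart-02"), b.issueMachineCert("rogue-99")
	fmt.Println(connect(serverConfig(a, arm), clientConfig(a, cart, "arm-01"))) // cart-02 <nil>
	// rogue trusts warehouse-a's (public) CA cert but holds a warehouse-b cert, so arm-01 rejects it.
	fmt.Println(connect(serverConfig(a, arm), clientConfig(a, rogue, "arm-01"))) // empty name plus a handshake error
}
```

The first call returns the peer's name; the second fails because arm-01 will not complete a handshake with a certificate from another location's CA, even though that peer trusts arm-01's CA. The same check is what keeps a machine from a neighbouring location, or a stranger on the same LAN, out of the data plane. Note the TLS 1.3 detail in connect: a client only learns it was rejected when it reads, so application code should treat a failure on the first read as an authentication failure, not a transient network error.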

Client-to-Machine
(Egress-Only Networking)

Your application code connects to hardware through the same encrypted layer no matter where it is running. No open ports, no port forwarding, no firewall configuration required; NAT traversal is handled automatically, and the same mechanism gives the same guarantees whether the client is on the machine's LAN or on the other side of the internet.

User-to-Machine
(Identity & Access)

Viam secures end-customer access to your machines—from industrial fleets to consumer devices—through a managed OAuth2 layer with native SSO support. This removes the burden of building a bespoke authentication stack or managing static credentials for every unit shipped. A standard login flow provides enterprise-grade identity and granular access control that remains consistent as you scale.

Versioned OTA Updates

Updates (code, ML models, and configuration) are versioned and deployed through the Viam Registry. Pin to stable versions, roll out to a subset of machines first, and roll back with a single change if something goes wrong. No SSH loops. No per-machine intervention.

Data Privacy

Data Sovereignty:
Viam does not use your data to train our own models. Your operational data, process logic, and captured telemetry are yours. Export or delete anytime.
On-Device Inference:
ML inference runs on-device. Sensitive data doesn't need to leave the edge for your application to function.

A shared responsibility model

For each category: what Viam provides, and what you are responsible for.

Network
  Viam: End-to-end encrypted WebRTC tunnels and NAT traversal
  You: Local firewall egress rules and physical site security
Access Control
  Viam: Role-Based Access Control (RBAC) frameworks and MFA-gated cloud authentication
  You: User permissions, team members, and API key rotation
OTA Updates
  Viam: Registry infrastructure and atomic update mechanisms
  You: Testing and pinning module versions for production
Data Privacy
  Viam: Encrypting data in transit
  You: Data retention policies and PII handling
Hardware
  Viam: Standardized APIs and driver isolation
  You: Physical safety, e-stops, and component selection
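A check for the "pinning module versions" responsibility above, and for the version pinning described under Versioned OTA Updates, as an added example that is not part of Viam's tooling: it reads a machine configuration and lists the registry modules whose version is not an exact semantic version, so they could change on the next config sync. The JSON shape (a "modules" list with "type", "name", "module_id" and "version" fields) is the example's assumption about the config format and should be checked against the Viam docs; the sample config and its module IDs are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Module holds the fields this example assumes on each entry of a machine's
// "modules" list (assumption: registry modules carry module_id and version;
// local modules are built and shipped by you). Check the Viam docs for the real schema.
type Module struct {
	Type     string `json:"type"`
	Name     string `json:"name"`
	ModuleID string `json:"module_id"`
	Version  string `json:"version"`
}

type machineConfig struct {
	Modules []Module `json:"modules"`
}

// exactSemver matches only a fully pinned MAJOR.MINOR.PATCH version.
var exactSemver = regexp.MustCompile(`^\d+\.\d+\.\d+$`)

// unpinnedModules returns a description of every registry module whose version is
// not an exact semver: "latest", a major or major.minor range, or an empty field,
// all of which let a new release reach the machine without a config change.
func unpinnedModules(configJSON []byte) ([]string, error) {
	var cfg machineConfig
	if err := json.Unmarshal(configJSON, &cfg); err != nil {
		return nil, err
	}
	var out []string
	for _, m := range cfg.Modules {
		if m.Type != "registry" {
			continue // local modules do not come from the registry
		}
		if !exactSemver.MatchString(m.Version) {
			out = append(out, fmt.Sprintf("%s (%s@%q)", m.Name, m.ModuleID, m.Version))
		}
	}
	return out, nil
}

// sampleConfig is constructed for this example; the module IDs are placeholders.
const sampleConfig = `{
  "modules": [
    {"type": "registry", "name": "cam",   "module_id": "example:camera", "version": "2.1.4"},
    {"type": "registry", "name": "lidar", "module_id": "example:lidar",  "version": "latest"},
    {"type": "registry", "name": "arm",   "module_id": "example:arm",    "version": "0.3"},
    {"type": "local",    "name": "dev-probe"}
  ]
}`

func main() {
	bad, err := unpinnedModules([]byte(sampleConfig))
	if err != nil {
		panic(err)
	}
	for _, b := range bad {
		fmt.Println("unpinned:", b) // lidar and arm are reported; cam is pinned, dev-probe is local
	}
}
```

Run it against an exported machine config before promoting a fragment to production: anything it reports is a module whose behaviour can change underneath a canary that already passed.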

FAQ

1. What happens if the machine loses internet connectivity?

Viam is local-first. The viam-server binary handles all control loops, hardware drivers, and logic locally. It caches its JSON configuration on the device; if the cloud connection is severed, your machine continues to operate according to its last known state. Once connectivity is restored, any queued telemetry or data logs are synced to the cloud automatically.

2. How does Viam work through firewalls without open ports?

Viam does not bypass the firewall; it works with it. The machine initiates an outbound connection to a signaling server, and the peer-to-peer session (gRPC over WebRTC) is negotiated over that channel, so remote control and data streaming work through NATs and firewalls without a public IP, port forwarding, or a VPN. STUN is used to discover the machine's public address; for highly restrictive enterprise environments where a direct path cannot be established, Viam supports a TURN relay fallback to ensure a reliable connection. When a session falls back to TURN, its packets pass through the relay, but they remain encrypted end to end, so the relay forwards them without being able to read them.

3. What happens if a module update fails?

Each module runs as its own process and talks to the core viam-server over a local Unix domain socket using gRPC. Because of this process isolation, a module that fails (for example, a camera driver that crashes after a bad update) does not bring down the rest of the machine; viam-server and the other modules keep running. To keep a bad release from reaching production in the first place, pin your fleet to specific semantic versions of each module, try a new version on a subset of machines first, and change the pinned version back if it misbehaves.

4. How do I prevent bricking a machine during an OTA update?

The viam-agent manages the lifecycle of the server and its dependencies. You can define maintenance windows to ensure updates only occur during scheduled downtime, and roll out changes to a canary subset of your fleet before a global deployment.

Compliance


SOC 2 Type II

Annual independent audits of security, availability, confidentiality, and privacy controls.

ISO 27001

Certified information security management system.

HIPAA

Annual compliance audits for healthcare data requirements.

GDPR / CPRA

Viam treats both as a global standard for user data protection, not just a regional requirement.

Reporting a security issue

Found a vulnerability? Contact security@viam.com with steps to reproduce. We prioritize the OWASP Top 10, database injection, authentication issues, improper data access, XSS, and email spoofing. We ask that you work with us to resolve before disclosing publicly.
Viam does not offer a bug bounty program. If you believe you have discovered a security vulnerability, please report it to us so we can investigate and improve the broader internet ecosystem.