Security
What can we see on your network?
The on-premise agent opens a single outbound-only WireGuard tunnel to our cloud control plane. No inbound ports are opened on your network — your miners stay behind your firewall.
Your LAN connects to ASIC Refinery cloud through an outbound-only WireGuard tunnel. No inbound ports are opened on your network.
What we can see
Miner status APIs
We query the miner status endpoints you allow: hash rate, board temperatures, and fan speed.
Telemetry
Chip-level telemetry — power draw, frequency, and voltage — used exclusively to drive tuning decisions.
Firmware type
The firmware type and version reported by each miner so we can apply the right tuning strategy.
What we never see
Pool credentials
Pool credentials (URL, worker name, password) live in the miner firmware. We never read or transmit them.
Wallet addresses
Your wallet addresses are not visible to our agent. We route tuning commands only, never payment data.
Traffic off allowed routes
The tunnel permits only the specific miner management APIs. Anything off the allowed routes is never seen and never routed.
How we keep tenants isolated
Per-customer network rules
Each customer gets its own isolated network namespace on our control plane. Per-customer network rules ensure that one tenant's tunnel traffic can never be read or influenced by another tenant.
Per-customer database isolation
All miner data, tuning history, and configuration is stored in rows scoped to your organization ID. Per-customer database isolation means your data is never co-mingled with another tenant's records.
Signed tokens for every request
Every API call from the on-premise agent is authenticated with short-lived signed tokens. Tokens are scoped to your organization and expire automatically — a leaked token cannot be replayed indefinitely.
Ready to get started?
Set up takes minutes. Outbound-only WireGuard tunnel — no firewall changes needed on your end.