Security at Memfault

Protecting You and Your Customers

At Memfault, we understand the importance of protecting not only our customers but their customers as well.  We have features in place to ensure we meet the security and privacy policies of your organization.

Protecting You and Your Customers


Security Compliance

SOC 2 Type II Certified

The SOC 2 Type II certification affirms that a verified, independent third party has formally reviewed Memfault’s infrastructure, software, data, people, policies, procedures, and operations. Memfault’s SOC2 Type II Report is available upon request under NDA.

Security Compliance


Full Data Encryption

Memfault is GDPR compliant, and we have a form DPA available upon request.

Device → Cloud
Device → Cloud

All data sent from the device to the Memfault cloud is encrypted via HTTPS and the latest versions of TLS where applicable. No networking connections used by Memfault for any purpose ever send unencrypted data. Memfault Customers are in full control of the exact data sent from the device, ensuring they can remove any sensitive PII (Personal Identifiable Information) or other info they don't want to collect.


All data is encrypted at rest. We are hosted on AWS and encrypt all data at rest with keys managed in KMS and AWS SSE-S3. Crash reports uploaded to our service are encrypted using a key, which is unique to each project. This guarantees that this data cannot be shared between customers.

Per-Organization Encryption
Per-Organization Encryption

Raw binary data sent by devices and stored by Memfault is stored in AWS S3 and encrypted with a unique encryption per customer using AWS SSE-C.


On-Device Data Collection

For all Memfault device SDKs, the customer is in complete control of the data that is sent to the Memfault service.

For Android devices, data can be scrubbed and filtered before it leaves the device. Scrubbing and filtering rules can be updated in our dashboard and are automatically propagated to the devices.

For MCU devices, the customer is in control of the device sent to Memfault. We recommend scrubbing memory regions, personally identifiable information, and sensitive data from any data collected before sending it to Memfault.

For Linux devices, customers have the ability to determine what data they’d like to collect. We’ve also added support for forced (non-interactive) updates, a critical feature for delivering security updates to devices.

Cloud Infrastructure

Memfault is hosted on cloud infrastructure from Amazon Web Services. We perform daily backups and can scale to meet performance needs.

On-Device Data Collection


Memfault Web App Access
Single sign-on

Enterprise-grade single sign-on (SSO)  allows users of an organization to log in using the organization’s third-party identity provider. Memfault supports Google OAuth, Microsoft OAuth, and many SAML-based identity providers (IDP). Learn more.

Memfault API and Memfault CLI Access
Organization Auth Token

Requests authenticated via an Organization Auth Token can only access the resources of their respective organization. Admins can create and delete Organization Auth Tokens. Learn more.

User API Key

Requests authenticated via a User API Key can access the resources of all the organizations a user has access to (except when SSO is required). Learn more.


Device SDKs and Usage

The Memfault Firmware and Android SDKs were purposely designed for low bandwidth, embedded hardware environments. Our SDKs are restricted to requesting pre-defined data sets and configuration, so they will never be able to inject code or run arbitrary scripts.



Memfault Firmware SDK

The Memfault Firmware SDK is capable of collecting full device coredumps, debug registers, logs, and custom metrics. Data collected is first compressed and then broken up into packets that can be as small as 9 bytes. The packets can be sent over any network technology, such as Bluetooth, LTE, WiFi, LoRa, Zigbee, proprietary protocols, and more, and using any combination of protocols. The data can also be collected after the fact from an SD card or hard drive and uploaded to Memfault at a later time.

A typical MCU device configured with a minimal configuration generates as little as hundreds of bytes of data per day. The cadence at which telemetry data is stored and sent from a device as well as the size of the data is fully configurable by the customer for further optimization.

The Memfault firmware SDK is source-available on GitHub at


Memfault Android Bort SDK

The Memfault Android (Bort) SDK collects crashes, metrics, reboots, and logs from the entire device (from device drivers, to system services, and applications). Custom Metrics can be added using on-device APIs. Learn more.

Data can either be collected using bugreports, or Memfault Caliper – an alternative collection mechanism where what data is collected is completely configurable. Individual types of data collection can be enabled/disabled, privacy rules configured (including log scrubbing) from the Memfault dashboard. Learn more.

The Memfault Bort SDK is source-available on GitHub at


Memfault Linux SDK

The Memfault Linux SDK relies on well-established, battle-tested open-source software and provides our core platform features such as collecting crash reports, metrics, reboot reasons, and logs from the entire device.  

With its compatibility with the hawkBit API, customers can point a compatible OTA on-device agent, such as SWUpdate, to Memfault’s endpoints to gain access to insightful device data.  Learn more.

The Memfault Linux SDK is source-available on GitHub at