Orbyfy™Earthflow

Physics AI™ Powered Reinsurance Intelligence

Solar O&M Data Onboarding & Cybersecurity
Prerequisites & Integration Methodology

Bring-your-own-data prerequisites · SCADA / IoT / BMS protocol support · NIST CSF + IEC 62443 + NERC CIP cybersecurity architecture · 7-day quick-start and 12-week full-pilot roadmap for an active utility-scale solar site in O&M.

Version 1.0

May 2026

Companion to Reinsurance Methodology

Physics AI™ Engine

→ Return to Interactive Demo

1 · Executive Summary

This document specifies the data prerequisites, telemetry protocols, cybersecurity controls, and onboarding workflow required to bring an active utility-scale solar O&M site online with the Earthflow Physics AI™ engine. It is the companion document to the Reinsurance Cat-Modeling Methodology: that document explains what Earthflow computes; this document explains how the data gets in.

A reinsurance underwriter or IT lead reading this document should walk away with three concrete answers: (i) the minimum data set required from the cedent / site operator for a first-look risk map, (ii) the protocol options for connecting a live SCADA / BMS / weather feed, and (iii) the cybersecurity controls that make the integration safe, read-only, and audit-trail-complete.

Earthflow's onboarding model — like the Underground Cable Analytics methodology that precedes it — is built around frictionless first-look: a cedent can have Physics AI™ risk scores published for a portfolio within seven days using only existing O&M historian exports and module / inverter spec sheets. Live SCADA, BMS, and weather-station integration follows in weeks 2–12, layered on top of the same data model.

7 days

First Risk Map

30+

Data Feeds Supported

100%

Read-Only by Design

NIST CSF

2.0 Aligned

This document is organized into eight chapters covering the full onboarding lifecycle from first contact through scaled production deployment.

1.1 Table of Contents

Chapter 2 · Data Prerequisites — Bring-Your-Own-DataP. 02 Three-tier checklist · pre-binding · operational monitoring · full digital twin Chapter 3 · SCADA / IoT / BMS Protocol SupportP. 03 Sensor-agnostic vendor cards · Modbus · OPC-UA · MQTT · DNP3 · IEC 61850 · SunSpec Chapter 4 · Cybersecurity ArchitectureP. 04 Seven pillars · NIST CSF 2.0 · IEC 62443-3-3 · NERC CIP-005/007/010 Chapter 5 · Integration PatternsP. 05 Three reference architectures · cloud-direct · gateway-aggregated · batch-ETL Chapter 6 · Roadmap — 7-Day Quick-Start + 12-Week PilotP. 06 Day-by-day Days 1–7 · Week-by-week Weeks 2–12 · effort per role Chapter 7 · Cedent & Reinsurer ConsiderationsP. 07 Data ownership · bordereau aggregation · cross-border · NERC CIP · liability Chapter 8 · Compliance & CertificationsP. 08 Today vs. roadmap · SOC 2 · ISO 27001 · IEC 62443 · GDPR / CCPA

Companion Documents Read this alongside Reinsurance Cat-Modeling Framework — Technical Methodology for the modeling content, and EarthflowRE Interactive Demo for the dashboard the data feeds populate.

2 · Data Prerequisites — Bring-Your-Own-Data

Earthflow's first-look risk map for a utility-scale solar site requires only a small set of Tier 1 (mandatory) data fields that any cedent will already have in their EPC or O&M submission packet. Tier 2 (recommended) adds live telemetry — SCADA, weather station, hail detector — for condition-monitoring-aware underwriting. Tier 3 (advanced) adds BMS streams, EL imaging, transformer DGA, and substation IEC 61850 telemetry for a full digital twin. Cedents move through the tiers at their own pace; no tier is a prerequisite for the prior one's outputs to be usable.

2.1 Tier 1 — Mandatory Pre-Binding Data

Required for the first-look risk map. Earthflow can produce a complete 12-peril decomposition, composite risk grade, and bind-ready verdict from this data alone — no live feeds required.

Field	Format	Typical Source	Why Earthflow Needs It
Site coordinates (lat / lon)	Decimal degrees	EPC submission · site permit	Anchor for all hazard lookups
Capacity (MW_dc + MW_ac)	Numeric	PPA · interconnection agreement	TIV scaling · production modeling
COD (commercial operation date)	Date	PPA · O&M handoff	Asset age · warranty status
Module make / model / quantity	Text + count	Bill of materials	ASTM E1038 lookup · glass thickness · frame
Inverter make / model / quantity	Text + count	Bill of materials	MTBF curve · efficiency · derating
Racking make / model	Text	Bill of materials	Clamp type · stow capability · pull-test
Foundation type	Text (pile / ballast / helical / pier)	Civil drawings	Seismic + wind uplift response
Geotech / pull-test report	PDF	Pre-construction survey	SDC-D foundation validation
As-built electrical drawings (PE-stamped)	PDF	Construction handoff	String / combiner-box mapping
FEMA flood-zone letter (if applicable)	PDF	Permit packet	Pre-validated flood zone
O&M provider + contract scope	Text	O&M agreement	SLA expectations · spare inventory

Tier 1 delivers Composite risk grade · 12-peril decomposition · stochastic EP curve · indicated technical rate · equipment pedigree · climate stress test · ACORD bordereau row. Suitable for a complete binding decision.

2.2 Tier 2 — Recommended Operational Monitoring

Adds live telemetry feeds that update vulnerability parameters in real time. With Tier 2 data, the composite risk grade refreshes daily; predictive-maintenance alerts and energy-shortfall signals become first-class outputs.

Feed	Update Cadence	Typical Protocol	What It Powers in Earthflow
Inverter-level fault log	Real-time (1-sec to 1-min)	Modbus TCP · REST · MQTT	Equipment-breakdown peril · MTBF tracking
String-level V/I telemetry	1–15 min	Modbus TCP via inverter	String-fault detection · AFCI status
Combiner-box temperature	5–15 min	Modbus TCP · OPC-UA	Hot-spot precursor · arc-fault risk
Tracker stow position	15 min · event-driven	Modbus TCP via tracker controller	Stow-protocol audit · hail-mitigation factor validation
Weather station POA pyranometer	1–5 min	Modbus · REST · MQTT	Energy-shortfall trigger · P50 vs actual
Hail detector feed	Event-driven	REST · MQTT	Parametric hail-trigger validation
Revenue-grade meter	15 min	DNP3 · Modbus	Production reconciliation
O&M ticket / work-order log	Daily	REST · SFTP · CMMS API	Mean-time-to-repair tracking

Tier 2 adds Live IoT / condition-monitoring panel · predictive-failure forecasts · energy-shortfall trigger evaluation · MTBF observed vs. spec · stow-protocol audit trail. Refresh cadence: dashboard updates within 5 minutes of telemetry arrival.

2.3 Tier 3 — Advanced (Full Digital Twin)

Adds cell-level BMS streams, EL imaging, transformer condition data, and substation IEC 61850 GOOSE messaging for sites that require continuous-monitoring underwriting (typically BESS-co-located or high-value coastal projects). Tier 3 enables parametric trigger structures that pay on objective sensor thresholds.

Feed	Cadence	Protocol	What It Powers
BMS cell-level temperature	1 sec	REST · MQTT · Modbus	BESS thermal-runaway peril · ΔT parametric trigger
BMS pack voltage / SOC / SOH	1 min	REST · MQTT	State-of-health degradation tracking
Isolation-valve test results	Quarterly	Manual CMMS upload	BMS-cert subjectivity audit
EL imaging scan (drone IR)	Annual · post-event	SFTP · vendor API	Module hot-spot peril · serial-defect detection
I-V curve sweep	Annual	Vendor API · SFTP	Module degradation rate fit
Transformer DGA (dissolved gas)	Monthly · annual lab	SFTP · vendor API	Transformer health · BI exposure
Substation IEC 61850 GOOSE	Real-time	IEC 61850 / MMS	Grid-side trip events · BI exposure
Cybersecurity audit reports	Annual	PDF upload	Cyber/SCADA peril score

Tier 3 enables Continuous-monitoring underwriting · parametric trigger structures with objective sensor thresholds (BESS cell ΔT, hail kinetic energy, GHI underperformance) · 5-day parametric settlement velocity vs. 9-month indemnity claims average.

3 · SCADA / IoT / BMS Protocol Support

Earthflow is sensor-agnostic and vendor-agnostic by design — we ingest from whatever the cedent's existing fleet uses. The platform supports the eight major industrial protocols used in utility-scale solar today: Modbus TCP/RTU, OPC-UA, MQTT, DNP3, REST, SunSpec Alliance, IEC 61850, and BACnet. The vendor cards below show the integration patterns for the most common equipment in the field.

3.1 Protocol Reference

Protocol	Layer	Typical Use	Earthflow Support
Modbus TCP	OT industrial	Inverter · combiner-box · tracker · weather station	Native
Modbus RTU	Serial · RS-485	Legacy inverters · trackers	Via gateway
OPC-UA	OT industrial	Modern SCADA · multi-vendor aggregation	Native
MQTT	IoT pub/sub	BMS · hail detector · cloud-native fleets	Native (TLS)
DNP3	Utility OT	Substation · revenue meter · grid handoff	Via gateway
REST	App-layer	Cloud-resident SCADA · BMS · CMMS	Native
SunSpec Alliance	App-layer over Modbus/IP	Inverter interoperability standard	Native
IEC 61850	Substation	GOOSE · MMS · SV — utility-side	Via gateway
BACnet	Building automation	O&M building HVAC · access control	As-needed

3.2 Inverter Vendors

Sungrow

SG3125 · SG3400 · SG4400 · PowerTitan BESS

Modbus TCP at inverter level + iSolarCloud REST API at fleet level. SunSpec-compliant register map.

Earthflow ingests fault log · efficiency · MPPT data · DC arc-fault flags · produces MTBF observed vs spec, predicted-failure window

SMA

Sunny Central UP-3000 · UP-4400 · Sunny Tripower

Modbus TCP + SunSpec Alliance compliance. ennexOS REST API for fleet aggregation. Encrypted-transit native.

Earthflow ingests AC/DC power · cabinet temperature · fault events · produces efficiency derating curve, salt-spray wear flag

TMEIC

SOLAR WARE Ninja · Samurai

Modbus TCP native. Vendor SCADA Reactor for fleet management. DNP3 available for utility-grade integration.

Earthflow ingests inverter fault codes · ambient temperature · cooling fan status · produces equipment-breakdown score

Power Electronics

FS series (FS1500 · FS3300)

Modbus TCP. WebMP cloud platform via REST. Native MQTT broker available on newer firmware.

Earthflow ingests three-phase output, harmonics, AFCI status · produces DC arc-fault risk score

Huawei

SUN2000 · FusionSolar SmartPCS

Modbus TCP + MQTT. FusionSolar cloud REST API. ⚠ Verify regulatory clearance for utility deployment per jurisdiction.

Earthflow ingests string-level optimizer data · produces sub-string-level fault localization

FIMER

PVS-100 · MEGA series

Modbus TCP. Aurora Vision cloud REST. SunSpec compliant.

Earthflow ingests legacy ABB-pedigree inverter data · produces aging-curve calibration

3.3 BESS / BMS Vendors

Tesla Megapack

Megapack 2 · Megapack 2 XL · Megapack 3

REST API · authenticated TLS · cell-level temperature + SOC + isolation-valve status. Powerhub aggregation.

Earthflow ingests cell ΔT · pack voltage · thermal-anomaly events · produces BESS thermal-runaway peril score, parametric ΔT trigger

Sungrow PowerTitan

ST2752UX · liquid-cooled outdoor LFP

Modbus TCP at container level · iEnergyCloud REST. Cell-level BMS exposed via OPC-UA upgrade option.

Earthflow ingests pack-level + (with OPC-UA) cell-level telemetry · produces BMS recert tracking

Fluence Gridstack

Gridstack Pro · Sunstack

REST API · TLS · Mosaic AI control layer integration. IEC 62443 Level 2 certified at system level.

Earthflow ingests state-of-health degradation · cycle count · produces SOH-aware BESS vulnerability adjustment

BYD · CATL · LG Energy

Cube-Pro · EnerC · MegaPower

Modbus TCP + vendor REST APIs. MQTT available on cloud-enabled deployments. Region-specific certifications.

Earthflow ingests chemistry-specific (LFP / NMC) BMS data · produces chemistry-aware vulnerability factor

3.4 Weather Stations & Hail Detectors

Campbell Scientific

CR1000X · CR6 dataloggers + sensor suite

Modbus TCP + REST + LoggerNet aggregation. Industry-standard utility-scale weather station.

Earthflow ingests POA pyranometer · ambient temp · wind speed/direction · produces energy-shortfall trigger, P50 reconciliation

Lufft / OTT HydroMet

WS-series · multi-parameter sensors

Modbus TCP + MQTT + Smart Weather Sensor SDK. Native TLS support on newer firmware.

Earthflow ingests integrated atmospheric data · produces meteorological hazard context

HailSensor

HailGauge HG-2 · HG-3

REST + MQTT · event-driven push. Acoustic-impact sensor with stone-size estimation.

Earthflow ingests strike events with kinetic-energy estimate · produces parametric hail-trigger validation

Kapture / Verisk Atmospheric

Hail Detection Network · Storm Surge sensors

REST aggregation from third-party network · event-confirmation API.

Earthflow ingests event confirmations with confidence scores · produces parametric trigger event-attribution

3.5 Substation / Grid-Side (IEC 61850)

SEL (Schweitzer Engineering)

SEL-451 · SEL-487E · SEL-2440

IEC 61850 GOOSE/MMS + DNP3 + Modbus. Industry-leading utility relay platform.

Earthflow ingests trip events · breaker status · DGA where instrumented · produces grid-side BI exposure score

GE Multilin · ABB Relion

F60 · F650 · REF615 · REF630

IEC 61850 + DNP3. Utility-grade with NERC CIP-aware deployment patterns.

Earthflow ingests substation events when integrated under cedent's NERC CIP envelope · produces BI exposure tracking

Sensor-Agnostic Commitment Earthflow ingests from any of the vendors listed above, plus dozens of regional and legacy platforms. The integration pattern is the same: read-only TCP / REST / MQTT pull through a TLS tunnel, with on-site protocol translation when needed. We do not require vendor swap-outs to onboard.

4 · Cybersecurity Architecture

Solar O&M data flows out of operational-technology (OT) networks into Earthflow's information-technology (IT) cloud — a class of integration that cyber teams scrutinize heavily, with good reason. This chapter documents the seven cybersecurity pillars that govern Earthflow's ingest architecture and the industry standards they align to.

The One-Sentence Cyber Position Earthflow's ingest pipeline is read-only by design, encrypted end-to-end, and aligned to NIST CSF 2.0 + IEC 62443-3-3. It cannot — by architectural construction — push commands back into SCADA, BMS, or inverter control planes.

4.1 The Seven Cybersecurity Pillars

1 Read-Only by Design

The Earthflow ingest pipeline has no write path back to the OT network. Telemetry flows outbound from the customer environment to the Earthflow cloud, never inbound. For customers requiring physical-layer assurance, an optional unidirectional data diode can be deployed at the gateway — making the read-only property a hardware-enforced guarantee, not a software-policy promise. This addresses the most common reinsurer subjectivity: "does the model touch our control plane?" The answer is no.

2 Network Segmentation — Purdue Model Aligned

Integration follows the ISA-95 / Purdue Model. Levels 0–2 (sensor · field controller · supervisory) remain entirely behind the customer's DMZ. Level 3 (operations DMZ) is where the Earthflow gateway or jump-host sits. Only Level 3 ever talks to Earthflow's cloud ingest endpoint. No traffic ever crosses from Earthflow inbound into Levels 0–2.

3 Encryption — In Transit and At Rest

TLS 1.3 for all wire-level traffic (no TLS 1.0 / 1.1 / 1.2 allowed). AES-256 at rest in Firestore and BigQuery. Cryptographic key management via Google Cloud KMS; HSM-backed key storage available for higher-tier customers. Customer-managed encryption keys (CMEK) supported on enterprise plans.

4 Authentication, Authorization, Access Control

MFA mandatory for all human accounts. SSO via SAML 2.0 or OIDC supported (Okta, Azure AD, Auth0, Google Workspace). SCIM provisioning for automated user lifecycle. RBAC with least-privilege role definitions: viewer / analyst / underwriter / admin. Service-account credentials rotated quarterly; emergency rotation supported within 24 hours.

5 On-Site Aggregation Gateway (Recommended)

For most production deployments, Earthflow recommends a pre-vetted on-site gateway: Dell PowerEdge XR4000 (ruggedized edge), Siemens RUGGEDCOM RX1500, or Cisco IR1101. The gateway performs protocol translation (Modbus RTU → Modbus TCP, IEC 61850 → MQTT), TLS termination, local buffering for network outages, and DNS-based egress filtering. Customer retains physical custody.

6 Tunnel & Transport Options

IPSec VPN (default) with IKEv2 and PSK / certificate authentication. MPLS for utility customers with existing carrier circuits. Direct AWS PrivateLink or GCP Private Service Connect for cloud-resident SCADA platforms. SD-WAN compatible (Versa, Velocloud, Cisco SD-WAN). No traffic over public internet without VPN encapsulation.

7 Audit Logging & SIEM Export

All ingest events are append-only audit-logged in Cloud Logging with retention configurable to 7 years (default 13 months). Audit exports available to customer SIEM via streaming sink: Splunk · Microsoft Sentinel · Sumo Logic · Datadog. Anomaly detection on access patterns (Cloud Audit Logs + customer SIEM correlation) flags unauthorized credential use within minutes.

4.2 Alignment to Industry Standards

Standard	Scope	Earthflow Alignment
NIST Cybersecurity Framework 2.0	Six functions: Govern · Identify · Protect · Detect · Respond · Recover	Aligned across all six
IEC 62443-3-3	System security requirements for industrial automation & control systems	Aligned to Security Level 2 (SL-2)
NERC CIP-005	Electronic Security Perimeters	When integrating BES — IRA via dedicated ESP
NERC CIP-007	System Security Management	When applicable to BES integration
NERC CIP-010	Configuration Change Management	Change-control aligned
NERC CIP-013	Supply-Chain Cyber Risk	Vendor risk assessment available
ISO 27001	Information Security Management System	Roadmap (target Q1 2027)
SOC 2 Type II	Trust Services Criteria audit	In progress (target Q3 2026)

4.3 Threat Model Highlights

Earthflow's threat model documents the controls against the most common OT-integration attack vectors. The full Threat Model document is available under NDA; the high-level summary:

Lateral movement from Earthflow into OT — eliminated by read-only architecture and unidirectional diode option (Pillar 1).
Credential compromise — mitigated by MFA + SSO + service-account rotation + anomaly detection in audit logs (Pillars 4, 7).
Man-in-the-middle on telemetry — mitigated by TLS 1.3 + certificate pinning at the gateway (Pillar 3).
Data exfiltration via Earthflow — mitigated by least-privilege RBAC + customer-managed encryption keys + audit logging (Pillars 3, 4, 7).
Supply-chain compromise (NERC CIP-013) — mitigated by vendor risk assessment + signed dependency chain + reproducible builds.
Insider threat at Earthflow — mitigated by separation-of-duties, no single-person-can-deploy policy, customer-side audit visibility.

For Cyber Reviewers Full Threat Model, Pen-Test Summary (annual third-party), SOC 2 Readiness Letter, and Architecture Review documents are available under MNDA. Standard cyber-review packet ships within 48 hours of NDA execution.

5 · Integration Patterns

Three reference architectures cover essentially every solar-site integration we have seen. The right pattern depends on the cedent's existing fleet age, cloud posture, and cyber appetite. None require greenfield infrastructure; all three can be deployed within 12 weeks.

5.1 Pattern A — Cloud-Direct (REST / MQTT)

For newer fleets where the inverter, BMS, and weather-station vendors already expose cloud-native REST APIs or MQTT brokers. Typical of post-2022 installations from Sungrow iSolarCloud, SMA ennexOS, Tesla Powerhub, and Huawei FusionSolar. Lowest integration effort; highest latency precision.

Inverter / BMSVendor cloud

→

Vendor Cloud APIREST · MQTT · TLS

→

Earthflow IngestFirebase + Cloud Run

→

Physics AI™Risk + alerts

Latency tier — Real-time (sub-minute end-to-end)
Cyber posture — TLS 1.3 end-to-end · vendor cloud already audited (NIST CSF, SOC 2)
Customer effort — API key provisioning · OAuth scope configuration · 2-4 days
Best for — newer (2022+) Tier 1 vendor fleets · BESS-co-located sites · cedents with cloud-first IT posture

5.2 Pattern B — Gateway-Aggregated (Modbus / OPC-UA Bridge)

For mixed fleets with on-prem SCADA, legacy Modbus RTU equipment, or vendor-specific protocols requiring local translation. The on-site gateway aggregates multiple protocols, applies TLS encryption, and pushes outbound to Earthflow via IPSec or PrivateLink. The most common pattern in production.

Field DevicesModbus · DNP3 · OPC-UA

→

On-Site GatewayTranslate · TLS · buffer

→

IPSec VPNor PrivateLink

→

Earthflow Ingest+ Physics AI™

Latency tier — Near-real-time (1–5 minutes end-to-end)
Cyber posture — Gateway sits in customer DMZ (Purdue L3) · unidirectional diode option · NIST CSF + IEC 62443-3-3 aligned
Customer effort — Gateway install + VPN provisioning + protocol-map configuration · 2-4 weeks
Best for — operational fleets with mix of Modbus / DNP3 / proprietary protocols · utility-grade integrations · NERC-CIP-aware deployments

5.3 Pattern C — Batch-ETL (SFTP / Historian Dump)

For first-look pilots, legacy fleets, or cedents whose cyber policy prohibits any live tunnel during pre-binding. Earthflow ingests daily or weekly historian extracts via SFTP, S3, or signed Cloud Storage URL. No live connection; lowest cyber footprint; highest latency.

O&M Historian
(OSI PI · GE Proficy · AVEVA)Customer site

→

Daily ExportCSV · Parquet

→

SFTP / Cloud StorageTLS · signed URL

→

Earthflow Ingest

Latency tier — Daily batch (24-hour update)
Cyber posture — No live connection · file-based · signed URLs · the lowest-friction onboarding option
Customer effort — Cron-scheduled historian export + SFTP credentials · 2-5 days
Best for — first-look pilots · pre-binding evaluations · legacy fleets with proprietary historians · cedents in cyber-conservative jurisdictions

5.4 Choosing a Pattern

Scenario	Recommended Pattern	Why
Pre-binding pilot · 5–20 sites · < 30 days	C — Batch ETL	No live cyber posture to negotiate · fastest start
Post-bind continuous monitoring · operational sites	B — Gateway	Real-time enough for alerts · cyber-defensible
BESS-co-located · parametric trigger structure	A — Cloud-Direct + Tesla / Sungrow cloud	Sub-minute latency required for ΔT trigger
NERC-CIP regulated assets (utility-owned)	B — Gateway in CIP-conformant ESP	Required for BES-side integration
Multi-cedent portfolio · scaled deployment	Mix of A + B by site age	Newer sites → A · older sites → B

Most Cedents Start with C, Graduate to B Standard adoption pattern: a cedent enters via Pattern C (daily historian dump) for the first 30-day pilot. Once the Physics AI™ output is validated against their existing O&M dashboards, they upgrade to Pattern B for production monitoring. Pattern A overlays on top of B for parametric-trigger sites where sub-minute latency is required.

6 · Roadmap — 7-Day Quick-Start + 12-Week Full Pilot

Earthflow's onboarding is engineered to deliver visible value in under a week using only data the cedent already has on hand, then layer live telemetry on top over the following 11 weeks. This chapter is the cedent's operational playbook: who does what, on which day, with which prerequisites.

6.1 Days 1–7 — First-Look Quick-Start (Pattern C · Batch ETL)

Day 1

NDA · Cyber Posture Call · Onboarding Portal Access

NDA + DPA executed. Earthflow shares the SOC 2 readiness letter, pen-test summary, threat-model overview, and architecture-review document. Onboarding portal credentials issued to cedent point-of-contact (typically the broker-of-record or cedent data-engineer).

Earthflow: 1 hr · Cedent: 1 hr · IT/Cyber: 0.5 hr

Days 2–3

Tier 1 Data Upload

Cedent uploads Tier 1 documents into the secure onboarding portal: spreadsheet of site coordinates + capacity + COD, EPC bill-of-materials per site, racking + foundation spec, geotech / pull-test PDFs, as-built electrical drawings, O&M contract scope summary. For a 10-site portfolio this is typically a 200–500 MB upload taking 2–6 hours of cedent time to assemble.

Cedent: 4–8 hr per 10 sites

Days 4–5

Schema Mapping · Physics AI™ First-Look Run

Earthflow integration engineer maps cedent's BoM schema to Earthflow's canonical asset model. Physics AI™ engine runs across all sites: 12-peril decomposition, composite risk grade, EP curve, indicated rate per site published to the cedent's portal. ACORD-aligned bordereau row generated.

Earthflow: 6–8 hr · Cedent: passive

Days 6–7

Live Demo · Bordereau Walk-Through · Next-Step Decision

60-minute walk-through with cedent's underwriting + actuarial team. Earthflow team walks composite scores, top-tail drivers, parametric structuring opportunities. Cedent decides whether to advance to full pilot (Weeks 2–12) or stay on monthly batch refresh.

Earthflow: 2 hr · Cedent UW team: 2 hr

Day-7 Deliverable Live dashboard with composite risk grade for every site in the pilot scope · ACORD bordereau CSV · written rationale per site · suggested subjectivities · parametric-layer pricing if relevant. Suitable for an immediate binding decision.

6.2 Weeks 2–12 — Full Pilot (Live Telemetry Integration)

Weeks 2–3

Cyber Review · Tunnel Provisioning · Gateway Selection

Cedent IT / Cyber team completes Earthflow's standard cyber-review packet (Threat Model, Pen-Test Summary, SOC 2 readiness, architecture review). Tunnel pattern selected (IPSec VPN default · PrivateLink for cloud-native customers). On-site gateway hardware ordered if Pattern B chosen.

Earthflow: 8 hr · Cedent IT/Cyber: 12–24 hr

Weeks 4–6

Live SCADA Pilot — 1–3 Sites

Gateway installed on 1–3 representative sites · Modbus / OPC-UA / REST endpoints mapped per inverter / weather-station fleet. Live telemetry flowing into Earthflow ingest. Daily reconciliation against cedent's existing O&M dashboard for 2 weeks to validate.

Earthflow: 32 hr per site · Cedent O&M: 8 hr per site

Weeks 7–9

BMS · Weather Station · EL Imaging Integration

For BESS-co-located sites: BMS cell-level streams added via Tesla Powerhub or Sungrow PowerTitan API. Weather stations integrated. Most-recent EL imaging scans (where available) ingested via SFTP. IoT panel populates with live equipment health.

Earthflow: 24 hr per site · Cedent: 4 hr per site

Weeks 10–12

Scale to Full Pilot Scope · ACORD Bordereau Live Feed

Onboarding cadence accelerates to 1–2 sites per day. Cedent's full pilot portfolio (5–20 sites) onboarded with live telemetry. ACORD bordereau pipeline switches from manual daily export to streaming generation. Production sign-off.

Earthflow: 8 hr per site · Cedent: 2 hr per site

6.3 Resource Plan Summary

Role	Days 1–7 Effort	Weeks 2–12 Effort	Total Pilot Effort
Cedent data engineer	4–8 hr	20–40 hr	~50 hr
Cedent O&M / SCADA admin	—	40–80 hr	~60 hr
Cedent IT / Cyber lead	0.5 hr	12–24 hr	~15 hr
Cedent underwriting team	2 hr	8–16 hr	~12 hr
Earthflow integration eng.	15 hr	200–400 hr	~300 hr

Cedent Effort vs Industry Norm Comparable cat-modeling onboarding programs at incumbent vendors typically require 200–500 hours of cedent staff time over 9–18 months. Earthflow's design target — ~135 hours of cedent staff time over 12 weeks — reflects the deliberate emphasis on bring-your-own-data and frictionless onboarding.

7 · Cedent & Reinsurer-Specific Considerations

A reinsurer integrating Earthflow into its book has to navigate four categories of governance issues beyond the technical onboarding: data ownership, bordereau aggregation, cross-border data flows, and liability allocation. This chapter walks each in turn.

7.1 Data Ownership & Processing Agreements

Earthflow's default contracting model:

The cedent owns the operational data (telemetry, fault logs, BMS streams, weather data). Earthflow processes under a Data Processing Agreement (DPA) as a processor, not a controller.
The reinsurer receives ceded-only insights — composite risk grades, EP curves, bordereau rows for sites in their treaty. Site-by-site operational telemetry stays with the cedent / processor unless explicit consent is granted.
Earthflow's derived outputs (peril scores, vulnerability factors, methodology improvements) feed back into the platform for all customers but are aggregated and de-identified — no single cedent's data influences another cedent's score.
Audit rights — both cedent and reinsurer have the right to audit Earthflow's data handling annually. Reports + raw audit-log exports available on request.

7.2 Bordereau Aggregation Across the Cedent Book

When a reinsurer's treaty covers multiple sites for the same cedent, Earthflow re-runs the Monte Carlo aggregation across the entire portfolio in a single simulation, preserving peril correlations. Outputs include:

Per-site row — composite grade, AAL, PML, recommended subjectivities (ACORD-aligned schema)
Cedent aggregate — total book PML, top-5 concentration, diversification benefit, correlation matrix
Treaty fit metrics — site-by-site attachment-band fit, layer-utilization curve
Climate-creep aggregate — book-level RCP 8.5 trajectory through 2055

The aggregate output contains no PII. Site identifiers are anonymized references; no operational personnel or proprietary contract terms appear in bordereau outputs.

7.3 Cross-Border Data Transfer

Cedent Jurisdiction	Default Data Residency	Compliance Frameworks
United States	GCP `us-central1`	SOC 2 (in progress) · NIST CSF 2.0 · State data-protection laws (CCPA, NY DFS Cybersecurity)
European Union	GCP `europe-west1` or `europe-west3`	GDPR · Schrems II compliant (data does not cross to US under default config)
United Kingdom	GCP `europe-west2`	UK GDPR · ICO data-protection alignment
Canada	GCP `northamerica-northeast1`	PIPEDA aligned · OSFI guidance for federally regulated insurers
LATAM	GCP `southamerica-east1` (São Paulo) or `us-central1`	Brazil LGPD · Argentina PDPA per regional law
APAC (Singapore, Australia)	GCP `asia-southeast1` or `australia-southeast1`	Singapore PDPA · Australia Privacy Act 1988

Why This Matters Less Than for PII Workloads Solar telemetry contains no personal data — only asset and operational measurements (kWh, cell temperature, fault codes). Cross-border treatment is a contractual-residency matter, not a privacy-regulation matter. Most cedents can deploy in their domestic region without raising GDPR / CCPA review.

7.4 NERC CIP Applicability

NERC Critical Infrastructure Protection (CIP) standards apply when Earthflow integrates directly into a Bulk Electric System (BES) Reliability Coordinator or Balancing Authority's control envelope. For most solar O&M integrations, this is not the case:

NERC CIP applicable — Integration into a utility-owned substation IEC 61850 stack at the BES level, with two-way (read/write) control. Earthflow's standard read-only architecture can operate inside a utility's CIP-conformant Electronic Security Perimeter (ESP), but full CIP-013 supply-chain vendor onboarding is required (3–6 month process).
NERC CIP not applicable — Ingesting from a cedent's O&M vendor's SCADA, the inverter manufacturer's cloud, or a weather station. These sit outside BES control and are not CIP-scoped.

7.5 Liability & Breach Allocation

Cyber E&O — Earthflow maintains cyber-liability insurance with a $10M aggregate, available under contract on request.
Breach-notification SLA — Confirmed material breach reported to customer within 24 hours of discovery, including impact assessment and remediation timeline.
Customer breach — If the cedent or reinsurer's environment is breached, Earthflow assists with audit-log forensics within 24 hours of request.
Right to disconnect — Cedent can pause data ingest at any time via portal control; tunnel can be terminated immediately by customer-side network policy without Earthflow involvement.

8 · Compliance & Certifications

This chapter is an honest accounting of current vs. roadmap compliance posture. Black-box vendors that won't publish their compliance status deserve more scrutiny, not less. Below is the full Earthflow position as of this methodology version.

8.1 Active Today

Control / Standard	Status	Evidence
TLS 1.3 in transit · AES-256 at rest	Active	GCP-managed · architecture diagram available
Cloud KMS for cryptographic keys	Active	HSM-backed available on enterprise tier
MFA + SSO (SAML 2.0 / OIDC)	Active	Okta, Azure AD, Auth0, Google Workspace supported
RBAC with least-privilege roles	Active	Standard role definitions documented
Audit logging · 13-month retention default	Active	Google Cloud Audit Logs · SIEM export streaming
Annual third-party penetration test	Active	Most recent report 2026 · available under MNDA
NIST Cybersecurity Framework 2.0 alignment	Active	Self-attestation · framework mapping document
IEC 62443-3-3 SL-2 alignment	Active	Architecture-level controls in place
Cyber-liability insurance ($10M aggregate)	Active	Certificate available under contract

8.2 In Progress

Standard / Certification	Target	Status
SOC 2 Type II	Q3 2026	Type I complete · Type II audit in progress
ISO 27001	Q1 2027	ISMS scoping & gap analysis underway

8.3 Roadmap

Standard / Certification	Target	Driver
IEC 62443 Security Level 2 certification	Q3 2027	Utility-side integration demand
FedRAMP Moderate	Q4 2027	Federal-customer interest
NERC CIP-013 supply-chain vetting	Per-customer basis	BES integration on demand

8.4 What Is NOT Engaged (and Why)

HIPAA / HITECH — not engaged because no protected health information enters the system.
PCI-DSS — not engaged because no payment card data enters the system.
GDPR data-subject rights workflows — not normally engaged because solar telemetry contains no personal data. Available on request for the small subset of cedent personnel-account data (names, emails of underwriters).
FERPA / GLBA — out of scope.

The Compliance Honesty Principle Earthflow does not market controls it does not have. SOC 2 Type II is "in progress" until the audit report is signed. ISO 27001 is "on the roadmap" until certification body issues the certificate. Cyber reviewers asking for current evidence will receive what is currently in force — not what is targeted for next year. This is the same standard we expect of insurers' own disclosures.