CJIS & FIPS 140-2 Compliant

Secure Connectivity for Breath Test Instruments

Bridge field-deployed breath-testing instruments to your agency's modern secure network—without firmware changes, without workflow disruption, and with a full chain-of-custody audit trail.

AES-256 Encryption • Tamper-Evident Audit Log • Zero Firmware Changes

Live Architecture

Breath Test Instruments → secure connection over public internet → Breath Test Connect (Authenticate • Encrypt • Route • Audit) → WireGuard / IPsec encrypted tunnel → Your Evidence Management Server

Auth: per-device • Encrypt: AES-256 • Audit: every event

Built for Today's IT Security Environment

Government IT security requirements have raised the bar for every networked device—including evidentiary instruments. Breath Test Connect bridges proven field hardware to modern agency infrastructure, with full CJIS compliance and a complete chain-of-custody audit trail.

Evolving Network Requirements

Government IT security requirements now demand modern encrypted connections for all agency network traffic. A purpose-built intermediary ensures evidentiary instruments meet those standards without disrupting proven field workflows.

Fleet Visibility & Accountability

Distributed instrument fleets need a centralized record of connection status, IP assignments, and credential history—giving your agency the documentation that compliance auditors and defense counsel require.

Rapid Revocation & Credential Control

When an instrument is stolen, lost, or decommissioned, your agency needs fast, audited network access revocation. Breath Test Connect provides instant deactivation with a complete, court-ready audit trail.

How Breath Test Connect Works

A managed, secure intermediary layer. Nothing changes on your instruments or your server.

1. Instrument Powers On

Your breath-test instrument connects to Breath Test Connect exactly as it would to any endpoint. No firmware update, no configuration change beyond a new server address.

unit-047 → btc-gateway:1723 (standard instrument connection protocol)

2. Identity Verified

Each instrument authenticates with its own unique credentials. MAC address binding and optional source IP locking ensure the device is what it claims to be. Failed attempts are logged instantly.

Credential verified • MAC address matched • Audit event recorded

3. Traffic Encrypted & Routed

The instrument receives a static virtual IP. All traffic is routed through an AES-256 encrypted WireGuard (or IPsec) tunnel to your evidence management server. Instruments are isolated from each other and the internet.

10.20.0.147 → WireGuard → EMS (AES-256 / ChaCha20 encrypted tunnel)

4. Everything Logged

Every connection, every authentication attempt, every credential rotation, every admin action—recorded in a tamper-evident audit log with SHA-256 checksums. Exportable as CSV. Ready for court.

Recent Audit Events
14:32:01 AUTH_SUCCESS unit-047
14:32:01 CONNECTED unit-047
14:28:17 MAC_REJECTED unit-091
14:15:44 CRED_ROTATED unit-012

Built for the Way You Work

A web-based management portal your IT staff already knows how to use—from any device, in English or Spanish.

Instrument Registry

Register instruments individually or import entire fleets via CSV. Each device gets unique credentials, a static virtual IP, and organizational assignment. Search, filter, and sort across your entire fleet.

Credential Rotation

Staged rotation workflow that fits how field work actually happens. The old credential stays active while the tech programs the new one on-site, then confirms in the portal. Full audit trail on every step.

Real-Time Status

See which instruments are connected right now, from which IP, with animated status indicators. Connection history tracks every session with duration and source address.

Instant Deactivation

Device stolen or decommissioned? Deactivate it in the portal and network access is revoked within 60 seconds. Active sessions are terminated immediately via real-time pub/sub messaging.

Role-Based Access

IT Admins manage the full fleet. Field Technicians see only instruments in their assigned districts. All access enforced at the database level—not just the UI. Integrates with your Active Directory via SAML2/OIDC.

Multi-Language

Full English and Spanish language support across the entire portal. Users switch languages with one click. Additional languages can be added as needed.

Mobile-Ready

Fully responsive design works on phones and tablets. Field techs can check instrument status, view credentials (with MFA re-auth), and confirm rotations from the field.

Bulk CSV Import

Onboard your entire fleet in minutes. Upload a CSV with serial numbers, MAC addresses, and org assignments. The system validates all rows before importing any, and auto-generates strong credentials.

CSV Export & Reports

Export audit logs, usage reports, and connection data to CSV for compliance reviews, court proceedings, or internal reporting. Filter by date range, event type, outcome, or actor.

Security Without Compromise

Evidentiary data demands evidentiary-grade security. Every design decision prioritizes the integrity of the chain of custody.

AES-256 Encryption at Rest

All credentials, tunnel configurations, and sensitive data encrypted with AES-256 using FIPS 140-2 validated cryptographic libraries. Encryption keys stored only in environment variables—never in code, never in the database.

Tamper-Evident Audit Log

Every event recorded with SHA-256 checksums. Append-only—records cannot be modified or deleted after creation. Checksum verification proves log integrity for compliance reviews and court proceedings.
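
The tamper-evidence property described above, as an added example (not Breath Test Connect's code; the page does not say how its checksums are computed). This sketch assumes each record's SHA-256 checksum also covers the previous record's checksum, so editing or deleting a stored record invalidates the chain from that point on; the field names, the `GENESIS` value and the sample events are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value for the chain (not from the page)

def checksum(prev, record):
    # Canonical JSON so the same record always hashes to the same bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + body).encode("utf-8")).hexdigest()

def append_event(log, time, event, device):
    """Append a record whose checksum covers the previous record's checksum."""
    record = {"seq": len(log), "time": time, "event": event, "device": device}
    prev = log[-1]["checksum"] if log else GENESIS
    log.append({**record, "checksum": checksum(prev, record)})

def verify_log(log, expected_head=None):
    """Return (True, None) if intact, else (False, index of first bad record)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        record = {k: v for k, v in entry.items() if k != "checksum"}
        if record.get("seq") != i or entry.get("checksum") != checksum(prev, record):
            return False, i
        prev = entry["checksum"]
    # Records removed from the end are only visible against a head kept elsewhere.
    if expected_head is not None and prev != expected_head:
        return False, len(log)
    return True, None

def build_sample_log():
    # Constructed sample, reusing the event names shown on the page.
    log = []
    for t, ev, dev in [("14:15:44", "CRED_ROTATED", "unit-012"),
                       ("14:28:17", "MAC_REJECTED", "unit-091"),
                       ("14:32:01", "AUTH_SUCCESS", "unit-047"),
                       ("14:32:01", "CONNECTED", "unit-047")]:
        append_event(log, t, ev, dev)
    return log

if __name__ == "__main__":
    log = build_sample_log()
    head = log[-1]["checksum"]
    print(verify_log(log, head))       # intact log
    log[1]["event"] = "AUTH_SUCCESS"   # in-place edit of a stored record
    print(verify_log(log, head))       # first failing record is reported
```

Removing records from the end still verifies unless the latest checksum is also kept somewhere the log's writer cannot change, which is what `expected_head` models.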

Network-Level Isolation

Instruments cannot communicate with each other, cannot reach the internet, and cannot route traffic outside the approved path to your evidence management server. Firewall rules are generated automatically from the instrument registry.

Multi-Factor Authentication

All portal users—regardless of role—authenticate with MFA. Credential reveal requires additional re-authentication. Sessions expire after 30 minutes of inactivity per CJIS requirements.

Zero Plaintext Exposure

Credentials are never stored in plaintext, never logged, and never returned in API responses. Viewing a credential requires MFA re-authentication and creates an audit record.

Managed Service, Maintained for You

No servers to provision, no software to patch. Breath Test Connect is fully managed infrastructure—containerized, monitored, and operated by us so your IT team stays focused on your core mission.

Compliance Built In, Not Bolted On

Every component of Breath Test Connect was designed from the ground up to meet the compliance standards that govern criminal justice data.

CJIS Security Policy

MFA on all roles, 30-minute session timeout, full audit logging, encrypted credential storage, role-based access control—all enforced at the system level.

FIPS 140-2

All encryption uses FIPS 140-2 validated algorithms and implementations. AES-256 for data at rest, AES-256 or ChaCha20 for tunnel encryption.

NIST SP 800-111

Storage encryption standards applied to all credential data, configuration secrets, and audit logs at rest on the middleware infrastructure.

Active Directory Integration

Your staff authenticate with their existing agency credentials via SAML2 or OIDC federation. No new passwords to manage or distribute.

What Gets Logged
Every instrument connection & disconnection
Every failed authentication attempt
Every credential view, creation & rotation
Every portal login & MFA event
Every registration, modification & deactivation
Every bulk import with validation details
Every administrative action by any user
SHA-256 checksums • Append-only • CSV export

Clear Boundaries

Understanding what the system does not do is just as important as what it does.

Does not touch evidentiary data. Breath test results, calibration records, and case data flow through the encrypted tunnel to your evidence management server. The middleware never stores, processes, or has access to that data.

Does not replace your evidence management system. This is additive infrastructure that sits in front of your existing server. Nothing changes about how it operates.

Does not require firmware changes. The instrument connects to a new server address—that's it. Existing field workflows are completely unaffected.

Simple to Deploy, Nothing to Manage

Breath Test Connect is a fully managed service. You provide three things; we handle everything else.

1. Your Evidence Management Server

The network address of your evidence management server and the tunnel protocol your IT team supports (WireGuard default, IPsec available).

2. Your Identity Provider

Your Active Directory OIDC or SAML2 endpoint so your staff log in with their existing agency credentials. No new accounts to create.

3. Your Instrument List

A CSV of serial numbers, MAC addresses, and organizational assignments. We import them in bulk and auto-generate credentials for each device.

Hosted on Akamai Cloud (Linode) • Containerized with Docker • Geographic placement configurable for data residency requirements

Frequently Asked Questions

Do we need to update instrument firmware?
No. The only change is pointing the instrument to the Breath Test Connect server address. All existing field workflows remain identical.
Does the middleware store breath test results?
No. Evidentiary data—test results, calibration records, case data—flows through the encrypted tunnel directly to your evidence management server. The middleware routes this traffic but never stores, processes, or has access to it.
Can defense counsel request connection logs?
Yes—and you'll have them. Every connection, disconnection, authentication attempt, credential rotation, and administrative action is recorded with timestamps, actor identity, source IP, and outcome. Logs can be exported as CSV and verified for integrity using SHA-256 checksums.
What happens if an instrument is stolen?
Deactivate it in the portal. Within 60 seconds, network access is revoked and any active session is terminated. The deactivation event is logged with the operator's identity and timestamp. The instrument cannot reconnect until reactivated.
Can our field techs use it from their phones?
Yes. The portal is fully responsive and tested on mobile browsers. Field technicians can check instrument status, view credentials (with MFA re-authentication), and confirm credential rotations from their phone or tablet.
Which instruments does this support?
Breath Test Connect is designed to work with law enforcement breath alcohol testing instruments used by federal, state, and local agencies. The platform tracks instrument model in the registry and is architected to support a range of instrument types.
How do our staff log in?
Your IT and field staff authenticate using your agency's existing Active Directory credentials via SAML2 or OIDC federation. No new accounts need to be created. Multi-factor authentication is required for all users, and sessions time out after 30 minutes of inactivity.
What does onboarding look like?
We provision your tenant, configure your identity provider federation, and import your instrument fleet from a CSV file. You provide the network endpoint for your evidence management server and coordinate the tunnel configuration with your IT team. Your instruments then need only their connection endpoint updated to point to Breath Test Connect.

See It Working

Our live demo environment is configured with a sample law enforcement agency as a tenant, complete with districts, instruments, and audit history. Log in and explore.

Demo Credentials — data resets every 30 minutes
demo_admin
AdminTest123!
IT Admin — full fleet access. Register and deactivate instruments, initiate credential rotations, manage sub-organizations, and browse the complete tamper-evident audit log.
demo_tech1
TechTest123!
Field Technician (1st & 2nd Districts) — restricted view. Sees only instruments assigned to their districts, can view credentials after re-authentication, and confirm rotations from the field.
demo_tech2
TechTest123!
Field Technician (2nd District only) — narrower scope than demo_tech1. Log in as both to see how org-level access control limits what each technician can see.

Sample law enforcement agency — four districts, ten instruments, full audit history.

Ready to Connect Your Fleet?

Whether you're evaluating for a proof of concept or ready to onboard, we'd like to hear from you.

Bowen Technology Services, LLC

bowenweb.com