It’s a setup such that the connections go as Device <-> VPN <-> Proxy <-> Client. The VPN is OpenVPN through which the device communicates with the resin.io services. The proxy is a very small app running on our servers based on https://github.com/findhit/proxywrap, and it’s a really minimal wrapper to proxy data between the VPN and the client, and display some meaningful error messages when that’s not possible (ie. nothing’s listening on the device on port 80).
As for ISO27001, I don’t think that it is something that we are currently working on.