MEETING YOUR COMPLIANCE REQUIREMENTS

2.1 What SOC 2 Means for You

SOC 2 Type II is an independent audit conducted by a certified public accounting firm that evaluates our security controls over an extended period (typically 12 months). Unlike a point-in-time assessment, Type II certification demonstrates that our controls are consistently effective over time.

2.2 Trust Service Criteria Covered

Our SOC 2 report covers three trust service criteria:

• Security: Protection of system resources against unauthorized access
• Availability: System is available for operation and use as committed
• Confidentiality: Information designated as confidential is protected as committed

2.3 Audit Frequency

• Full SOC 2 Type II audit conducted annually
• Continuous monitoring between audits
• Gap assessments conducted quarterly
• Remediation tracking for any identified observations

2.4 Report Availability

• SOC 2 report summary available upon request
• Full SOC 2 report available under NDA to Customers and qualified prospects
• Bridge letters available for periods between audit reports
• Request reports at compliance@sctplus.com

3.1 What Is CJIS?

The Criminal Justice Information Services (CJIS) Security Policy is published by the FBI and establishes security requirements for any organization that accesses, stores, or transmits criminal justice information (CJI). If your organization shares SCT+ footage or analytics with law enforcement agencies, CJIS compliance may be required.

3.2 Who Needs CJIS Compliance?

• Law enforcement agencies using SCT+ for surveillance
• Organizations that share footage with law enforcement as part of formal partnerships
• Government entities that integrate SCT+ with criminal justice systems
• Private organizations providing security services to law enforcement

3.3 How SCT+ Complies with CJIS

• Personnel security: All employees with potential CJI access undergo fingerprint-based background checks
• Access controls: CJIS-compliant authentication with advanced authentication at CJI access points
• Encryption: AES-256 encryption meets CJIS encryption requirements (FIPS 140-2 validated)
• Audit and accountability: Comprehensive audit logging meeting CJIS audit trail requirements
• Media protection: Secure handling and destruction of media containing CJI
• Physical protection: Data center physical security meets CJIS physical protection requirements
• System and communications protection: Network segmentation and monitoring per CJIS requirements

3.4 CJIS Security Addendum

We provide a CJIS Security Addendum for qualifying Customers that formalizes our compliance obligations. Contact compliance@sctplus.com to request the addendum.

4.1 Our Approach

Rather than treating each state's privacy law as a separate compliance project, we've implemented a unified privacy framework that meets or exceeds the requirements of all current state privacy legislation. This means all Customers benefit from the highest standard of privacy protection regardless of their location.

4.2 California (CCPA/CPRA)

• Full compliance with the California Consumer Privacy Act and California Privacy Rights Act
• Privacy notice provided to California consumers
• Data subject request processing within required timelines (45 days)
• No sale or sharing of personal information
• Sensitive personal information use limitations honored
• Annual risk assessment for high-risk processing activities

4.3 Other State Privacy Laws

We comply with comprehensive privacy laws in all states that have enacted them, including but not limited to:

• Colorado (CPA): Consumer rights, data protection assessments
• Connecticut (CTDPA): Consent for sensitive data, universal opt-out
• Virginia (VCDPA): Consumer rights, data protection assessments
• Utah (UCPA): Consumer rights, business obligations
• Montana (MCDPA): Consumer rights, consent requirements
• Oregon (OCPA): Consumer rights, processor obligations
• Texas (TDPSA): Consumer rights, data protection assessments

4.4 Biometric Privacy Laws

Several states have specific biometric privacy requirements that apply to our facial recognition capabilities:

• Illinois (BIPA): Written consent, data retention policies, private right of action
• Texas: Notice and consent for biometric capture
• Washington: Commercial purpose restrictions for biometric data

We provide Customers with tools and documentation to help them meet their notice and consent obligations for biometric data collection.

5.1 Retail (PCI-DSS Considerations)

When SCT+ cameras are deployed in retail environments near payment processing areas:

• Camera positioning guidance to avoid capturing payment card data
• If card data is inadvertently captured, it is automatically redacted by our AI
• Our systems are not part of the cardholder data environment (CDE)
• Documentation available to support your PCI-DSS assessment
• We do not store, process, or transmit cardholder data

5.2 Healthcare (HIPAA Considerations)

For healthcare facilities using SCT+ for security monitoring:

• Business Associate Agreement (BAA) available for Customers who require it
• Cameras positioned to monitor facility access, not patient care areas
• If protected health information (PHI) is incidentally captured, it is handled per HIPAA requirements
• Encryption and access controls meet HIPAA Security Rule requirements
• Audit logging supports HIPAA audit trail requirements
• Breach notification procedures align with HIPAA Breach Notification Rule

5.3 Education (FERPA Considerations)

For schools, colleges, and universities using SCT+ for campus security:

• Camera footage from educational campuses may contain education records under FERPA
• SCT+ can serve as a "school official" under FERPA with a legitimate educational interest in campus safety
• Access to campus footage is restricted to authorized school personnel
• Footage retention and sharing policies align with FERPA requirements
• Parental/student notification guidance provided

5.4 Government (FedRAMP / FISMA)

For federal, state, and local government agencies:

• FedRAMP: Authorization pathway in progress for federal agencies
• FISMA: Security controls aligned with NIST 800-53 framework
• StateRAMP: Pursuing StateRAMP authorization for state/local government adoption
• Government-specific deployment options with enhanced security controls
• Ability to operate in government-designated cloud environments upon FedRAMP authorization

5.5 Construction (OSHA Compliance)

For construction sites using SCT+ for safety and security monitoring:

• Cameras can monitor compliance with OSHA safety requirements (PPE, fall protection, exclusion zones)
• Video evidence supports OSHA incident investigation and reporting
• Safety analytics can track hard hat and safety vest compliance
• Documentation supports workplace safety audit requirements
• Footage retention policies align with OSHA recordkeeping requirements (5 years for serious injuries)

6.1 Configurable Retention

Customers can configure retention periods to meet their specific regulatory requirements:

• Standard: 30 days (default for all camera footage)
• Extended: 60, 90, or 180 days (available at additional cost)
• Custom: Longer retention available for specific compliance needs
• Per-camera: Different retention periods can be set per camera/location

6.2 Automated Deletion

• Footage is automatically and permanently deleted after the configured retention period
• Deletion is logged for audit trail purposes
• Deleted data cannot be recovered
• Deletion applies to all copies including backups (within backup rotation schedule)

6.3 Legal Hold

• Customers can place specific footage on legal hold to prevent automated deletion
• Legal holds override retention policies indefinitely until released
• Legal hold status is visible in the platform and audit logs
• Legal hold evidence is preserved with chain-of-custody documentation

7.1 Available Reports

The SCT+ platform provides compliance-ready reports:

• Access audit report: Who accessed what footage, when, and from where
• Alert response report: All alerts, response times, and actions taken
• System availability report: Uptime metrics by camera and by month
• User activity report: Login history, permission changes, account modifications
• Data handling report: Retention compliance, deletion records, export history
• Incident report: Security events, response actions, and resolution status

7.2 Audit Trail

• Immutable audit logs for all platform activity
• Logs retained for minimum of one year
• Exportable in standard formats (CSV, JSON) for external audit tools
• Integration available with enterprise SIEM systems (Splunk, Sentinel, etc.)

7.3 Compliance Documentation

Upon request, we provide:

• SOC 2 Type II report (under NDA)
• CJIS Security Addendum
• Business Associate Agreement (HIPAA)
• Data Processing Agreement
• Sub-processor list
• Security questionnaire responses (SIG, CAIQ, custom)
• Penetration test executive summary (under NDA)

7.4 Evidence Packages

For legal and investigative purposes, the platform generates court-ready evidence packages:

• Video clips with metadata and timestamps
• Chain-of-custody documentation
• Hash verification for footage integrity
• Audit trail showing who accessed the footage
• AI detection logs and confidence scores

8.1 Bias Testing

We are committed to fair and equitable AI:

• Regular bias testing across demographic groups for facial recognition accuracy
• Third-party fairness audits conducted annually
• Performance reporting disaggregated by demographic factors
• Ongoing model improvement to address any identified disparities
• Transparency reporting on AI accuracy metrics

8.2 Accuracy Reporting

• Published accuracy metrics for all AI capabilities (detection, recognition, classification)
• False positive and false negative rates tracked and reported
• Accuracy metrics broken down by environmental conditions (lighting, weather, distance)
• Customer-accessible accuracy dashboards for their specific deployments

8.3 Human Oversight Requirements

• All AI-generated alerts resulting in law enforcement contact require human verification
• Customers can configure automation levels (fully automated alerts vs. human-reviewed)
• Critical decisions (access denial, law enforcement dispatch) always include human review
• Override and correction mechanisms available for AI classifications

8.4 Ethical AI Principles

SCT+ is guided by the following principles in our AI development:

• Transparency: Customers understand what our AI does and how it works
• Fairness: Our AI treats all individuals equitably regardless of demographics
• Accountability: We take responsibility for our AI's performance and impacts
• Privacy: AI processing minimizes data collection to what is necessary
• Human control: Humans maintain meaningful oversight of AI decisions

9.1 Platform Accessibility

The SCT+ platform is designed to meet WCAG 2.1 Level AA accessibility standards:

• Keyboard navigation support throughout the platform
• Screen reader compatibility for all core functions
• Sufficient color contrast ratios
• Alternative text for all visual elements
• Consistent navigation and labeling
• Focus management and visible focus indicators

9.2 Accessibility Statement

We are committed to making our platform accessible to all users, including those with disabilities. If you encounter accessibility barriers, please contact accessibility@sctplus.com and we will work to provide accommodation.

10.1 US-Only Operations

SCT+ operates exclusively within the United States:

• All Services are provided within US territory only
• All data is stored and processed in US-based data centers
• No international data transfers occur
• Equipment is deployed only within the 50 US states and territories

10.2 Export Control Compliance

• SCT+ technology is subject to US export control regulations
• Our AI and surveillance technology is classified under applicable export control categories
• We do not export hardware, software, or data outside the United States
• Customers may not export or re-export SCT+ technology or data