SCT+ Security & Data Protection

YOUR SECURITY DATA, PROTECTED

Enterprise-grade encryption, SOC 2 certified infrastructure, and rigorous access controls ensure your security footage and data remain protected at every layer.

Security at Every Layer

Our comprehensive security program protects your data from the physical layer to the application layer.

AES-256 Encryption

All data encrypted at rest using military-grade AES-256 encryption.

TLS 1.3 In Transit

All data protected with the latest transport security protocol.

SOC 2 Type II

Annual independent audits verify our security controls.

Multi-Factor Auth

Required for all platform access with no exceptions.

24/7 Monitoring

Security Operations Center monitors infrastructure continuously.

HSM Key Management

Encryption keys managed through dedicated Hardware Security Modules.

US-Based Data Centers

All data stored exclusively in certified US data centers.

Incident Response

72-hour customer notification for confirmed security incidents.

Certifications & Compliance

SOC 2 Type II
CJIS Compliant
FedRAMP Pathway
CCPA/CPRA Compliant

1. Security Overview

At SCT+, protecting your security data is our top priority. We understand that the footage and analytics from our cameras represent some of the most sensitive data your organization handles. That's why we've built our infrastructure from the ground up with security as a foundational principle, not an afterthought.

Our security program encompasses every layer of our technology stack, from the physical security of our data centers to the encryption protecting your video streams, to the access controls governing who can view your footage. We continuously invest in security improvements and submit to independent audits to verify our commitments.

2. Encryption

2.1 Data at Rest

All stored data is protected with AES-256 encryption, the same standard used by financial institutions and government agencies:

  • Video footage stored in our cloud infrastructure
  • AI-extracted metadata and analytics data
  • Customer account information and configurations
  • Backup and disaster recovery data
  • Encryption keys managed through a dedicated Hardware Security Module (HSM)

2.2 Data in Transit

All data moving between systems is protected with TLS 1.3, the latest and most secure transport protocol:

  • Camera-to-cloud video uploads
  • Platform access via web browsers and mobile apps
  • API communications between services
  • Internal service-to-service communications

2.3 End-to-End Video Encryption

Live video streams are protected with end-to-end encryption:

  • Video is encrypted at the camera before transmission
  • Streams remain encrypted through all intermediate infrastructure
  • Decryption occurs only at the authorized viewing endpoint
  • Even SCT+ infrastructure cannot access decrypted live streams in transit

3. Infrastructure

3.1 Data Center Certification

Our infrastructure is hosted in SOC 2 Type II certified data centers that provide:

  • 24/7 physical security with biometric access controls
  • Redundant power systems with battery and generator backup
  • Advanced fire suppression and environmental controls
  • Multi-layer physical access restrictions

3.2 Geographic Redundancy

  • Primary and secondary data centers in geographically separated US regions
  • Real-time data replication between facilities
  • Automatic failover capabilities with minimal service interruption
  • All data remains within the United States at all times

3.3 Availability

  • 99.99% infrastructure availability target
  • Redundant network paths and load balancing
  • Auto-scaling to handle traffic spikes
  • Regular disaster recovery testing and validation

4. Access Controls

4.1 Role-Based Access Control (RBAC)

Every user, whether a Customer or SCT+ employee, is granted only the minimum permissions required for their role:

  • Customer Admin: Full account access, user management, all footage
  • Customer Viewer: View live and recorded footage, receive alerts
  • Customer Analyst: Search and investigate, create evidence packages
  • SCT+ Monitor: View alerts for response purposes only, no footage download
  • SCT+ Support: Account assistance with Customer-authorized access only
  • SCT+ Engineering: Infrastructure access only, no Customer footage access

4.2 Multi-Factor Authentication

  • Required for all platform access (no exceptions)
  • Supports authenticator apps (TOTP), SMS, and hardware security keys
  • Step-up authentication required for sensitive operations (data export, user management)
  • Session timeout after 30 minutes of inactivity

4.3 Audit Logging

Every action within the SCT+ platform is logged and monitored:

  • Who accessed what data, when, and from where
  • All configuration changes and permission modifications
  • Video playback, download, and sharing events
  • Authentication attempts (successful and failed)
  • Audit logs are immutable and retained for one year

4.4 Principle of Least Privilege

  • Access is granted based on job function, not seniority
  • Temporary elevated access requires approval and is time-limited
  • Regular access reviews conducted quarterly
  • Immediate access revocation upon role change or departure

5. AI Data Handling

5.1 Processing Architecture

Our AI processes video data with strict data separation:

  • AI inference runs on dedicated, isolated compute infrastructure
  • Each Customer's data is processed in a logically separated environment
  • No Customer data is commingled during processing

5.2 Ephemeral vs. Stored Data

  • Ephemeral (processed and discarded): Raw video frames during AI analysis, intermediate computation results, real-time detection confidence scores
  • Stored (retained per policy): Event metadata (timestamps, classifications), extracted features for search (stored in encrypted, indexed format), alert records and response logs

5.3 Model Training Isolation

  • Production AI models are trained on carefully curated, consented datasets
  • Customer footage used for model improvement is always opt-in and anonymized
  • Training and production environments are strictly separated
  • No individually identifiable data is retained in model weights

6. Network Security

6.1 Secure Connectivity

  • All camera communications use encrypted VPN tunnels
  • Cameras are not directly addressable from the public internet
  • Private network segments isolate camera traffic from other services
  • Certificate-based authentication for all device connections

6.2 Firewall and Segmentation

  • Multi-layer firewall architecture (network, application, and web application firewalls)
  • Micro-segmentation between internal services
  • Strict ingress and egress filtering
  • Regular firewall rule reviews and cleanup

6.3 Intrusion Detection and Prevention

  • Network-based intrusion detection systems (IDS) monitor all traffic
  • Host-based intrusion detection on all servers
  • Behavioral anomaly detection for unusual access patterns
  • Automated blocking of known malicious traffic

6.4 DDoS Protection

  • Multi-layer DDoS mitigation (network, transport, and application layers)
  • Traffic scrubbing and rate limiting
  • Geographic traffic filtering capabilities
  • Automatic scaling to absorb volumetric attacks

7. Incident Response

7.1 Detection

  • 24/7 Security Operations Center (SOC) monitoring
  • Automated alerting on security anomalies
  • Regular vulnerability scanning and penetration testing
  • Threat intelligence integration for proactive detection

7.2 Containment

  • Documented containment procedures for all incident types
  • Ability to isolate affected systems within minutes
  • Preserved forensic evidence for investigation
  • Cross-functional incident response team activation

7.3 Customer Notification

  • Affected Customers notified within 72 hours of a confirmed breach
  • Notification includes: what happened, what data was affected, what we're doing, what you should do
  • Ongoing updates throughout the investigation
  • Final incident report provided upon resolution

7.4 Remediation

  • Root cause analysis for every security incident
  • Implementation of preventive measures
  • Verification testing to confirm remediation
  • Post-mortem review with documented lessons learned

8. Compliance and Certifications

8.1 SOC 2 Type II

  • Annual SOC 2 Type II audit by an independent third-party firm
  • Covers Security, Availability, and Confidentiality trust service criteria
  • Audit report available to Customers and prospects under NDA
  • Continuous monitoring between annual audits

8.2 CJIS Compliance

  • Compliant with FBI Criminal Justice Information Services (CJIS) Security Policy
  • Required for Customers who share data with law enforcement
  • Includes background checks, encryption, access controls, and audit requirements
  • CJIS Security Addendum available for qualifying Customers

8.3 FedRAMP Pathway

  • Currently pursuing FedRAMP authorization for federal government Customers
  • Infrastructure aligned with FedRAMP Moderate baseline controls
  • NIST 800-53 control framework implementation in progress

8.4 State Privacy Law Compliance

  • Compliant with CCPA, CPRA, and all current state privacy laws
  • Regular assessment of new state privacy legislation
  • Data Processing Agreements available for all Customers

9. Physical Security

9.1 Data Center Physical Security

  • 24/7 on-site security personnel
  • Biometric and badge access controls at all entry points
  • Video surveillance of all data center areas
  • Mantrap entries at secure perimeters
  • Visitor escort requirements and logging

9.2 Equipment Hardening

  • SCT+ cameras include physical tamper detection sensors
  • Tamper alerts are immediately escalated to the monitoring team
  • Equipment enclosures are secured with proprietary fasteners
  • GPS tracking on all deployed equipment

10. Third-Party Security

10.1 Vendor Assessment

  • All vendors undergo security assessment before engagement
  • Annual reassessment of critical vendors
  • Vendors must meet our minimum security standards
  • Right-to-audit clauses in all vendor agreements

10.2 Data Processing Agreements

  • All sub-processors are bound by data processing agreements
  • Sub-processors may only process data for specified purposes
  • We maintain liability for sub-processor actions
  • Current sub-processor list available upon request

10.3 Sub-Processor Categories

  • Cloud infrastructure (compute, storage, networking)
  • Content delivery (video streaming optimization)
  • Communication services (email, SMS, push notifications)
  • Payment processing (billing and invoicing)
  • Analytics (aggregate platform usage only)

11. Security Updates and Patching

11.1 Patch Management

  • Critical security patches applied within 24 hours of release
  • High-priority patches applied within 7 days
  • Regular patching cycle for all other updates (monthly)
  • Emergency patch procedures for zero-day vulnerabilities

11.2 Camera Firmware Updates

  • Over-the-air firmware updates for all deployed cameras
  • Updates deployed in staged rollouts to minimize risk
  • Automatic rollback capability if issues are detected
  • Customers notified of firmware updates in advance

11.3 Vulnerability Management

  • Regular vulnerability scanning (weekly automated, quarterly manual)
  • Annual penetration testing by independent security firms
  • Bug bounty program for responsible disclosure
  • Vulnerability severity rating using the CVSS framework

11.4 Responsible Disclosure

We welcome security researchers who help us keep our platform safe:

  • Report vulnerabilities to security@sctplus.com
  • We commit to acknowledging reports within 48 hours
  • We will not take legal action against good-faith researchers
  • We provide recognition (and potential bounties) for valid findings
  • Please allow 90 days for remediation before public disclosure

12. Customer Security Controls

As a Customer, you have control over several security settings:

12.1 Access Management

  • Add, remove, and manage authorized users
  • Assign role-based permissions to each user
  • Require specific MFA methods for your organization
  • Set session timeout policies

12.2 Alert Configuration

  • Define custom alert rules and escalation procedures
  • Set geographic restrictions for account access
  • Configure IP allowlists for platform access
  • Enable login notifications for all account activity

12.3 Data Controls

  • Set custom retention periods (within available options)
  • Control footage sharing and download permissions
  • Manage evidence package distribution
  • Configure automated data deletion rules

12.4 Integration Security

  • API keys with configurable permissions and expiration
  • Webhook authentication for event integrations
  • OAuth 2.0 for third-party platform connections
  • Audit log integration with your SIEM system

13. Contact Security Team

Security Concerns or Vulnerability Reports

Email: security@sctplus.com

Responsible Disclosure / Bug Bounty

Email: security@sctplus.com

Subject: [Responsible Disclosure] - Brief description

Compliance and Audit Requests

Email: compliance@sctplus.com

Emergency Security Incidents (Existing Customers)

Phone: 1-800-SCT-PLUS

Select the option for Security
