Purpose
These guidelines provide a brief overview of potential safety and security risks when using Indivd. This is not professional advice; consult an expert if needed.
Background
Indivd uses cameras and infrastructure managed by the data controller, as regulated in the agreement. Video data should not be stored unless legally required (e.g., for security purposes), and where it is stored it must be handled appropriately. These guidelines are based on a risk assessment by IBM Security conducted on April 16, 2020.
Legal Framework
Article 24 of the GDPR mandates that controllers implement appropriate technical and organizational measures, including data protection policies. Article 32 requires controllers and processors to ensure security measures such as encryption, confidentiality, integrity, and regular testing.
Contact
For any questions or concerns about safety and security risks, contact us at privacy@indivd.com.
Recommendations
Encryption
- Encrypt External Connections: Any connection to the camera network from an outside source should be encrypted. If the camera network bridges over a public or vulnerable network, ensure encryption follows up-to-date industry standards like AES.
Confidentiality of Processing Systems and Services
- Prevent Unauthorized Access: Ensure that unauthorized persons cannot access data processing systems. Password-protect cameras and limit password access to necessary personnel. Store passwords securely and use strong passwords as per NIST SP 800-41 standards.
- Firewall Protection: Protect the camera network with a properly configured firewall, adhering to industry standards such as NIST SP 800-63B.
- Secure Storage: Stream video data for anonymization rather than storing it, unless storage is legally justified. Where storage is necessary (e.g., security cameras), handle the stored data securely.
- Physical Security: Protect the camera network and local servers from unauthorized physical access, following industry standards.
Integrity of Processing Systems and Services
- Maintain System Integrity: Use technical and organizational measures to protect authorizations and protocols/logs, and conduct regular audits. Log incoming and outgoing connections as per NIST SP 800-92 standards.
Regular Testing, Assessment, and Evaluation
- Implement a Security Concept: Regularly test and assess the effectiveness of technical and organizational measures.
- Review Process: Conduct reviews by the data protection officer and engage in external reviews, audits, and certifications.
These guidelines aim to ensure the security and privacy of data processed using Indivd, aligning with GDPR requirements and best practices.
Version: 1.2
Date: 7 December 2023