FAQ - Security
Data is encrypted and securely stored on AWS. AWS is utilized because Amazon S3 is designed for 99.999999999% durability, ensuring that data will not be lost once it reaches the servers.
Compliance Certifications.
Compliance certifications are maintained through AWS Cloud, leveraging AWS Compliance
frameworks. https://aws.amazon.com/compliance/
Penetration Testing.
Internal penetration tests are conducted quarterly or after major releases.
Audits.
Audits are performed internally every three months or following major releases.
Data Labeling, Handling, and Security Policies.
Customer data is anonymized, with AWS IAM Policies implemented to prevent unauthorized
access.
Customer Data Retention Enforcement.
Data retention is enforced, allowing data purging with customer or camera deletion. Deletion
is managed by the integrator.
Separation of Production and Non-Production Data.
AWS VPC is utilized to segregate environments, avoiding on-premises staging.
Multi-Tenant Data Leakage Prevention.
Anonymization of data and AWS IAM Policies prevent unauthorized access and data leakage.
Data Loss Prevention.
AWS GuardDuty is used, ensuring no third-party access to cloud infrastructure.
Data Location Consistency.
Customer data is stored exclusively on AWS servers and not moved between physical
locations.
Information Security Standards.
The solution aligns with industry standards via AWS SecurityHub.
https://aws.amazon.com/compliance/
Third-Party Service Providers.
AWS Cloud is utilized.
Timely Access Removal.
Access is revoked promptly using AWS IAM Policies.
Documentation of Access Approvals.
AWS CloudTrail and SecurityHub document data access approvals.
Access Deprovisioning.
User access is deprovisioned upon any status change in personnel.
Data Encryption at Rest.
Data at rest is encrypted using AWS S3 server-side encryption (AES-256).
Data Encryption in Transit.
AES-256 is employed for transport encryption via SSL tunnels in the Starllion PUSH technology.
Vulnerability Scanning.
Regular vulnerability scans are conducted using AWS AMI, ECS ASG, Fargate, and serverless
architecture.
Vulnerability Patching.
Critical vulnerabilities are patched promptly using AWS AMI recalls and ECS redeployment.
Anti-Malware Programs.
AWS WAF, GuardDuty, and serverless architecture ensure malware protection.
Incident Notification.
Customers are informed in case of unauthorized data release.
SIEM System.
AWS SecurityHub, GuardDuty, and CloudTrail are utilized.
Incident Isolation.
Incidents can be isolated to specific customers via anonymized data and admin-panel logs.
Source Code Access Controls.
Source code access is restricted using AWS IAM Policies, GuardDuty, and CloudTrail.
Service Management Providers.
No outsourced providers are used for service management.
Logical Data Segmentation.
Logical segmentation is supported via private cloud installations.
Intellectual Property Protection.
Not applicable; no customer intellectual property is stored or processed.
Data Geographic Restrictions.
Data can be restricted to specific AWS regions or zones, including GovCloud.
Chain-of-Custody Compliance.
Incident response plans adhere to industry chain-of-custody standards.
Data Separation for Legal Subpoenas.
Data separation is enforced for legal requirements.
Litigation Hold Support.
Video footage can be saved in the Library for litigation, unaffected by regular deletion
protocols.
Metadata Access.
Metadata is accessed for AI video analytics under customer-defined alert schedules.
Metadata Inspection.
No metadata is created or collected through inspection technologies.
Identity Federation.
Identity federation standards such as SAML and OAuth2 are supported.
Strong Authentication for Users.
MFA is available for end-users.
Strong Authentication for Administrators.
MFA is mandatory for administrators, supported by AWS IAM Policies.
SDLC Security Standards.
Industry security standards are integrated into the SDLC.
Password Encryption.
Passwords are stored encrypted using AES-256 or equivalent AWS ciphers.
Supplier Security Standards.
Software suppliers adhere to security standards.
User ID/Password Management.
User ID and password management follow policies with MFA and password complexity rules.
The minimum password length is 8 characters.
Require at least one number.
Require at least one non-alphanumeric character (! @ # $ % ^ & * ( ) _ + - = [ ] { } | ')
Allow users to change their own password.
Remember the last 3 password(s) and prevent reuse.
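The rules listed above can be enforced at password-change time as in the following added example, which is not Starllion code. The class and function names are hypothetical. It assumes that "the last 3 passwords" includes the current one and that history entries are kept as salted PBKDF2 digests, which is a choice made for this example and not a description of the product's storage.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8
HISTORY_DEPTH = 3
# Non-alphanumeric characters accepted by the policy listed on this page.
SPECIALS = set("!@#$%^&*()_+-=[]{}|'")


def _digest(password: str, salt: bytes) -> bytes:
    # Salted, slow digest so the history never holds recoverable passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PasswordPolicy:
    """Hypothetical per-user policy state: complexity rules plus reuse history."""

    def __init__(self):
        self._history = []  # (salt, digest) pairs, newest last

    def violations(self, password: str) -> list:
        problems = []
        if len(password) < MIN_LENGTH:
            problems.append("shorter than 8 characters")
        if not any(c in string.digits for c in password):
            problems.append("no number")
        if not any(c in SPECIALS for c in password):
            problems.append("no non-alphanumeric character")
        # Recompute the candidate's digest under each stored salt.
        for salt, digest in self._history:
            if hmac.compare_digest(_digest(password, salt), digest):
                problems.append("matches one of the last 3 passwords")
                break
        return problems

    def set_password(self, password: str) -> list:
        """Store the password if it passes; return the list of violations."""
        problems = self.violations(password)
        if not problems:
            salt = os.urandom(16)
            self._history.append((salt, _digest(password, salt)))
            del self._history[:-HISTORY_DEPTH]  # keep only the newest 3
        return problems
```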
Risk Assessment Program.
A comprehensive risk assessment program is in place, approved by management.
Information Security Program.
Security policies are established, approved, and reviewed annually.
Program Review.
Policies are reviewed annually.
Third-Party Management Program.
AWS Security and Compliance tools are leveraged.
https://aws.amazon.com/products/security
Background Checks.
Annual employee background checks are conducted.
Change Management Program.
A formal change management program is established.
Antivirus/Malware Policy.
AWS and other security tools continuously monitor and protect against malicious activity.
System Backups.
AWS snapshot and backup services ensure redundancy with daily snapshots.
Firewall/ACLs.
AWS detection and network tools are utilized.
https://aws.amazon.com/products/security/?nc=sn&loc=2
Vulnerability Testing.
Internal penetration tests are conducted quarterly or after major releases.
Application Security Testing.
Applications undergo regular vulnerability testing and checks against attack vectors.
SDLC Security and Privacy by Design.
Security is embedded into the SDLC, including regular updates and code inspections.
Encryption Tool Maintenance.
AWS encryption tools are consistently managed.
Incident Management.
AWS Incident Management services are utilized.
https://aws.amazon.com/products/security/?nc=sn&loc=2
Business Continuity and Disaster Recovery.
Business continuity and disaster recovery plans follow AWS guidelines.
AWS D/CP is leveraged:
https://docs.aws.amazon.com/whitepapers/latest/disaster-recovery-workloads-on-aws/disaster-recovery-options-in-the-cloud.html
BC/DR Testing.
Tests are conducted annually or post-major infrastructure changes.
AWS Config provides continuous monitoring and recording of AWS resource changes.
AWS CloudFormation is utilized to automate testing processes.
For more details, see https://docs.aws.amazon.com/whitepapers/latest/disaster-recovery-workloads-on-aws/disaster-recovery-options-in-the-cloud.html
Business Impact Analysis.
Annual business impact analyses are performed.
Internal Audit and Compliance.
A dedicated team oversees audit, risk, and compliance processes.
Privacy Risk Assessments.
Privacy risks are assessed annually or during regional expansions.
Privacy Incident Reporting.
A formal process addresses privacy complaints and incidents.
Incident Response for Privacy Breaches.
AWS Automated Incident Response frameworks are leveraged.
Privacy Program Implementation.
Administrative, technical, and physical safeguards are documented and maintained.
A documented privacy program is in place, incorporating administrative, technical, and physical safeguards to protect systems and data. This program follows established guidelines and policies.
The program leverages AWS Security and Compliance tools (https://aws.amazon.com/products/security), the AWS FTR program, and the AWS Well-Architected Framework and toolset (https://aws.amazon.com/architecture/well-architected/).
To limit outbound traffic from a network to a specific DNS name, a rule can be created for `*.starllion.com`.
For restricting inbound traffic from Starllion Cloud servers into a network, DNS resolution cannot be relied upon. A single DNS name may represent hundreds of servers, with DNS resolution returning individual server IPs in a round-robin manner. For example, if a port-forwarded camera is configured, limiting access to it using resolved IP addresses from Starllion Cloud DNS is not feasible, as these IPs are subject to change.
For networks with cameras that do not support the encrypted push module, Starllion Cloud Gateway can be used. This gateway establishes an encrypted tunnel between the cameras and the Starllion Cloud, ensuring secure communication. It also supports secure webhook calls from the cloud to the local network. For instance, it enables actions like activating network speakers based on human detection within a specific area and time.
A P&P tool has been developed to enable integration of select camera models with services without requiring port forwarding. The push module establishes an encrypted tunnel between the cloud and the camera, eliminating the need for port forwarding. This approach ensures a secure and reliable connection between the camera and the cloud while maintaining network security.
The push module operates without requiring open ports on the customer's end, allowing the network to remain closed and secure against external attacks. Video data is transmitted through a direct, encrypted tunnel to AWS, ensuring secure communication.
The Starllion Cloud Plug and Play solution is built on proprietary technologies, avoiding reliance on manufacturer plug-and-play features. Instead, a custom module is integrated into the camera to establish a direct, encrypted tunnel between the camera and Starllion servers. All data from the camera is transmitted directly to these servers, without involving any third-party servers in the process.
Permission to view, create, and download clips is determined by user roles.
The system operates as follows:
Roles define which cameras are accessible to a user.
Roles specify whether clips can be saved for specific cameras.
User interactions with the video portal are based on role-assigned permissions. If the role includes "Save Clip" permission, the user can create clips for assigned cameras.
Clips are part of the camera's archive, not tied to individual users. When a user with permission to create clips for a camera generates a clip, it becomes part of the camera archive. Any user with access to that camera can view the clip in the Library.
For instance, in a scenario with four cameras and two users: User A has permission to view and create clips for all four cameras, while User B can only view two cameras. If User A creates one clip for each camera, User B will only see the clips associated with the two cameras they are authorized to view.
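The four-camera, two-user scenario above, modeled as an added example that is not Starllion code. All class names, function names and camera ids are hypothetical, and it assumes User B's role carries no "Save Clip" permission. The point it demonstrates is that clip visibility is decided by camera access alone, never by who created the clip.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Role:
    view: frozenset        # cameras the role makes accessible
    save_clip: frozenset   # cameras on which "Save Clip" is granted


@dataclass(frozen=True)
class Clip:
    camera: str
    title: str
    created_by: str        # kept for audit only, never used for visibility


@dataclass
class Library:
    clips: list = field(default_factory=list)

    def create_clip(self, user, role, camera, title):
        # Both conditions are required: camera access and "Save Clip" on it.
        if camera not in role.view or camera not in role.save_clip:
            raise PermissionError(f"{user} may not save clips for {camera}")
        clip = Clip(camera, title, user)
        self.clips.append(clip)
        return clip

    def visible_clips(self, role):
        # Clips belong to the camera archive, so filter by camera access only.
        return [c for c in self.clips if c.camera in role.view]


def run_scenario():
    cams = ["cam1", "cam2", "cam3", "cam4"]  # constructed camera ids
    role_a = Role(view=frozenset(cams), save_clip=frozenset(cams))
    role_b = Role(view=frozenset(cams[:2]), save_clip=frozenset())
    lib = Library()
    for cam in cams:
        lib.create_clip("user_a", role_a, cam, f"clip-{cam}")
    try:
        lib.create_clip("user_b", role_b, "cam1", "denied")
        b_can_save = True
    except PermissionError:
        b_can_save = False
    return {
        "a_sees": sorted(c.camera for c in lib.visible_clips(role_a)),
        "b_sees": sorted(c.camera for c in lib.visible_clips(role_b)),
        "b_can_save": b_can_save,
    }
```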