Encryption
- At rest: AES-256 encryption for all stored data
- In transit: TLS 1.3 for all API and dashboard connections
- ID photos: Encrypted separately with per-tenant keys

Compliance
- SOC 2 Type II: Certified (audit report available on request)
- FERPA: Compliant for educational institutions
- HIPAA: Compliant for healthcare facilities (BAA available)
- GDPR: Data processing agreement available for EU customers

Data Retention
Configure retention policies in Settings → Security → Data Retention:
- Visitor records: 30 days to unlimited
- ID scan images: 24 hours to 1 year
- Video/photos: 7 days to 1 year
- Audit logs: 1 year (non-configurable)

Access Controls
- Role-based access control (RBAC) with 5 built-in roles
- Two-factor authentication (2FA) for all admin accounts
- Session timeout configuration
- IP allowlisting (Enterprise plan)

Data Deletion
- Visitors can request data deletion via the privacy portal
- Admins can purge individual records or bulk delete
- Account deletion removes all data within 30 days