Encryption

- At rest: AES-256 encryption for all stored data
- In transit: TLS 1.3 for all API and dashboard connections
- ID photos: Encrypted separately with per-tenant keys

Compliance

- SOC 2 Type II: Certified (audit report available on request)
- FERPA: Compliant for educational institutions
- HIPAA: Compliant for healthcare facilities (BAA available)
- GDPR: Data processing agreement available for EU customers

Data Retention

Configure retention policies in Settings → Security → Data Retention:

- Visitor records: 30 days to unlimited
- ID scan images: 24 hours to 1 year
- Video/photos: 7 days to 1 year
- Audit logs: 1 year (non-configurable)

Access Controls

- Role-based access control (RBAC) with 5 built-in roles
- Two-factor authentication (2FA) for all admin accounts
- Session timeout configuration
- IP allowlisting (Enterprise plan)

Data Deletion

- Visitors can request data deletion via the privacy portal
- Admins can purge individual records or bulk delete
- Account deletion removes all data within 30 days