Security & compliance

Your footage stays on your site. Full stop.

The Fenec Labs appliance runs entirely behind your firewall. Video is processed, redacted, and discarded locally. Only the metadata you choose ever leaves the box.

No inbound ports required · Air-gap supported · DPA on request
Data flow

Where every frame goes — and where it does not.

Cameras in, alerts and metadata out, video stays put.

[Diagram: your site · behind your firewall]
  • Cameras
    cam-01 to cam-04, each RTSP · H.264.
  • Fenec Labs appliance · 1U · on-prem
    01 Ingest (decode · batch), 02 Face redact (in-stream), 03 Detect (PPE · zones), 04 Rules (dedupe · alert).
  • Local encrypted storage
    AES-256 · LUKS · TPM-sealed. Clips 30d · Metadata 13mo. Configurable retention.
  • Local dashboard & audit log
    Role-based access · SAML SSO · SCIM provisioning · Immutable event trail.
  • Outbound · metadata only (no video ever leaves)
    Alerts: Teams · Slack · webhooks (JSON · HTTPS). Events: SIEM · MES · warehouse (JSON · HTTPS). License heartbeat: optional · HTTPS out (JSON · HTTPS).
Runs on the appliance
No video ever leaves the site
Outbound-only metadata and alerts
GDPR mechanics

Compliance is not a checkbox. It is the architecture.

Every GDPR obligation has a concrete product mechanism rather than just a policy promise.

Face redaction in-stream

Faces can be blurred on the GPU before any frame touches disk or the network.

DSAR and erasure support

Event-level deletion workflows help respond to data-subject requests.

Retention policies

Configurable per stream with default clip and metadata retention windows.

Lawful basis and DPIA

Deployment package includes review material for DPIA and worker notices.

Network architecture

Outbound-only. Air-gap if you prefer.

The appliance does not need a public IP, does not open inbound ports, and can run offline with signed update bundles.

[Diagram: LAN · 10.0.0.0/16 (Cameras, Operators, SIEM / MES, Identity · SAML); firewall; Fenec Labs appliance (No inbound ports, TCP/443 LAN only, TPM · Secure boot, Signed OS image); license.www.feneclabs.com (optional)]

  • Inbound ports
    None required. Operator access is scoped to your LAN on TCP/443.
  • Outbound traffic
    Optional HTTPS heartbeat to license.feneclabs.com. Block it and run offline.
  • Air-gap mode
    Offline license file, no external calls, signed update bundles.
  • Access control
    Role-based access, SAML SSO, SCIM provisioning, scoped API tokens.
  • Audit trail
    Actions are written to an append-only log with operator identity.
Encryption

Encrypted in motion. Encrypted at rest. Bound to the box.

Defense in depth, not one tunnel carrying all trust.

AES-256 at rest

LUKS full-disk encryption on appliance volumes. Keys never leave the TPM.

TLS 1.3 in transit

Operator, control, and webhook traffic use modern cipher suites.

TPM-sealed keys

Disk keys are sealed to measured boot state.

Signed OS and secure boot

Release images are signed and verified from boot to userland.

Certifications & roadmap

Where we are. Where we are going. Dated.

We publish framework status plainly rather than implying finished certifications.

Framework | Status | Detail
GDPR DPA | Draft | Draft structure published; must be completed by counsel before signing.
ISO 45001-friendly reporting | Preparation | Reporting is designed to support future EHS audit workflows.
CSA STAR self-assessment | Planned | Questionnaire to be completed after incorporation and security review.
SOC 2 Type II | Not started | The SOC 2 audit period has not started.
ISO 27001 | Future track | Gap assessment and ISMS scoping are future work.
Pentesting & disclosure

Security review is planned before commercial pilots.

No external penetration test has been completed yet. Responsible disclosure is welcomed while the product is prepared for pilots.

  • Report a vulnerability
    Email security@feneclabs.com. PGP key on request. We respond within one business day.
  • Public policy
    Full scope and safe-harbor language will live at /security/disclosure.
  • Attestation
    Pending first external penetration test.
Trust center

Security materials without invented attestations.

Preparation documents are useful, but they are not a substitute for counsel review, audits, or issued certifications.

Security team

Talk to our security team.

Architecture review, DPIA walkthrough, or a direct Q&A about how the appliance behaves on your network.