WITNESS · Physical security sensing

The full residency proof. Named regions. Named windows.

The security page is the one-screen summary of our UK posture. This page is the long form — every named region, every retention window, every sub-processor, the lawful basis on file and the DPIA scope. It is the page the DPO sends to the auditor.

ICO ZA-registration is ZA-pending — UK ICO data-controller registration (in progress). The ZA number will replace this placeholder on issuance and on the JSON-LD provider.identifier above.

The request graph, edge by edge.

Six layers between the camera lens and an alert row. Each layer is named, located in a single UK jurisdiction, and bounded by a retention window. No US transit at any hop.

[Figure § 01 · UK sovereignty (not to scale): Camera (on-site · RTSP · no audio) → LHR edge (inference · embed only · no faces stored) → Embedding store (UK region · 30-day retention · DSPT v8). Facial-recognition store: excluded. Data controller: UK ICO ZA-registration (pending). DSPT v8 audit due 30 June 2026.]
Camera → LHR edge inference → UK embedding store. No facial-recognition store anywhere in the graph; raw frames never leave the edge node.
  • § 01 · CAPTURE

    Customer site · no Witness ingress

    RTSP stream from on-prem camera

    We never run the camera. The RTSP stream stays on the customer's LAN until it reaches the edge node, which is also on-prem (or in a customer-controlled UK colo).

  • § 02 · INFERENCE

    London · UK · Vercel lhr1 region

    Vercel lhr1 (London)

    The model is a 512-dimensional embedding generator. Runs at the LHR edge. EU-only inference; we never invoke a US-region model for a UK customer, and the model weights themselves are mirrored into a UK object store rather than fetched cross-Atlantic at cold-start.

  • § 03 · EMBEDDING STORE

    Neon Postgres · EU-WEST-2 (London)

    Neon Postgres EU-WEST-2 (London)

    Vector column with pgvector. Encrypted at rest with AES-256-GCM. Backup snapshots are pinned to the same UK region — no cross-region failover into Frankfurt or Dublin. 14-day retention; rolling delete after that, no archival.

  • § 04 · RAW FRAMES

    Edge node RAM only

    On-edge RAM only — 30s rolling buffer, never persisted

    Raw frames are held for at most 30 seconds in a ring buffer in the edge node's RAM, used only to compute the embedding. They are never written to durable storage, never uploaded to a Witness server, never re-transmitted.

  • § 05 · ALERT EVENTS

    Neon Postgres · EU-WEST-2 (London)

    Postgres rows in the same UK region

    When the same embedding reappears on a second camera within the tunable window, we write a row to the events table — camera ids, timestamp, similarity score. No embedding vector in the event row; no thumbnail. 30-day retention.

  • § 06 · OBSERVABILITY

    Vercel runtime logs · lhr1 retention

    Stdout logs · structured JSON

    Logs are scrubbed of camera identifiers below a hashing layer. Errors are sampled to Sentry's EU project (Frankfurt). No log line carries an embedding vector, a frame, or a customer identifier above the hashing layer.
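
One way to implement the § 06 scrubbing, as an added example that is not Witness's own code: identifiers are replaced with a keyed pseudonym and embedding vectors or frame bytes are dropped before a record reaches stdout. HMAC-SHA256 as the hashing layer, the field names, the 64-element vector threshold and the demo key are all assumptions; the page does not name them.

```javascript
// Added example, not Witness code. Field names and the key are assumptions.
const crypto = require('node:crypto');

const HASHED = new Set(['cameraId', 'customerId']);         // replaced by a pseudonym
const DROPPED = new Set(['embedding', 'frame', 'thumbnail']); // never logged

// Keyed HMAC rather than a bare hash: camera ids are low-entropy, so an unkeyed
// SHA-256 could be reversed by hashing every candidate id.
function pseudonym(key, field, value) {
  return crypto.createHmac('sha256', key)
    .update(`${field}\0${String(value)}`)
    .digest('hex')
    .slice(0, 16);
}

// Catches payloads logged under an unexpected key: any binary buffer, or a long
// all-numeric array (assumed threshold: 64 elements; the page's vectors have 512).
function isPayload(v) {
  if (ArrayBuffer.isView(v)) return true;
  return Array.isArray(v) && v.length >= 64 && v.every((x) => typeof x === 'number');
}

function scrub(value, key) {
  if (isPayload(value)) return undefined;
  if (Array.isArray(value)) {
    return value.map((v) => scrub(v, key)).filter((v) => v !== undefined);
  }
  if (value === null || typeof value !== 'object') return value;
  const out = {};
  for (const [k, v] of Object.entries(value)) {
    if (DROPPED.has(k) || isPayload(v)) continue;
    out[k] = HASHED.has(k) ? pseudonym(key, k, v) : scrub(v, key);
  }
  return out;
}

// Constructed sample record and demo key (not a real secret).
const DEMO_KEY = Buffer.from('constructed-demo-key');
const sample = {
  level: 'error', msg: 'event write failed', cameraId: 'cam-lobby-02',
  ctx: { customerId: 'acme-tower', score: 0.93, vec: new Array(512).fill(0.01) },
};

function demo() {
  return JSON.stringify(scrub(sample, DEMO_KEY));
}

console.log(demo());
```

The pseudonym stays stable for a given key, so log lines for one camera can still be correlated; rotating the key breaks that linkage.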

UK GDPR Art 6(1)(f) — legitimate interests.

The processing of embedding vectors derived from CCTV imagery for the purpose of detecting repeat appearances at a private perimeter rests on legitimate interests under UK GDPR Article 6(1)(f). The interests in question are the security of the building, the safety of the residents or guests, and the deterrence of unauthorised access — all interests that the ICO has repeatedly recognised as legitimate in the private-space CCTV guidance.

We hold a balancing test on file that walks through the three limbs the ICO requires — purpose, necessity, and the data-subject's reasonable expectations. The balancing test includes the alternatives we ruled out (manual concierge review of every visit; full facial recognition; no perimeter) and the reasons embedding ReID is the least-intrusive technically feasible option. The balancing test is shared with the customer's DPO before the pilot order form is signed.

We do not rely on consent (Article 6(1)(a)). Consent is the wrong basis for ambient perimeter security; people walking into a building lobby cannot meaningfully consent to a camera that watches every visitor. We do not rely on contract (Article 6(1)(b)) for the same reason. Article 9 special-category processing is out of scope because we don't process biometric templates — see the ReID-via-embeddings posture on /security#ico.

Five data classes. Five windows.

Retention is set per data class, not as a single site-wide window. The class with the shortest window — raw frames at 30 seconds — is also the class with the highest privacy cost.

  • 01

    Raw frames

    30 seconds (rolling buffer; RAM only)

    Necessary for the embedding computation; never persisted. Not a record under UK GDPR.

  • 02

    Embedding vectors

    14 days from first observation

    Operational lifetime of a ReID window. After 14 days, the vector is statistically meaningless against fresh detections and is hard-deleted.

  • 03

    Alert events

    30 days from event timestamp

    Long enough for a security review to complete a post-incident audit. Customer can request a shorter window in the order form.

  • 04

    Audit logs

    12 months

    DSPT v8 control mapping — auditor needs the trail of who accessed which embedding store, when, and for what reason.

  • 05

    Backups

    7 days; UK region only

    Disaster-recovery. Backups are not exfiltrated to other regions and not retained past the rolling window.
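
The 30-second raw-frame class (row 01, and § 04 earlier on this page) as an added example, not Witness's own code: an age-bounded in-RAM buffer that zeroes frame bytes on eviction and refuses to serialise its contents. The class name, the 900-frame cap and the sample frames are assumptions.

```javascript
// Added example, not Witness code. Names and the frame cap are assumptions.
const MAX_AGE_MS = 30_000; // the page's 30-second raw-frame window

class FrameBuffer {
  #slots = []; // oldest first: { at, bytes }

  constructor(maxAgeMs = MAX_AGE_MS, maxFrames = 900) { // assumed cap: 30 s at 30 fps
    this.maxAgeMs = maxAgeMs;
    this.maxFrames = maxFrames;
  }

  // Runs on every write and read. A periodic timer should call it as well,
  // otherwise a stalled stream would leave its last frames resident.
  evict(now) {
    let dropped = 0;
    while (this.#slots.length > 0 &&
           (now - this.#slots[0].at >= this.maxAgeMs ||
            this.#slots.length > this.maxFrames)) {
      this.#slots.shift().bytes.fill(0); // overwrite pixels before releasing the slot
      dropped += 1;
    }
    return dropped;
  }

  push(bytes, now) {
    this.#slots.push({ at: now, bytes });
    return this.evict(now);
  }

  // Frames still inside the window, for the embedding step only.
  window(now) {
    this.evict(now);
    return this.#slots.map((s) => s.bytes);
  }

  get size() { return this.#slots.length; }

  // JSON.stringify (a log line, a crash dump) sees a count, never pixel data.
  toJSON() { return { frames: this.#slots.length }; }
}

function demo() {
  const buf = new FrameBuffer();
  const first = Buffer.alloc(8, 0xff); // constructed stand-in for a frame
  buf.push(first, 0);
  buf.push(Buffer.alloc(8, 0xaa), 20_000);
  const dropped = buf.push(Buffer.alloc(8, 0xbb), 31_000); // first is now 31 s old
  return { dropped, size: buf.size, firstZeroed: first.every((b) => b === 0),
           json: JSON.stringify(buf) };
}
```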

DPIA scope and completion plan.

A Data Protection Impact Assessment is completed per pilot before the first camera is connected. The DPIA is signed by the customer's DPO and counter-signed by us as the processor; the template walks through the four limbs below.

  • § A · NECESSITY

    Is the processing necessary to achieve the security outcome? We answer this with the alternatives table — manual concierge review of every visit (more intrusive), full facial recognition (much more intrusive), no perimeter at all (no security outcome). Embedding ReID is the least-intrusive technical option that achieves the security outcome.

  • § B · PROPORTIONALITY

    Is the processing proportionate to the risk? We bound this with the retention windows above — 30-second raw frames, 14-day embeddings, 30-day events. No facial template ever; no recognition of identity, only of repeat appearance.

  • § C · RIGHTS

    Can the data subject exercise their rights? Yes. Subject access requests resolve against the embedding store + event log. Right to erasure resolves against the same. We publish the DSAR process on the customer's signage in the building; the customer routes the DSAR to us within 7 days of receipt.

  • § D · CONSULTATION

    Has the ICO been consulted? For high-risk processing the answer is yes — we will consult under Article 36 before any deployment that exceeds the bounded perimeter posture described above. For the bounded posture itself the answer is no; we hold written legal opinion that the bounded posture is below the consultation threshold.

Named. UK or EU.

Four named sub-processors, all in UK or EU jurisdictions. We publish the full list rather than the SaaS-default "see DPA on request" — a DPO should be able to read this in 90 seconds and decide whether to ask for a call.

  • VERCEL

    London (lhr1)

    Edge compute · static hosting

    Embedding generation; no raw frames; no facial templates. Logs are scrubbed of identifiers above the hashing layer.

  • NEON

    EU-WEST-2 (London)

    Postgres + pgvector store

    Embedding vectors; event rows; audit logs. Encrypted at rest. UK region pinned; no cross-region failover.

  • CLOUDFLARE

    Anycast (terminates at the closest UK PoP for UK visitors)

    DNS · WAF · TLS

    Public-facing marketing requests. No customer embedding data; no alerting traffic.

  • SENTRY

    Frankfurt (EU project)

    Error reporting

    Sampled error events. Embedding vectors and raw frames are not in the payload by construction; we scrub at the SDK layer.

Status ZA-pending.

The Information Commissioner's Office data-controller registration is filed. We will publish the issued ZA-prefixed number on this page and on the /security page on issuance, and the JSON-LD provider.identifier on every page will update at the same time so machine-readable crawlers find the live number without our touching their cache.

Target date: filed Q2 2026; expected issuance within the standard ICO window. We will not begin a paid pilot before the ZA number is live on this page.

The DPO inbox.

If you've read this far the next step is a 30-minute call with the founder, not a sales pass-through. Send the DPIA template you already use; we'll meet you on your paperwork rather than ours.