White paper

AXIS Guardian –Data Security and GDPR Compliance aspects

June 2018

2

AXIS Guardian –Data Security and GDPRCompliance aspectsAXIS Guardian is a cloud-based managed services platform hosted by Axis. The plattform is designed to allow security service providers and alarm monitoring companies to offer an end-to-end managed ser-vice with remote monitoring. AXIS Guardian is hosted in Amazon Web Services (AWS), under a service agreement with Amazon. Amazon is responsible for the physical safety of their servers, the security between their data centers and regions, network security, and certification of their data centers.

1. Generally about data securityAXIS Guardian runs on hardened Linux servers, employing industry standard hardening guidelines. Se-curity updates are continuously applied as they become available.

Axis employs industry standard best practices for the management of AXIS Guardian including multifac-tor authentication on all hosts, application of the concept of least privilege, network segmentation, and patching shared resources. This means that the system is designed to make sure that servers hosted in the cloud can only be reached by approved devices and users. Approval is needed on several levels and passwords are changed regularly.

Administrative access to AXIS Guardian on AWS is strictly limited to a small set of individuals at Axis HQ, and only as needed. When a person no longer requires access in order to maintain the AXIS Guard-ian system, their permissions are revoked even though they may still work for Axis. All network traffic between Axis HQ and AWS is encrypted and protected with multi-factor authentication.

Customer site

Internet Customer access

Alarm monitoring

3

The operational status of AXIS Guardian’s network, servers & infrastructure is continually monitored & maintained by a small dedicated response team on call 24/7. Moreover, Axis constantly monitors for access codes and access requests that are out of the ordinary. Malicious attempts to overload the sys-tem are automatically blocked as soon as they occur. AXIS Guardian is developed with security best-practices in mind. Threat analysis & mitigation and test-ing is built in to the development process. The Common Vulnerability and Exposures (CVE) database is continually monitored for potentially vulnerable components. Development is co-located with the team that maintains AXIS Guardian, meaning software artefacts remain secured on premise until deployed. Before deploying to production system, all updates are thoroughly tested end-to-end, including secu-rity, load and stability, on a staging system. AXIS Guardian exposes a number of application programming interfaces (API) for partners to be able to make use of the service. These APIs are accessible on the internet, but only over a TLS encrypted con-nection. Furthermore, all API use is password protected and all input is validated. AVHS mobile applica-tion and AVHS web application use these API exclusively for communicating with the service, making them equally safe to use. AVHS mobile application is approved according to the rigorous requirements of the U.S. Bureau of Industry and Security (BIS). Each account on AXIS Guardian manages several Axis network devices (cameras, most commonly) lo-cated on end-users’ networks around the world. Communications between an Axis network device and AXIS Guardian is always initiated from the network device, permitting them to be situated behind a secured firewall (a requirement). Axis’ authenticated device registration process and public-key infra-structure (PKI) allows AXIS Guardian to trust that the connecting device is indeed the device it claims to be, and conversely allows the device to trust that it is connecting to AXIS Guardian. So established, all two-way communication between AXIS Guardian and an Axis network device is kept safely within a TLS encrypted channel.

The secure communication channel also allows AXIS Guardian to monitor the operational status of devices and send notification in the event of failure. To further protect the end user, AXIS Guardian randomizes devices’ root passwords each time they connect, requiring users to access devices through AXIS Guardian. Access to device settings and video materials is strictly governed by a granular, “deny by default” permission system, controlled by the account maintainer. In this way a user can only see video, receive notifications, and change settings which they are expressly permitted. Video data is transmitted from Axis network cameras to AXIS Guardian over TLS encrypted channels where it is retained for however number of days the customer and local regulations re-quire, after which it is purged and no longer accessible by anyone. Video data as well as all other data is stored within the borders of the EU or the USA, depending on where the customer is based.

Each customer’s data is backed up separately and kept for as far back as customer subscription and local regulations allow. This means that, in the event of data corruption, the customer’s data can be restored from any point in time for as far back as back-ups are kept.

To know or not to know?Introducing AXIS Guardian – a cloud-based surveillance service platform, tailored to the needs of security and alarm monitoring companies. AXIS Guardian is a two-in-one security offering – a fully integrated alarm and surveillance service. The added security it brings is something your customers will certainly value.

They will know that AXIS Guardian protects their premises and facilities at all hours – not just when your guard personnel happen to come by. They can even access the AXIS Guardian network themselves at any time and see directly what, if anything, is happening on site. More peace of mind. A rather good thing to know, wouldn’t you agree?

Learn more at axis.com/guardian

4

2. Specifically about GDPR compliance aspectsIn AXIS Guardian, GDPR responsibility is allocated as follows:

AXIS Guardian provider’s customer: Data controller for personal data contained in (1) employee infor-mation submitted in AXIS Guardian when setting up user accounts; and (2) video material that is cap-tured by the customer’s camera surveillance system and processed in AXIS Guardian.

AXIS Guardian provider: Data controller for personal data contained in employee information submit-ted in AXIS Guardian when setting up user accounts. Data processor on behalf of its customers for personal data contained in (1) employee information submitted by AXIS Guardian provider’s customers in AXIS Guardian when setting up AXIS Guardian provider’s customer user accounts; and (2) video mate-rial processed in AXIS Guardian by AXIS Guardian provider’s customers. (To the extent the AXIS Guard-ian provider uses personal data processed in AXIS Guardian by its customers for any other purpose than to provide AXIS Guardian, the AXIS Guardian provider may be deemed data controller of such personal data.)

Axis: Data processor on behalf of AXIS Guardian provider for personal data contained in employee in-formation submitted by AXIS Guardian provider in AXIS Guardian when setting up AXIS Guardian pro-vider user accounts; and personal data sub-processor on behalf of AXIS Guardian provider for personal data contained in video material processed in AXIS Guardian by AXIS Guardian provider’s customers.

AWS: Data sub-processor on behalf of Axis for personal data processed in AXIS Guardian by AXIS Guardian provider and a AXIS Guardian provider’s customers (employee information submitted in AXIS Guardian when setting up user accounts; and video material that is captured by the customer’s camera surveillance system and processed in AXIS Guardian).

5

Axis executes data processor agreements (DPA’s) with all AXIS Guardian providers reflecting Axis’ and the AXIS Guardian provider’s roles according to the above table. The AXIS Guardian provider has to execute separate DPA’s with its customers.

In addition, Axis has executed a DPA with AWS for the data processing activities that AWS performs on behalf of Axis, as Axis’ sub-data processor, in relation to AXIS Guardian (as described above).

As data controllers according to the above section, the AXIS Guardian provider and the AXIS Guardian provider’s customers are solely, and individually as respectively applicable to them, responsible for com-plying with the provisions of the GDPR relating to, among other things, existence of a legal ground for the data processing activities carried out when using AXIS Guardian; the requirement to provide infor-mation to data subjects about said personal data processing activities; the rights of data subjects to make various requests concerning their personal data processed in AXIS Guardian; personal data reten-tion periods.

Examples of how the AXIS Guardian system facilitates the AXIS Guardian provider’s GDPR compliance as data controller:

> AXIS Guardian provides a way for AXIS Guardian providers to communicate policy documents and other information notices through AXIS Guardian web and mobile applications to users of said ap-plications.

> AXIS Guardian user accounts, including any related personal data, can be deleted individually by the AXIS Guardian provider, and when this happens, all data for that account is purged. Some personal data may remain in system logs for some time; however, such log records are rotated out at various rates, and gone after 30 days.

> Personal data (and other data) associated with AXIS Guardian user accounts such as email addresses, language preferences etc., are retained only for so long as the AXIS Guardian provider allows.

As data processors, Axis’ and the AXIS Guardian providers’ main obligations are to process the personal data submitted to/processed in AXIS Guardian by the AXIS Guardian provider’s customer’s in accordance with the AXIS Guardian provider’s customer’s instructions and to implement and maintain adequate security measures to protect this personal data.

The security measures described in the security section above are, among other things, designed to fulfil the data protection requirements relating to physical data safety as imposed by the GDPR on Axis as data processor when providing AXIS Guardian.

In addition, these security measures are designed to facilitate fulfilment of the data protection require-ments relating to physical data safety as imposed by the GDPR on AXIS Guardian providers and AXIS Guardian providers’ customers when they use the service to process data.

Legal disclaimerThis document and its content is provided courtesy of Axis and all rights to the document are protected by law and all rights, title and/or interest in and to the document shall remain vested in Axis Communications AB. Please be advised that this docu-ment is provided “as is” without warranty of any kind for information purposes only. This document is not intended to, and shall not, create any legal obligation for Axis Communications AB and/or any of its affiliates. Axis Communications AB’s and/or any of its affiliates’ obligations in relation to any Axis products or services are subject exclusively to terms and conditions of agree-ment between Axis and the entity that purchased such products or services directly from Axis. FOR THE AVOIDANCE OF DOUBT, THE ENTIRE RISK AS TO THE USE, RESULTS AND PERFORMANCE OF THIS DOCUMENT IS ASSUMED BY THE USER OF THE DOCU-MENT AND AXIS DISCLAIMS AND EXCLUDES, TO THE MAXIMUM EXTENT PERMITTED BY LAW, ALL WARRANTIES, WHETHER STATUTORY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FIT-NESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT AND PRODUCT LIABILITY, OR ANY WARRANTY ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE WITH RESPECT TO THIS DOCUMENT.

Axis offers intelligent security solutions that enable a smarter, safer world. As the market leader in network video, Axis is driving the industry by continually launching innovative network products based on an open platform - delivering high value to customers through a global partner network. Axis has long-term relationships with partners and provides them with knowledge and ground-breaking network products in existing and new markets.

Axis has more than 2,700 dedicated employees in more than 50 countries around the world, supported by a global network of over 90,000 partners. Founded in 1984, Axis is a Sweden-based company listed on NASDAQ Stockholm under the ticker AXIS.

For more information about Axis, please visit our website www.axis.com.

©2018 Axis Communications AB. AXIS COMMUNICATIONS, AXIS, ETRAX, ARTPEC and VAPIX are registered trademarks or trademark applications of Axis AB in various jurisdictions. All other company names and products are trademarks or registered trademarks of their respective companies. We reserve the right to introduce modifications without notice.

About Axis Communications

7211

8/EN

/R1/

1806