Evercam Technical and Organizational Measures (TOMs)
This document outlines the technical and organizational measures (TOMs) implemented by Evercam to comply with data protection law (GDPR) and information security standards (ISO 27001, SOC 2). Evercam is committed to maintaining the confidentiality, integrity, and availability of all data it processes.
Organizational Security Measures
Endpoint security
To ensure that Evercam employees' work devices meet security standards, regular endpoint security checks are conducted to confirm the following:
Encryption is enabled
Firewalls are activated
Anti-virus and anti-malware software are installed and up to date
Non-Disclosure Agreements (NDAs)
All employees and consultants must sign non-disclosure agreements before gaining access to sensitive systems or data. This measure ensures confidentiality and restricts data sharing without proper authorisation.
Annual Security Training
All employees are required to complete an annual security training course to ensure awareness of, and compliance with, Evercam's security policies and best practices.
Formal Internal Audit Process
Evercam has established an internal audit process to review enforcement of access management, information security policies, and the overall Information Security Management System (ISMS). The audit covers areas such as access control, information systems security, and incident response. This process is conducted annually to ensure compliance.
Data Encryption and Network Security
Encryption of Data in Transit
For data in transit Evercam relies on VPN tunnels (encrypted virtual private networks) and HTTPS with TLS 1.2 (which authenticates the endpoint and encrypts data transferred over the network). Evercam cameras are not connected to the client's network; they use cellular SIM connectivity instead, and specialized hardware is required to reach the access points of that network.
Evercam Network Architecture with Encryption

Data at Rest
Evercam stores customer camera footage in a segregated storage system. Each customer's data is kept in a separate directory, and footage is stored as hashed binary large objects (BLOBs) that are not identifiable unless the reading configuration matches Evercam's specific settings.
Data at rest is stored locally on site and at ISO 27001 and SOC 2 certified cloud service providers, which provide AES-256 encryption with keys held in a Key Management Service (KMS). Databases are hosted by these providers and use block-level storage encryption.
All sensitive information, credentials, and tokens are stored in a secure vault. Passwords are protected with one-way hashing (bcrypt or PBKDF2) rather than reversible encryption, and other secrets are encrypted with AES.
Our organisation implements full-disk encryption (FDE) on laptops and devices used by employees who access sensitive information, using industry-standard tools such as BitLocker (Windows), FileVault (Mac), or LUKS (Linux) to ensure complete encryption of data at rest. Least-privilege access to Evercam systems is described under Access Control below.
Data Deletion and Retention
Evercam stores all project data for 90 days following the project's completion; after this period, storage can be extended at the Client's expense, with several storage options available. Data is securely erased from the systems upon request from the Data Controller, in line with legal and regulatory obligations, and such deletion requests are acted on immediately.
Physical Security Measures
Data Center Physical Security
Evercam does not operate its own physical servers but relies on ISO 27001 and SOC 2 certified data centers. The physical security measures at these facilities include:
Video-monitored, high-security perimeters
Access control with transponder keys or admission cards
24/7 monitoring by modern surveillance systems
Intrusion detection systems
Uninterruptible Power Supply (UPS) with backup capacity
Fire detection and suppression systems
Leakage detection mechanisms
Access Control
Principle of Least Privilege
Access to Evercam systems follows the principle of least privilege. Employees are granted only the minimum level of access required to perform their duties. Privileged access undergoes a formal approval process to ensure it is necessary and justified.
Multi-Factor Authentication (MFA)
MFA is enforced on all internal Evercam systems. On the Evercam platform, mobile and web users can log in with SSO, and MFA can be enabled upon request. For more on authentication, see the Evercam User Manual.
Access Review
Employee access to systems is reviewed and audited periodically. If an employee leaves the company, access is automatically revoked to prevent unauthorized access.
Information Security Management System (ISMS)
Evercam has implemented an Information Security Management System (ISMS) in compliance with ISO 27001 and SOC 2 standards. The ISMS is overseen by a dedicated ISMS team, responsible for developing, enforcing, and maintaining all data security policies. This system ensures that information security risks are systematically identified, managed, and mitigated.
Password Management
Passwords and encryption keys are securely stored in Zoho Vault, accessible only to authorized individuals. Employees are required to follow strict password management policies, including the use of strong, unique passwords for each system. Administrators configure the user account policy to require the following:
Passwords with a minimum of 8 characters
Passwords with a mix of numbers, uppercase, lowercase, and special symbols (e.g. *%!&); passwords consisting of dictionary words are rejected
Forced password expiry after 90 days unless 2FA is required
A minimum password reset time of 1 day to prevent users from resetting their password too frequently
A password history of at least 10 passwords to prevent frequent re-use of passwords
Account lockout of 30 minutes after 5 failed logon attempts. The account automatically unlocks after the 30-minute period, or IT can manually unlock the account upon request.
Password reset on first logon or following manual password reset
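The account policy above, expressed as an enforcement routine. This is an added illustration, not Evercam's own code or Zoho Vault's: the word list, the account records, the salt and the PBKDF2 iteration count are constructed assumptions, and the history check stores only one-way hashes of previous passwords (PBKDF2 is one of the algorithms the page names), compared in constant time.

```python
import hashlib
import hmac
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy constants from the list above.
MIN_LENGTH = 8
EXPIRY = timedelta(days=90)
MIN_RESET_INTERVAL = timedelta(days=1)
HISTORY_DEPTH = 10
SPECIALS = set(string.punctuation)          # covers *%!& and the rest
# Constructed stand-in for a real word list; a deployment loads a full one.
DICTIONARY = {"password", "welcome", "evercam", "summer", "letmein"}
PBKDF2_ITERATIONS = 100_000                 # assumption; tune per deployment


@dataclass
class AccountState:
    """Per-account bookkeeping needed to enforce the policy."""
    username: str
    last_changed: datetime
    salt: bytes                                   # per-user random salt
    history: list = field(default_factory=list)   # hashes of previous passwords
    two_factor_enforced: bool = False


def history_hash(password: str, salt: bytes) -> bytes:
    """One-way hash kept for reuse checks; plaintext history is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def complexity_errors(password: str) -> list:
    """Return every complexity rule the candidate violates (empty list = ok)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isdigit() for c in password):
        errors.append("no digit")
    if not any(c.isupper() for c in password):
        errors.append("no uppercase letter")
    if not any(c.islower() for c in password):
        errors.append("no lowercase letter")
    if not any(c in SPECIALS for c in password):
        errors.append("no special symbol")
    # Check the letters only, so "Password1!" is still caught as a dictionary word.
    letters = "".join(c for c in password.lower() if c.isalpha())
    if any(word in letters for word in DICTIONARY):
        errors.append("contains a dictionary word")
    return errors


def validate_change(state: AccountState, candidate: str, now: datetime) -> list:
    """Apply complexity, minimum-reset-interval and history rules to a change."""
    errors = complexity_errors(candidate)
    if now - state.last_changed < MIN_RESET_INTERVAL:
        errors.append("changed less than 1 day ago")
    digest = history_hash(candidate, state.salt)
    # Constant-time comparison against each stored hash.
    if any(hmac.compare_digest(digest, old) for old in state.history):
        errors.append("reuses one of the last %d passwords" % HISTORY_DEPTH)
    return errors


def commit_change(state: AccountState, candidate: str, now: datetime) -> None:
    """Record an accepted change, retaining only the last HISTORY_DEPTH hashes."""
    state.history.append(history_hash(candidate, state.salt))
    del state.history[:-HISTORY_DEPTH]
    state.last_changed = now


def is_expired(state: AccountState, now: datetime) -> bool:
    """The 90-day expiry applies unless 2FA is enforced for the account."""
    if state.two_factor_enforced:
        return False
    return now - state.last_changed > EXPIRY


if __name__ == "__main__":
    now = datetime(2024, 1, 15, 12, 0)
    alice = AccountState("alice", now - timedelta(days=30), b"constructed-salt")
    print(validate_change(alice, "Password1!", now))                       # dictionary word
    commit_change(alice, "Tr0ub4dor&3", now)
    print(validate_change(alice, "Tr0ub4dor&3", now + timedelta(days=2)))  # reuse
```

The lockout rule (5 failed attempts, 30-minute lock) is a separate concern that belongs with the authentication service's attempt counter rather than with password-change validation, so it is not part of this routine.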
Data Collection and Handling
Data Collected
Evercam collects various types of data to provide its services, including but not limited to:
Camera Footage: Video streams captured by cameras deployed on construction sites. Footage is stored in segregated directories specific to each customer.
Metadata: Information about camera usage, including timestamps, IP addresses, and device configuration details.
User Information: Evercam collects and stores customer’s name, surname, and official email address, which are used to create and manage login credentials for access to the platform. Additionally, usage activity and communication logs (such as system notifications or support requests) are securely stored within the Evercam platform.
Company Information: Evercam collects company name, billing address, company financial data, official email address, and phone number. This data ensures accurate invoicing and payment processing.
System Logs: Logs generated from cameras, servers, and network devices used in Evercam’s infrastructure. These logs track performance, errors, and access to systems.
Data Handling and Access Management
Access to the collected data is strictly controlled and limited to authorized personnel only:
Camera Feed Access: The camera owner has direct access to their own camera feed via the Evercam dashboard or mobile app, and can extend that access to other users by written request to support@evercam.io. Within Evercam, only authorized personnel can access this data, typically for technical support or troubleshooting purposes, within the scope of the contract.
Metadata and System Logs: Access to metadata and system logs is restricted to designated Evercam personnel, including system administrators, security officers, and the ISMS team, who use it to ensure system integrity and perform audits or investigations. These logs are used internally for monitoring performance and security, and are subject to regular reviews.
Third Parties: Evercam does not share collected data with third parties unless required by law, or as part of a service agreement with trusted service providers. In such cases, data-sharing agreements are in place to ensure compliance with Evercam’s data security policies.
Data Access Reviews
Access permissions to sensitive data are reviewed periodically to ensure that only authorized individuals have the required level of access. If any unauthorized access is detected, an immediate investigation is launched, and access is revoked as necessary. Additionally, when employees leave the company, all access to customer data and internal systems is automatically terminated.
Incident Response
Incident Response Procedure
Evercam has a defined Incident Response Procedure in place to address security incidents. An Incident Response Team is designated to manage and document all incidents. If an incident occurs, relevant stakeholders are notified immediately, and a containment process is initiated to mitigate damage. The Incident Response Procedure is reviewed annually for effectiveness, and formal incident response exercises are conducted for various departments.
Incident Logging and Auditing
Evercam collects and maintains logs from cameras, routers, and servers using log management tools such as Grafana, Sentry and PostHog. Logs are reviewed and audited to detect anomalies or suspicious activities.
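What a review of authentication logs for anomalies can look like in practice. This is an added example, not Evercam's tooling and not a Grafana, Sentry or PostHog query; the log line format is an assumption and the sample lines are constructed. It applies two rules over the lines: an account with five failures inside 30 minutes (the same numbers as the lockout rule in the password policy), optionally followed by a success, and a single source address failing against several distinct accounts, which a per-account lockout alone would not surface.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not real Evercam output); the line
# format below is an assumption for this example. One line is deliberately
# malformed to show that unparseable input is skipped rather than crashing.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z auth user=alice result=fail src=203.0.113.7
2024-03-01T09:00:09Z auth user=alice result=fail src=203.0.113.7
2024-03-01T09:00:15Z auth user=alice result=fail src=203.0.113.7
2024-03-01T09:00:22Z auth user=alice result=fail src=203.0.113.7
2024-03-01T09:00:30Z auth user=alice result=fail src=203.0.113.7
2024-03-01T09:00:41Z auth user=alice result=success src=203.0.113.7
2024-03-01T09:05:00Z auth user=bob result=fail src=198.51.100.4
this line is not an auth record
2024-03-01T09:10:00Z auth user=carol result=fail src=192.0.2.9
2024-03-01T09:11:00Z auth user=dave result=fail src=192.0.2.9
2024-03-01T09:12:00Z auth user=erin result=fail src=192.0.2.9
2024-03-01T10:05:00Z auth user=bob result=fail src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) result=(?P<result>fail|success) src=(?P<src>\S+)$"
)
WINDOW = timedelta(minutes=30)   # same window as the 30-minute lockout
THRESHOLD = 5                    # same count as the 5-attempt lockout
SPRAY_MIN_USERS = 3              # assumption: distinct accounts per source


def parse(lines):
    """Yield (timestamp, user, result, src) tuples, skipping malformed lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["user"], m["result"], m["src"]


def find_bursts(events):
    """Flag THRESHOLD failures per account inside WINDOW, and a success right after."""
    findings = []
    recent = defaultdict(deque)   # user -> timestamps of recent failures
    in_burst = set()
    for ts, user, result, src in sorted(events):
        q = recent[user]
        if result == "fail":
            q.append(ts)
            while ts - q[0] > WINDOW:   # drop failures older than the window
                q.popleft()
            if len(q) >= THRESHOLD and user not in in_burst:
                in_burst.add(user)
                findings.append(("burst", user, src, ts))
        else:
            if user in in_burst:        # a login that got through after a burst
                findings.append(("success-after-burst", user, src, ts))
            q.clear()
            in_burst.discard(user)
    return findings


def find_spraying(events):
    """Flag sources that fail against SPRAY_MIN_USERS or more distinct accounts."""
    users_by_src = defaultdict(set)
    for _, user, result, src in events:
        if result == "fail":
            users_by_src[src].add(user)
    return [(src, sorted(users)) for src, users in sorted(users_by_src.items())
            if len(users) >= SPRAY_MIN_USERS]


if __name__ == "__main__":
    events = list(parse(SAMPLE_LOG.splitlines()))
    for finding in find_bursts(events):
        print("burst rule:", finding)
    for finding in find_spraying(events):
        print("spray rule:", finding)
```

On the sample, alice trips the burst rule at the fifth failure and again when the following login succeeds, bob's two failures an hour apart never reach the threshold, and 192.0.2.9 is reported for failing against three accounts. The "success-after-burst" finding is the one worth routing to the Incident Response Team first, since it indicates a credential that may have been guessed.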
Data Backup and Recovery
Data Backups
Evercam regularly backs up customer data. This ensures data availability and integrity in case of a system failure or data loss.
Business Continuity and Disaster Recovery
Evercam has implemented business continuity and disaster recovery plans that include testing scenarios to prepare for potential threats.
Vulnerability Management
Periodic Vulnerability Scans and Penetration Testing
Evercam conducts regular vulnerability scans and penetration testing to identify and address potential security weaknesses. The results of these assessments are actioned and tracked for remediation.
Suspicious Activity Monitoring
If the cloud service providers detect suspicious activity on a server, the server is suspended, and Evercam’s designated personnel are notified. These individuals investigate and mitigate the threat before services are resumed.
Audit and Compliance
ISO 27001 and SOC 2 Certification
Evercam is ISO 27001 & SOC 2 certified, ensuring that the company maintains high standards of information security management.
GDPR Compliance
Evercam complies with GDPR by ensuring customer data protection, providing data access controls, and facilitating data deletion upon request.
Third-Party Assessments
Evercam regularly reviews the audit reports and certifications of its cloud service providers to confirm that they remain compliant with globally recognized security frameworks such as ISO 27001 and SOC 2, and so continue to meet high standards for data integrity, availability, and confidentiality.
Email and Communication Security
Email Security
Evercam secures its email communication with TLS encryption. In addition, spam and phishing filters are activated on all employee email accounts to reduce the risk of phishing attacks.
Log Management
Log Retention and Monitoring
Evercam collects and stores logs from all critical systems. These logs are monitored for anomalies and are part of regular audits to ensure the integrity of Evercam's IT infrastructure.