Data Security and Privacy Statement
Overview
The aim of this document is to cover all the relevant information about the Data Security and Privacy of Nola to help our customers understand what we do and don't do with their data.
KEY TAKEAWAY: ANONYMOUS BY DESIGN
- Nola does not use facial recognition or individual identification technology of any kind.
- Nola does not produce or store any information about individuals.
- Nola works by processing video footage from cameras installed on customer premises and generates anonymized numerical statistics as output.
- Nola minimises the exposure of any information:
  - For on-premises deployments, video footage never leaves the customer premises/network.
  - For cloud deployments, individual video frames are processed and immediately destroyed. Under no circumstances are they stored in the cloud.
Introduction
Nola implements policies to ensure the security and privacy of customer data and in particular, personal information about customer staff and clients (such as names, email addresses and/or visual resources, like video recordings and still images).
Nola’s primary activity is the collection and processing of real-time CCTV streams from physical venues/locations in order to deliver analytical data, reporting and alerts.
This statement provides a summary of the practices employed by Nola to protect the data of the customer.
Nola annually reviews this Data Security and Privacy Statement, as well as Nola’s internal data security controls. This consistent review helps ensure that data security risks to Nola and its customers are mitigated.
Personal Information
This document uses the definition of “personal information” according to the Privacy Act 1988.
Protecting information that could be used to identify individual identities is a primary concern.
Nola's services are designed to be privacy preserving for the customer, staff and the general public.
Analytic functionalities and backend processes are implemented in a way to minimize the scope of personal information which is stored and processed, as well as the duration the information is kept for.
The objective of Nola’s Data Security and Privacy controls is to mitigate the risk of a data breach that could result in personal information being unintentionally designed, imported, stolen, and used for unauthorized purposes.
Data Collection
The data processed by Nola on behalf of customers includes video streams, in addition to transactional information such as Point-Of-Sale data when access is provided.
Video stream data is collected, processed, and discarded as close to real-time as possible to eliminate unnecessary storage and to reduce risk of unauthorised access. Some temporary storage is required to preserve functionality during adverse network events. The location of temporary storage of video data depends on the configuration/topology selected by the customer. The Nola team can provide specific privacy and security advice for each selected configuration.
Video streams are generally accessed via RTSP (Real Time Streaming Protocol) with authentication. Since RTSP is not a secure protocol, Nola takes steps to ensure that transport of video data is secured end-to-end. This does not rely on the security of the customer network.
To calibrate and increase data accuracy for some customer-specific environments, Nola may need to record and copy a limited number of video frames for use as a training dataset. Training datasets are securely copied to the Nola development environment and used to fine-tune machine learning models. Nola will undertake this activity with informed customer consent only.
Data Processing
Nola processes customer data by running specialised services that allow for the most effective use of analytical results by the customer's organisation.
The Visual Intelligence Service uses video streams to extract information and conditions such as object detection, counting and attribution, e.g. customer counting, gender segmentation, queue length estimation, behavior analysis, area visitations, occupational health and safety compliance. The Visual Intelligence Service takes video frames as input and extracts anonymised data for further storage. Nola designs and provides advice on how to use this service in a way that avoids unnecessary and inadvertent collection of personal information.
The Online Service provides browser-based access to configuration and calibration tools, dashboards, actionable items, and analytical reports. Customers are provided with access controls that should be used to ensure information is only exposed in appropriate ways. Nola provides advice on how to configure online dashboards to comply with Data Security and Privacy principles.
The Actionable Items Service uses real-time data to detect and act when specified conditions are met. This service may generate notification alerts and distribute them to a list of recipients by email or SMS. Nola provides advice on how to best configure Actionable Items to comply with Data Security and Privacy principles.
Data Storage
All data collected by Nola on behalf of its customers is the property of the respective customers. Each customer’s data is logically separated from that of other customers. Access to customer data is restricted to Nola and to the customer only.
Client Data Location
All client data is processed and stored in Australia.
Data Center Security
Unless the customer opts for an on-premises configuration, Nola uses certified secure data centers (Equinix SY3 and Amazon Web Services Sydney) to provision its services.
Nola also follows a secure, end-to-end encrypted off-site data backup process to protect against unauthorised access to backup media and to ensure rapid recovery of client data in the case of data loss.
Data Retention and Disposal
Nola’s standard data management process includes data removal from the following sources:
- Backups of customer data are automatically removed after 30 days.
- All aggregated customer data is automatically removed after 2 years.
- Video recordings are removed within a maximum of 2 hours of being processed, unless otherwise agreed upon.
Data Breach Disclosure
Nola uses the OAIC Notifiable Data Breach (NDB) scheme to inform its approach to understanding, planning for and responding to data breaches.
If any suspected data breach against Nola customer data were to occur, Nola would immediately take steps including notifying the affected customers, providing a complete list of datasets believed to have been compromised, and working closely with relevant organizations to satisfy any other notification obligations.