Verkada FAQ
1. Who manufactured the hardware devices used in the school?
Verkada hardware is made in Taiwan to the specifications by their highly trustworthy manufacturer partners, who themselves have in place strong compliance guidelines on privacy and cybersecurity. They control 100% of the software (firmware) that is loaded on to the device and have incorporated 256-bit SHA2 HMAC cryptographic integrity checking to ensure that only authentic and authorized software is uploaded to the camera system
Verkada software and firmware engineering teams are based in the San Mateo, California. The teams have full control over the software development lifecycle, and no component or service is written or introduced without thoroughly vetting it for performance, reliability and security.
2. Is the hardware connected to the internet in any way?
Yes
3. Who has access to the data?
The security sub-group in the admin team.
No third parties have access to the data without the knowledge and consent of the said security sub-group. Authorized Verkada staff are permitted to view system information only for the purpose of troubleshooting and software development.
4. Is the data stored, and if so where? Does it stay on a local server?
Hybrid - data is stored on the units and gets uploaded nightly.
All traffic that is transmitted over Verkada's network uses both AES 128 and TLS v1.2. Thus, even if a malicious actor manages to compromise an intermediary network node, eavesdropping will yield them no interpretable information. Similarly, the cameras accept no inbound traffic and exclusively transmit data over HTTPS, thereby removing any access point for hackers to inject or embed custom code.
Once the data reaches the cloud, it enjoys industry-leading data security practices like automatic backup and unilateral AES 256 encryption. Everything is hosted on Amazon’s AWS servers, which feature some of the best data security and reliability on the planet.
Cloud data is retained only after 30 days unless archived. Archived items are all done by the security sub-group in the admin team, which are all safety and security related.
5. Is PII stored or shared?
Stored on the cloud, US servers only.
Verkada runs on secure AWS infrastructure.
6. Is data encrypted? Do only people on location have access to it, and do they need a special encryption key to access it?
Yes
Verkada command gives us tools like Audit Logs and individual user permissions. These empower our IT Director to revoke access to specific users at will and identify what they saw or changed.
7. How does data transit from the cameras? Does it stay on a local server or transit via the internet?
Hybrid, with encryption.
Per response to question 4.
8. Who is RCS's internet service provider and do they have access to our data?
Connexion as primary
Xfinity as backup
Running via SD-WAN powered by Bigleaf
No data access, all transfers are encrypted.
Bigleaf Networks is a cloud-based internet redundancy service that prioritizes network security.
Bigleaf's router installs outside of the firewall and doesn't require changes to any firewall features.
Bigleaf also has a privacy policy that requires any vendors or agents to comply with their data privacy and security requirements.
Bigleaf also has an acceptable use policy to help protect the privacy and security of their customers.
We have an active firewall powered by SonicWall.
9. How often will (or do) you perform log reviews of the data and who performs these log reviews? Is this task outsourced to a 3rd party?
No outsourcing is involved.
3rd party involvement is only for troubleshooting.
Comprehensive audit logs help reveal who has accessed our system, and any changes they have made; there is an active notification system, thus can immediately identify any changes.
Other key items:
1. Verkada complies with SOC2, HIPAA, PCI, GDRP, UL, NDAA, and FERPA
2. Verkada conforms to NDAA 889 and is an approved supplier
Ridgeview Classical Schools Video Sharing Policy
I. Purpose
This policy outlines the guidelines and procedures for the use, management, and sharing of video recordings captured by the Verkada AI-powered security camera system installed at Ridgeview Classical Schools. This policy aims to:
Ensure Responsible Use: Provide clear guidelines for when and how video footage may be shared, emphasizing the importance of protecting student and staff privacy.
Maintain Transparency: Inform the school community about the circumstances under which video footage may be shared with individuals or entities outside of the school.
Comply with Legal Obligations: Uphold all applicable federal and state privacy laws (including FERPA) and ensure the responsible handling of sensitive information.
II. Sharing of Video Footage
Video footage captured by the Verkada system may be shared under the following limited circumstances:
Law Enforcement: Footage may be shared with law enforcement agencies upon official request, in compliance with applicable laws and regulations, for the purpose of investigations or ensuring public safety.
Court Orders: Footage may be released in response to a valid court order or subpoena.
Authorized School Personnel: Designated school administrators and security personnel have authorized access to the system for security monitoring and investigations related to school safety and policy violations.
Parent/Guardian Requests: Parents/guardians may request access to footage that directly involves their child, subject to the following:
The request must be made in writing to the school administration.
The request must specify the date, time, and location of the incident in question.
The school administration will review the request and release the footage only if it is determined to be relevant to the request, does not violate the privacy rights of other individuals, and serves a legitimate educational or safety purpose.
Emergency Situations: Footage may be shared with relevant authorities or individuals in emergency situations where it is necessary to protect the health and safety of students, staff, or the school community.
III. Prohibited Sharing
Social Media: Video footage will not be shared on social media platforms under any circumstances.
Public Distribution: Footage will not be shared publicly or with unauthorized individuals outside of the circumstances outlined in Section II.
Disciplinary Action: Sharing footage in violation of this policy may result in disciplinary action for staff members, up to and including termination.
IV. Privacy Safeguards
Confidentiality: All individuals accessing video footage are obligated to maintain the confidentiality of the information and adhere to this policy.
Limited Access: Access to the Verkada system is restricted to authorized personnel through secure login credentials.
Data Security: The Verkada system employs industry-standard security measures to protect video footage from unauthorized access and disclosure.