GOVERN · COMPLIANCE & PRIVACY
Privacy isn’t a setting you remember to turn on. It’s the way the data model works.
In Sentinel, privacy rules are enforced by the platform: no watching without a recorded lawful basis, no face detection without a signed impact assessment, and authorization that lapses suspends itself. Subject rights, retention, and breach timelines live in the same console as the live operation.
Click to enlargeLawful basis required on every watched subject — enforced, not optional.
Lawful basis required on every watched subject.
Every watchlist entry targeting an individual requires a recorded lawful basis — enforced by the platform, not left to policy.
- One of six basis types — judicial order, consent, vital interest, legitimate interest, public task, or contract
- A document reference for the order, consent form, or authority that grants the basis
- An expiry date for when the authorization stops being valid
- A last-reviewed timestamp, so an auditor can see the basis is current, not stale
- Alerts auto-suspend the day authorization lapses — the system stops watching a subject it is no longer permitted to watch
Click to enlargeAuthorization that lapses suspends itself.
Subject access — record, verify, export or erase — in one workflow.
Sentinel handles the full subject-access lifecycle in one workflow — export assembles a portable hashed bundle, erase permanently removes the face vector, identity links, and crops, and every step is recorded against the requesting officer.
- Open a request with subject, contact, identity-verification document, and request type
- Clear lifecycle: received → verifying → processing → fulfilled or rejected, with a per-request audit trail
- Export: portable bundle sealed with a hash, delivered by a one-time signed link
- Erase: face vector deleted, event identity links nullified, face crops removed — events retained for evidentiary integrity
Click to enlargeThe whole subject-access workflow in one screen, on the clock.
Retention enforced automatically. Litigation holds always win.
Sentinel enforces retention on the schedule you set — per camera, zone, and event type — and logs every removal, while litigation holds protect whatever must be kept until explicitly released.
- "Face matches 30 days, weapon alerts a year, motion 7 days" — configurable per camera, zone, and event type
- Nightly enforcement removes aged events, crops, and clips — per-run audit entry with counts
- Litigation holds always win: held material is skipped by retention until explicitly released
- Every policy change is audit-logged
Click to enlargeRetention rules you set, enforced by the platform every night.
More controls
Eight controls that make video intelligence defensible.
DPIA required before detection
A signed impact assessment can be mandated before face or plate intelligence is enabled on a camera — status pill (Signed · Pending · Expired) tells the DPO which cameras are cleared at a glance.
Per-camera privacy notice
Sentinel generates printable signage per camera from the same record that drives the impact assessment — controller, purpose, DPO contact — with a last-printed timestamp so signage cadence is provable.
Subject-access SLA tracking
A daily scan watches every open subject-access request against the 30-day statutory window and surfaces a red overdue marker on the most urgent request so the DPO never misses a deadline.
Breach workflow with the 72-hour clock
Open a breach record and the notification clock starts from detection. A guided flow tracks status from detected to closed, with reminders at T-24h, T-12h, and T-1h — and an immediate escalation if the window is missed.
Data-protection officer of record
One DPO contact per organization — name, email, phone, address, jurisdiction — automatically surfaced on camera privacy notices, subject-access correspondence, and breach notifications.
How it works
From authorization to erasure, the controls stay on.
Authorize
Before a person is watched, an officer records the lawful basis, document reference, and expiry. Before a camera runs detection, a DPIA is signed against it. No basis, no watching; no assessment, no detection.
Inform & Retain
Each camera generates its own privacy notice for signage, and a retention policy defines how long its events, crops, and clips live. A nightly job enforces the policy and logs what it removed.
Review automatically
Crons watch the deadlines: lawful bases expiring within 30 days are flagged and lapsed ones suspend their alerts; subject-access requests are tracked to the statutory window; breach records count down to 72 hours.
Respond to the subject
When an individual exercises their rights, the DPO opens a request, verifies identity, then exports the subject's data or erases it — face vector, event links, and crops — with the whole exchange on the audit record.
Specifications
What’s in the box.
| Lawful basis types | Judicial order · consent · vital interest · legitimate interest · public task · contract |
| Lawful basis fields | Basis type, document reference, expiry date, last-reviewed timestamp |
| Lawful basis review | Nightly cron flags bases expiring within 30 days; auto-suspends alerts on lapse |
| DPIA record | Purpose, data subjects, retention window, lawful basis, signed-by, signed-at |
| DPIA enforcement | Can be required before face/plate detection is enabled on a camera; status pill: Signed · Pending · Expired |
| Privacy notice | Per-camera printable signage — controller, purpose, DPO contact; last-printed timestamp |
| Subject access request | Subject, contact, identity-verification doc, type (access / erase / both); lifecycle: received → verifying → processing → fulfilled / rejected |
| DSAR export | Portable bundle: events, watchlist entries + lawful basis, related audit records, per-camera DPIA reference; hashed, one-time signed link |
| DSAR erase | Deletes face vector, nullifies event identity links (events retained), deletes face crops; permanent; recorded against requesting officer |
| DSAR SLA | 30-day window tracked; reminders at T-5, T-1, and overdue; overdue flag in the queue |
| Retention scope | Per camera, per zone, per event type, with an org-wide default |
| Retention enforcement | Nightly job removes aged events / crops / clips; per-run audit with counts; honors litigation holds |
| Breach clock | 72-hour notification timer from detection; reminders at T-24h, T-12h, T-1h; escalation + banner if missed |
| Frameworks supported | PDPL · GDPR · RIPA · CJIS — controls map to lawful basis, accountable controller, documented retention, subject rights, and breach notification. These are frameworks we support, not endorsing authorities. |
| Deployment | Identical controls in cloud, on-premise, and air-gapped modes |
Frameworks listed (PDPL · GDPR · RIPA · CJIS) are frameworks we support — not named customers or endorsing authorities. Every control above maps to a shipped platform capability.
Elsewhere in Govern
Compliance is one of four disciplines on the same platform.
Evidence & Chain of Custody
Export any event as a sealed evidence pack — per-file and bundle hashes, full audit trail, operator signature inside. Litigation holds set here are the same holds retention respects.
Learn moreAudit & Accountability
Every compliance action — a lawful basis set, a subject erased, a retention run — lands in a tamper-evident audit chain anyone can independently recompute and verify after the fact.
Learn moreSecurity & Identity
SAML 2.0, OIDC, SCIM provisioning, WebAuthn / FIDO2, role-based access, and per-organization session policy — the front door that decides who is even allowed to perform the actions on this page.
Learn moreSee privacy enforced, not promised.
Request demo access and we’ll walk it on live data — set a lawful basis on a watched subject and watch its alerts suspend when we expire it, open a subject-access request and export the bundle, then erase the subject and confirm the face vector, the crops, and the identity links are gone.