
Security Policy

Last updated on 09 Aug 2024

Security and Privacy at RadiusAI

As a trusted partner to the retail industry, RadiusAI has made security and privacy core elements of our products and technology.

Private By Design

Privacy is a key design principle in RadiusAI’s products. When our AI systems analyze video and PoS data to generate actionable insights, as a foundational policy, they do not identify individuals in the video stream or re-identify them on return visits. To RadiusAI, a person in your retail location is just a shape: defined enough for our software to analyze their behavior, but completely anonymous, and forgotten within a few minutes of their departure from your store. We do not use external data sets to augment the camera data, and we do not attempt to recognize people.

You Can’t Disclose What You Don’t Know

Because RadiusAI’s software does not extract any identifiable information from the video stream, even if data were exfiltrated from RadiusAI’s systems, no individuals could be identified from it.

RadiusAI’s core AI systems are deployed on our customers’ premises. Video stream data remains inside the store and never leaves the store network, except in rare cases when a snippet of video needs human review for troubleshooting. The anonymous shape data derived from your store’s video stream is processed in the store and discarded within 15 minutes of a shopper leaving your premises. Only anonymous analytical data is exported to RadiusAI’s secure cloud, for use by our customers’ staff in our next-generation applications.

Governance

RadiusAI has built a comprehensive security program to ensure the systems we deploy on premises and in the cloud are secure from both external and internal threats such as unauthorized access, tampering, and unintended disclosures of data flowing through RadiusAI’s systems. Our security and policy compliance are regularly tested by third parties.

Our policies are based on the following foundational principles:

Policies are reviewed and reapproved no less than once per year.

Compliance

RadiusAI’s SOC 2 Type I attestation is available upon request.

Deep Dive

Networks

RadiusAI does not allow unencrypted network connections. Whenever possible, networked resources are not directly exposed to the public internet; access to them instead goes through a bastion host over an authenticated, encrypted session.

In addition, RadiusAI deploys site-to-site VPNs and uses a range of network security controls, including secure tunneling, a WAF, IDS, and DDoS protection from Cloudflare. Firewalls are set to deny all traffic by default, with only required flows explicitly allowed. For deployments on customers’ premises, RadiusAI works closely with the customers’ IT and security teams to ensure networks are configured securely.

Patch and Vulnerability Management

RadiusAI’s security team reviews published CVEs (Common Vulnerabilities and Exposures) weekly and schedules any necessary patches according to our Vulnerability Management Policy, which defines SLOs and SLAs for patch deployment based on severity and on the mitigating controls already in place.

Data Encryption

All datastores are encrypted at rest. Full-disk encryption on endpoints is enforced through MDM.

Secret Management

Secrets are managed via Azure Key Vault, 1Password, and the native encrypted secret management of platforms that offer it (e.g. Azure App Service, Azure Kubernetes, GitHub, etc.).

Product Security

Penetration Testing

RadiusAI performs penetration tests annually, using reputable vendors. Testers are given full access to source code and endpoints (a white-box engagement) in order to maximize effectiveness and coverage.

Vulnerability Scanning

RadiusAI performs automated vulnerability scans of its public-facing services weekly. Source code for production software is scanned using SAST tools. Dependencies used in source code are scanned using GitHub’s Dependabot. Container images are scanned using Docker Scout.

Web Application Security

Cloudflare’s intelligent WAF is deployed to block threats and attacks against our web-accessible resources and applications.

Enterprise Security

Endpoint Protection

All corporate devices are centrally managed and are equipped with mobile device management (MDM) software and anti-malware protection. We use MDM to enforce secure configuration of endpoints, including host firewalls, disk encryption, screen lock settings, and software updates.

Vendor Security

RadiusAI uses a risk-based approach to vendor security. Factors which influence the inherent risk rating of a vendor include:

Once the inherent risk rating has been determined, the security of the vendor is evaluated in order to determine a residual risk rating and an approval decision for the vendor. Vendor reviews are refreshed annually.

Workforce Security

RadiusAI provides comprehensive security training to all employees upon onboarding and annually thereafter. Unannounced automated phishing tests are conducted periodically. Success and completion are tracked, and failed tests must be retaken.

Whenever supported, workforce access to RadiusAI resources is managed through a single sign-on solution, currently Microsoft Entra ID (formerly Azure Active Directory). Two-factor authentication is required on all services that support it.

RadiusAI employees are granted access to applications based on their role and are automatically deprovisioned upon termination of their employment. Any further access must be approved according to the policies set for each application. In addition, RadiusAI’s IT and security teams perform monthly permission and access sweeps to ensure employees’ permissions are configured appropriately for their role and that no unauthorized access has occurred. Any deviations are corrected during the sweep.