SECURITY POLICY

Aligned with ISO/IEC 27001 & SOC 2

  1. Introduction
    DeskCamera is a software application that streams the computer screen and audio to NVR/VMS systems using ONVIF/RTSP protocols. It is designed to operate fully on-premises within the customer’s local network and does not transmit, collect, or store any user data or video content. The software is developed following strict security standards and compliance practices.


  2. Policy Objective
    To define the security framework and responsibilities to ensure the confidentiality, integrity, and availability of the DeskCamera application, in alignment with the ISO/IEC 27001 and SOC 2 Trust Services Criteria.


  3. Key Security Principles
  • Local-Only Architecture: DeskCamera operates entirely within the customer’s infrastructure and does not require a connection to the internet or external servers. An optional connection to DeskCamera cloud infrastructure may occur solely for licensing or update-checking purposes. In no case is any personal data transmitted during such a connection.
  • No Data Collection: The application does not collect or transmit any user data, video, or telemetry.
  • Secure Codebase Management (ISO 27001 A.9, A.12): Source code is maintained in a protected DevOps repository with role-based access control, logging, and regular audits.
  • Signed Builds (SOC 2 – System Integrity): All application builds are digitally signed using a certificate stored securely in encrypted form on a hardware token (e.g., HSM/YubiKey) compliant with modern encryption and physical security standards.
  • Secure Development Lifecycle (SDLC): DeskCamera follows a secure SDLC including secure design, code review, static code analysis, and penetration testing at least annually.
  • Update Integrity (SOC 2 – Change Management): All updates undergo formal change control, regression testing, and integrity verification prior to release. Changes are tracked via a version control system with audit trails.
  4. Access Control
  • Only authorized personnel can access source code or build infrastructure.
  • Access is reviewed quarterly (ISO/IEC 27001 A.9.2.5).
  • All access and administrative actions are logged and retained for audit purposes.
  5. Supplier & Third-Party Risk Management (ISO 27001 A.15)
  • All third-party libraries and dependencies are tracked and monitored.
  • Security advisories are reviewed weekly, and patches are applied regularly.
  • High-risk or unsupported components are avoided or sandboxed.
  6. Incident Response Readiness (ISO 27001 A.16, SOC 2)
  • A dedicated contact point is available for vulnerability and incident reports.
  • Security incidents follow a structured process: detection, classification, containment, remediation, root-cause analysis.
  • Lessons learned are reviewed to improve future response.
  7. Customer Responsibilities
  • Apply software updates provided via the official DeskCamera website.
  • Maintain secure system configurations and restrict network access to DeskCamera endpoints.
  8. Compliance & Review
    This policy is reviewed annually and whenever significant changes are made to the system or environment.

  9. Contact for Security Issues
    Security issues can be reported to: [email protected]