Security
Introduction
BauWatch takes information security very seriously. As a key player in the surveillance security business, we embed information security in our primary processes and products. We take the steps needed to protect business, customer and personal data from data breaches, unauthorized access and other disruptive information security threats, and we see information security as a service differentiator towards our competitors.
At BauWatch we have embraced the attitude “Improve Everyday”. We believe that people should never stop improving: through learning and development, our users and colleagues aim to perform their jobs as well as they can. The same applies to our products, services and processes. To protect your data we adopted the ISO 27001 framework, and with this continuous improvement attitude we protect your data as well as we possibly can.
We have dedicated operational processes to manage information security, dedicated security staff and an internal reporting mechanism that supports proper decision making in case of incidents. Our Information Security Management System (ISMS) is based on risk management.
Security Governance
We are committed to complying with all relevant laws and regulations, such as the NIS2 Directive and the General Data Protection Regulation (GDPR), and with standards such as ISO 27001 and EN 50518. A key mechanism is our governance structure, with a direct reporting line to our executives, who are committed to security. We have also established a security steering committee, headed by our CISO, to align the businesses in the countries we operate in. The committee monitors security processes, discusses security incidents where applicable and makes sure the security program is implemented and executed both at group level and in the countries.
Security by Design
Protection of your data starts at the beginning. For that reason our products and services are developed according to the Security by Design principle. For our software we have defined a secure development process and a secure coding checklist; the same applies to our engineering and project management processes. Security is part of every phase of our development processes.
When we use components from suppliers, we make sure they meet our security guidelines.
Protection of your data
We make substantial efforts to protect the confidentiality of personal data, preferences and other information. For this we adopted the “least privilege” and “need to know” principles, and we invest substantially in our server, database, backup and firewall technologies. For more information on data privacy, please see our Privacy Statement.
We are dedicated to transparency
At BauWatch we don’t pretend to be able to prevent all security incidents. Incidents can and occasionally will occur. When they do, we are committed to being transparent about them; we believe this is the best way to maintain the trust of our customers. We obviously work hard to make incidents as rare as they can be.
To reduce the impact of incidents we have implemented disaster recovery plans and established an incident response team that rehearses crisis scenarios yearly. This is guided by risk management, which we perform on a continuous basis.
Approved by independent experts
Several times a year we review our information security controls and processes ourselves, and once a year we ask an external auditor to do the same. This is the basis for our ISO 27001:2022 certificate. These audits, internal and external, have helped us establish a continuous improvement cycle for information security.
Additional Information
BauWatch welcomes questions or comments about its security and this Security Statement. If you have any questions or comments about this Security Statement, or need to receive our compliance report for audit purposes, please send an email to security@bauwatch.com with all relevant details.
Implemented controls
Below you’ll find more detailed information on our implemented information security controls:
Product Security
Audit logs
Multi-Factor Authentication (MFA) and Single Sign-On (SSO)
Role-based Access Control (RBAC): In our processes and products we follow the “least privilege” and “need to know” principles, so people can only see and do what belongs to their role, or to the several roles assigned to them.
Penetration tests: We test our products regularly via penetration tests and act on the findings where applicable.
Information Security
Information Security Officer
Data Encrypted At-Rest: BauWatch uses several technologies to ensure stored data is encrypted at rest with AES-256.
Data Encrypted In-Transit: BauWatch encrypts sensitive data in transit with TLS 1.2 or TLS 1.3.
Passwords: BauWatch uses password protection, encryption and other security measures to help prevent unauthorized access to confidential data. Passwords follow NIST requirements.
Access Reviews and Monitoring: Access to BauWatch’s systems is strictly controlled, and permissions for internal systems and applications are reviewed and approved periodically to ensure that the principle of least privilege is maintained. BauWatch has access policies and procedures in place that are reviewed and approved annually.
Data Backups: BauWatch’s systems are backed up regularly using established schedules and frequencies. Backups are monitored and alerts are generated in the event of an exception; failures are documented, triaged and resolved. All backups are encrypted.
Asset Inventory: A systems inventory is maintained that includes physical devices and systems, virtual devices and software.
Data Classification: BauWatch has a formally documented data classification policy that identifies the information required to support the functioning of internal controls and the achievement of objectives, together with the associated protection, access rights and retention requirements.
Organizational Security
Employee Background Checks: BauWatch employees undergo a background check before a formal employment offer is made. The background check may differ per country and role due to laws and regulations. Upon hire, all employees must read and acknowledge BauWatch’s:
Employee Security Training: BauWatch requires all employees to complete security behaviour/awareness training as part of new employee onboarding and annually thereafter.
Asset Management: BauWatch has tools in place that provide visibility into key assets within our infrastructure.
Change Management: BauWatch maintains a change management process within its cybersecurity framework, systematically evaluating and controlling modifications to its IT environment so that updates, configurations and alterations are implemented securely, minimizing risk and maintaining a strong security posture.
Incident Management: BauWatch maintains a formal Incident Management process that outlines the response procedures for (security) events. Every employee is informed how to report (security) incidents.
Privacy
Data privacy officer: For questions on data privacy you can read our Privacy Statement or email us at privacy@bauwatch.com.
Processor’s Agreement: BauWatch has established a comprehensive Processor’s Agreement that outlines the terms and conditions governing the processing of personal data in video surveillance.
GDPR: BauWatch is GDPR compliant and complies with the applicable data breach notification rules.
Cameras: BauWatch towers and their cameras only monitor the areas requested by our customers, in compliance with the rules for video surveillance. Areas that should not be monitored are not visible in our monitoring centers. We also do not continuously watch the screens: our operators are triggered by events in specific detection areas agreed with our customers, and only in case of a real event do we activate and watch the live cameras.
Alarm Receiving Centers (ARC)
Alarm Monitoring: BauWatch monitors your alarms in Alarm Receiving Centers. In Germany and the Netherlands we have our own alarm receiving centers.
EN 50518: BauWatch’s own ARCs are EN 50518 certified. In other countries we are hosted in certified ARCs.
Availability: In line with EN 50518, we guarantee 99.9% yearly availability of our alarm handling process.
Physical security: Our monitoring centers are highly protected, separate environments with the highest level of physical protection. Only people who need access can enter these areas.
Business Continuity & Disaster Recovery
Business Continuity Plan and Disaster Recovery Plan: BauWatch has a documented business continuity plan and disaster recovery plan, controlled and enforced by a disaster recovery team. Both are tested annually.
Recovery Time Objective (RTO) / Recovery Point Objective (RPO): Our business continuity and disaster recovery plans are based on RTO and RPO KPIs set to guarantee 99.9% availability of our monitoring process.
Threat Management
Vulnerability Management: BauWatch maintains a robust vulnerability management process, systematically identifying, assessing and mitigating security vulnerabilities within its IT and OT infrastructure to ensure a resilient and secure operational environment.
Vulnerability Disclosure Policy: If you are a BauWatch customer or potential customer and believe you have found a security vulnerability in BauWatch products or services, please contact security@bauwatch.com.
Penetration Testing: BauWatch undergoes an annual vulnerability scan and penetration test conducted by a third-party vendor.
Risk Management: BauWatch has implemented a comprehensive risk management process, systematically identifying, analyzing and mitigating cybersecurity risks to ensure the confidentiality, integrity and availability of its information systems and assets. An annual risk assessment evaluates these risks, so that BauWatch’s information systems and assets are comprehensively analyzed for vulnerabilities and appropriate mitigation strategies are implemented.
Antivirus and Malware: BauWatch has a comprehensive antivirus and malware policy in place for both employee workstations and servers. BauWatch uses reputable endpoint protection solutions as part of a defense-in-depth strategy and keeps systems regularly updated to defend against the latest threats.
Third-Party Service Providers / Sub-processors
Third-Party Service Providers / Sub-processors: BauWatch may engage and use (i) certain third-party data processors and/or (ii) BauWatch affiliates (collectively, “Sub-Processors”) to provide services to our customers. These Sub-Processors may access personal data provided directly by our customers in order to perform the contracted services and support.
Third Party Risk Management (TPRM): BauWatch has implemented a robust Third-Party Risk Management (TPRM) framework to systematically identify, assess and mitigate risks associated with its external partnerships, ensuring the security and integrity of its operations.