SOC 2 and safety technology: why data security matters for AI platforms
- Oct 16, 2025
When you connect a computer vision AI platform to your CCTV cameras, you're handing it access to video feeds of your workplace. Footage of your people, your operations, your facility layout. That's a significant amount of trust to place in a technology vendor.
So before you evaluate detection accuracy or dashboard features, there's a more fundamental question: how does this vendor protect your data?
It's a question that doesn't get asked often enough. In procurement conversations about AI safety platforms, the focus tends to land on what the technology can do. But equally important is what happens to the data it processes, where that data goes, who can access it, and what safeguards exist if something goes wrong.
That's where independent assurance frameworks like SOC 2 and ISO 27001, and regulatory regimes like the GDPR, come in. They're not just badges on a website. A SOC 2 report or an ISO 27001 certificate represents an independently verified commitment to how a platform handles, stores, and protects your information, and GDPR compliance is the legal obligation those controls help you meet.
What SOC 2 actually measures
SOC 2 (System and Organisation Controls 2) is an auditing framework developed by the American Institute of Certified Public Accountants (AICPA). It evaluates how well a service organisation manages customer data across five trust services criteria: security, availability, processing integrity, confidentiality, and privacy.
Security is the only mandatory criterion. It covers protection against unauthorised access, both physical and logical. The remaining four criteria are optional but increasingly expected by enterprise buyers, particularly availability (ensuring systems are operational when needed) and confidentiality (ensuring sensitive data is appropriately restricted).
There are two types of SOC 2 report. Type I assesses whether security controls are properly designed at a specific point in time. Type II goes further, evaluating whether those controls actually worked consistently over an extended period, typically six to twelve months. For enterprise procurement, Type II is the standard that matters. It answers the question: do these controls work in practice, day after day?
For AI platforms specifically, remember that the scope of a SOC 2 report is set by the vendor's own system description, so check that the description covers the model training pipelines, data pipelines, and automated processing, not just the customer-facing dashboard. Auditors and buyers increasingly want evidence that customer video or operational data isn't leaking into training datasets, that access controls are enforced consistently, and that data flows are documented and auditable.

ISO 27001: the global information security standard
Where SOC 2 is primarily recognised in North American procurement, ISO 27001 is the global counterpart. Published jointly by the International Organisation for Standardisation and the International Electrotechnical Commission as ISO/IEC 27001, it specifies requirements for establishing, implementing, and maintaining an information security management system (ISMS).
Certification requires an organisation to systematically identify risks to its information assets, implement controls to address those risks, and continuously monitor and improve those controls over time. An independent certification body audits the ISMS against the standard. Certificates typically run on a three-year cycle, with surveillance audits each year in between and a full re-certification audit at the end, so ask for the certificate's expiry date and the scope statement, which names the locations and services actually covered.
For organisations operating across multiple regions (which describes most enterprise safety programmes), ISO 27001 is often a procurement prerequisite. The standard's structured approach to risk management, access controls, incident response, and supplier security aligns closely with what enterprise IT and security teams evaluate during vendor assessments.
In industries where workplace safety platforms are most commonly deployed (logistics, warehousing, manufacturing, retail distribution), ISO 27001 certification signals that a vendor takes information security as seriously as the operational challenges it's trying to solve.
GDPR and workplace camera monitoring
For organisations with operations in the European Union or the United Kingdom, the General Data Protection Regulation adds another layer of obligation. CCTV footage that captures identifiable individuals is classified as personal data under the GDPR, which means any processing of that footage must have a lawful basis, be proportionate to the stated purpose, and be transparent to the people being recorded.
Under Article 35, any processing that is likely to result in a high risk to individuals' rights and freedoms requires a Data Protection Impact Assessment (DPIA) before the system is deployed, and supervisory authorities generally treat systematic camera monitoring of employees as falling into that category. Employers must clearly communicate why monitoring is taking place, restrict access to authorised personnel, define retention periods, and ensure footage is stored securely.
This is where the architecture of your AI safety platform becomes critical. A platform that processes video on-premise (keeping footage on your own infrastructure rather than transmitting it to external cloud servers) reduces your GDPR exposure: there is no international transfer to assess, no third-party processor holding raw footage, and a smaller set of systems to cover in the DPIA. It does not remove your obligations as the controller; lawful basis, transparency, retention limits and access control still apply to footage held on site. inviol's approach is designed around this principle: 99% of data is processed on-premise, video footage doesn't leave your site, and faces are automatically blurred to prevent individual identification. You can verify inviol's certifications at trust.inviol.com.
For organisations subject to New Zealand's Health and Safety at Work Act (HSWA) or Safe Work Australia's model WHS laws, the safety duty is similar and the privacy obligations come from each country's own privacy legislation rather than the GDPR, but the principles are the same. Workers have a reasonable expectation that monitoring technology is implemented transparently, proportionately, and with appropriate safeguards. A platform that can demonstrate independent certification against recognised security standards makes that case considerably easier.
Why this matters more for safety platforms
You might wonder why data security deserves special attention for workplace safety technology compared to, say, a project management tool or an HR platform. There are three reasons.
First, the data is inherently sensitive. Computer vision AI for safety processes continuous video footage of your workers going about their daily tasks. Even with face blurring and anonymisation, the operational intelligence captured (movement patterns, vehicle flows, shift-by-shift activity) is commercially and operationally sensitive. A breach could expose not just personal data but detailed information about your facility operations, traffic patterns, and security vulnerabilities.
Second, the deployment footprint is wide. Safety platforms connect to cameras across multiple zones, shifts, and often multiple sites. That's a broad attack surface. Every connection point between cameras, processing units, dashboards, and integrations is a potential vulnerability that needs to be secured, monitored, and audited.
Third, the consequences of a breach in this context are amplified. IBM's Cost of a Data Breach Report found that the average global cost of a data breach reached US$4.88 million in 2024, with industrial organisations paying US$5.56 million on average. Beyond the financial impact, a breach involving workplace monitoring footage could fundamentally undermine the trust your workforce has placed in the technology, destroying the cultural buy-in that makes coaching-led safety programmes effective.

The difference between on-premise and cloud processing
One of the most important architectural decisions in computer vision AI is where video data is processed. There are two broad approaches.
Cloud processing sends video footage (or extracted data) to external servers for analysis. This can offer scalability advantages, but it means your workplace footage is travelling across networks and being stored on infrastructure you don't control. Even with TLS on the wire, every hop and every stored copy is a system you have to trust, contractually and technically, and the data is subject to the data sovereignty laws of wherever those servers are located.
On-premise processing keeps the analysis local. A processing unit sits on your site, connected to your cameras, and performs the computer vision analysis without sending raw video externally. The outputs (safety events, heatmaps, trend data) are transmitted in a structured, anonymised format, but the footage itself stays within your physical infrastructure.
From a security and compliance standpoint, on-premise processing is substantially stronger. It takes raw footage out of the transfer path, simplifies your GDPR and privacy obligations, and gives your IT team direct physical control over the processing hardware. The trade-off is that responsibility moves to you: the unit has to be patched, physically secured, and segmented from both the camera network and the corporate LAN, and its outbound channel still needs to be restricted to the destinations the vendor documents. For industries handling sensitive operations, this architectural choice is often a deciding factor.
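One practical consequence of the on-premise model is that the "only structured events leave the site" claim is something your own team can verify rather than take on trust. As an added example (not inviol's code or tooling, and not part of the original article), here is a Python check that a site IT team could run over two artefacts they control: the perimeter flow records for the processing unit, and a capture of the event payloads it sends out. It flags connections to destinations the vendor has not documented, per-minute egress volumes that look like media upload rather than telemetry, and payload fields that carry images either under an obvious key or as a base64 blob under an innocuous one. The allowlisted endpoint, the byte budget, the forbidden field names and every sample record are assumptions constructed for this example; it addresses both the attack-surface point made earlier and the "What data leaves your site?" question in the vendor checklist below.

```python
import base64
import re
from collections import defaultdict

# Hypothetical allowlist: the only destination this (assumed) vendor documents
# for the on-site unit is its event endpoint on TCP 443. Anything else is a finding.
ALLOWED_DESTINATIONS = {("events.vendor.example", 443)}

# Assumed per-minute egress budget for structured event telemetry. A unit that
# ships only JSON events stays far below this; sustained traffic above it is
# more consistent with image or video upload than with event data.
MAX_BYTES_PER_MINUTE = 200_000

# Field names that should never appear in an event leaving the site if the
# "structured, anonymised outputs" claim holds. Assumed list; adapt to the vendor's schema.
FORBIDDEN_KEYS = {"frame", "image", "jpeg", "png", "clip", "video", "face_crop"}

# Long runs of base64 text are how media ends up inside "structured" JSON.
BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{512,}={0,2}$")

# Constructed flow records, in the shape a perimeter firewall or NetFlow
# exporter produces for the processing unit.
SAMPLE_FLOWS = [
    {"ts": "2025-10-16T08:00:12Z", "dst": "events.vendor.example", "dport": 443, "bytes_out": 18_420},
    {"ts": "2025-10-16T08:00:40Z", "dst": "events.vendor.example", "dport": 443, "bytes_out": 21_003},
    # documented endpoint, but ~9.6 MB in one minute: not event telemetry
    {"ts": "2025-10-16T08:01:05Z", "dst": "events.vendor.example", "dport": 443, "bytes_out": 9_640_112},
    # small, but to an undocumented destination (203.0.113.0/24 is a documentation range)
    {"ts": "2025-10-16T08:02:30Z", "dst": "203.0.113.77", "dport": 8443, "bytes_out": 4_120},
]

# Constructed event payloads, as captured from the unit's outbound channel.
SAMPLE_EVENTS = [
    {"event": "near_miss", "zone": "dock-3", "ts": "2025-10-16T08:00:12Z",
     "vehicle": "forklift", "distance_m": 0.8},
    # carries a media field under an obvious key (value is a made-up base64 fragment)
    {"event": "ppe_violation", "zone": "aisle-7", "ts": "2025-10-16T08:00:40Z",
     "face_crop": "/9j/4AAQSkZJRgABAQAAAQABAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0a"},
    # carries a media-sized blob under an innocuous key; only content inspection catches this
    {"event": "zone_entry", "zone": "dock-1", "ts": "2025-10-16T08:01:05Z",
     "ctx": {"debug": base64.b64encode(bytes(600)).decode()}},
]


def audit_flows(flows, allowed=ALLOWED_DESTINATIONS, budget=MAX_BYTES_PER_MINUTE):
    """Flag undocumented destinations and per-minute egress above the telemetry budget."""
    findings = []
    per_minute = defaultdict(int)
    for f in flows:
        if (f["dst"], f["dport"]) not in allowed:
            findings.append(
                f"{f['ts']} unexpected destination {f['dst']}:{f['dport']} ({f['bytes_out']} bytes)")
        per_minute[f["ts"][:16]] += f["bytes_out"]  # bucket on "YYYY-MM-DDTHH:MM"
    for minute, total in sorted(per_minute.items()):
        if total > budget:
            findings.append(
                f"{minute} egress {total} bytes exceeds telemetry budget {budget}; looks like media upload")
    return findings


def audit_event(event, forbidden=FORBIDDEN_KEYS):
    """Walk a decoded event and flag media fields by key name or by base64-looking content."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                if key.lower() in forbidden:
                    findings.append(f"{path}{key}: forbidden media field")
                walk(value, f"{path}{key}.")
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}{i}.")
        elif isinstance(node, str) and BLOB_RE.match(node):
            findings.append(f"{path.rstrip('.')}: {len(node)}-char base64-looking blob")

    walk(event, "")
    return findings


if __name__ == "__main__":
    for line in audit_flows(SAMPLE_FLOWS):
        print("FLOW ", line)
    for event in SAMPLE_EVENTS:
        for line in audit_event(event):
            print("EVENT", event["event"], line)
```

Running it against the constructed samples reports the undocumented destination, the 9.6 MB minute on the otherwise legitimate endpoint, the `face_crop` field, and the 800-character blob hidden under `ctx.debug`. The third event is the important one: a key-name denylist alone would pass it, which is why the payload check looks at content as well as schema. In production you would feed real firewall or NetFlow exports and a mirrored copy of the outbound stream, and enforce the same allowlist at the perimeter rather than only auditing after the fact.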
Questions to ask your safety technology vendor
When you're evaluating an AI safety platform, data security shouldn't be an afterthought in the procurement conversation. Here are the questions that your IT and security teams should be asking.
Does the vendor hold a current SOC 2 Type II report? A Type I report is a starting point, but Type II demonstrates sustained operational security over months, not just a well-designed system at a single point in time. Read the report rather than the summary: check the period it covers and whether a bridge letter covers the gap since, look for exceptions in the auditor's tests of controls, and note which subservice organisations (such as the cloud provider) are carved out of scope.
Is the vendor ISO 27001 certified? For organisations with international operations or those selling into European markets, this certification is increasingly expected in vendor assessments.
Where is video data processed and stored? Understand whether processing happens on-premise, in the cloud, or in a hybrid model. If cloud processing is involved, ask which data centres are used and under which jurisdiction's data sovereignty laws.
What data leaves your site? There's a significant difference between a platform that transmits raw video to external servers and one that transmits only structured event data. The less sensitive data that travels externally, the smaller your risk surface. Ask for the list of outbound destinations and ports the processing unit needs, so the claim can be enforced at your firewall and checked against your own traffic logs rather than taken on trust.
How does the platform handle personally identifiable information? Look for automated face blurring, anonymisation of individuals, and clear data retention policies. The platform should be designed so that safety events can be reviewed without identifying specific workers.
Can the vendor provide documentation for a DPIA? If you're subject to GDPR or similar privacy regulations, your vendor should be able to support your Data Protection Impact Assessment with clear documentation of their data flows, processing purposes, and security controls.
Is there a public trust centre? Vendors that are genuinely confident in their security posture make their certifications, policies, and compliance documentation publicly accessible rather than burying it behind sales conversations.

The trust foundation
Data security isn't the most exciting part of evaluating a safety technology platform. It doesn't have the immediate appeal of watching a computer vision system detect a near miss in real time. But it's the foundation that everything else sits on.
Your workforce needs to trust that the technology monitoring their environment isn't compromising their privacy. Your IT team needs confidence that connecting to your camera infrastructure doesn't introduce new vulnerabilities. Your board needs assurance that the vendor protecting your most sensitive operational data has been independently verified to do so.
Certifications like SOC 2 Type II, ISO 27001, and GDPR compliance aren't guarantees that nothing will ever go wrong. But they represent a verifiable commitment that a vendor has built security into their architecture, their processes, and their culture, and that an independent auditor has confirmed it.
When you're choosing a platform to monitor safety across your sites, make sure data security is one of the first conversations, not the last.
Frequently Asked Questions
What is SOC 2 Type II and why does it matter for safety technology?
SOC 2 Type II is a report issued under the AICPA's SOC 2 attestation standard that evaluates whether a service organisation's security controls operated effectively over an extended period, typically six to twelve months. Unlike Type I (which checks controls at a single point in time), Type II demonstrates sustained, operational security. For AI safety platforms that process sensitive workplace video footage, a current SOC 2 Type II report provides independent verification that the vendor's data protection controls are working consistently, not just designed well on paper.
What is the difference between SOC 2 and ISO 27001?
Both frameworks address information security, but they differ in form, scope and geography. SOC 2 is an AICPA attestation standard primarily recognised in North American enterprise procurement; the vendor receives an auditor's report on its controls rather than a certificate. ISO 27001 is a global standard published by the International Organisation for Standardisation and the International Electrotechnical Commission that specifies requirements for an information security management system (ISMS), against which an accredited body issues a certificate. Many enterprise buyers, particularly those with international operations, look for both. SOC 2 is common in US-based procurement, while ISO 27001 is the preferred standard in European, Asia-Pacific, and international vendor assessments.
Why is on-premise processing more secure for workplace AI?
On-premise processing keeps video footage on your own physical infrastructure rather than transmitting it to external cloud servers. This takes raw footage out of the data transfer path, simplifies compliance with data sovereignty and privacy regulations like the GDPR, and gives your IT team direct physical control over the processing hardware. It also means the unit is yours to patch, segment and physically secure, and its outbound traffic should be restricted to the destinations the vendor documents. For organisations subject to strict data protection requirements, on-premise processing significantly reduces the risk surface compared to cloud-based alternatives.
How does GDPR apply to AI workplace safety cameras?
Under the GDPR, CCTV footage that can identify individuals is classified as personal data. Employers using AI-powered camera monitoring must have a lawful basis for processing (typically legitimate interests for health and safety purposes), conduct a Data Protection Impact Assessment where monitoring poses high risk, clearly inform employees about the monitoring and its purpose, define retention periods, and restrict access to authorised personnel. Platforms that incorporate privacy-by-design features like automatic face blurring and on-premise processing help employers meet these obligations.
What security certifications should I look for when evaluating an AI safety platform?
At a minimum, look for a current SOC 2 Type II report and ISO 27001 certification. These represent independently audited commitments to data security. For organisations with EU or UK operations, GDPR compliance is also essential. Beyond certifications, evaluate the platform's architecture: where video is processed and stored, what data leaves your site, how personally identifiable information is handled, and whether there is a publicly accessible trust centre where you can verify certifications independently.