Files

3.9 KiB

Data sovereignty

The sovereignty model is enforced at three layers, each visible in the operator console.

Layer 1 — Storage tier separation

Tier Data Where it lives Encryption
1 Raw video clips Cell's local disk (NVMe + HDD) LUKS at rest
1 Audio recordings Cell's local disk LUKS at rest
2 Embeddings (CLIP, voiceprints) Cell's vector index, optionally bridged to hub TLS in transit, AES at rest on hub
2 Detection metadata (events, hashes) Cell's TimescaleDB, bridged to hub same
3 Evidence packs (when exported) Customer-provided destination BYOK encryption

Tier 1 never leaves the site by default. No accidental upload, no "telemetry" exemption, no "diagnostics improvement" loophole.

Layer 2 — MQTT bridge policy

Defined in mqtt-contract.md. Summary:

Direction Allowed Not allowed
Up (site→hub) events, state, registry, health, bridge status, evidence manifests snapshots, raw telemetry, $SYS
Down (hub→site) commands, config nothing else

The policy is in /etc/mosquitto/conf.d/bridge.conf, version-controlled in the site-config repo. The MQTT panel renders it.

Layer 3 — Network egress at the firewall

The cameras VLAN (VLAN-10 by default) has zero internet egress. Firewall rules:

  • DROP from VLAN-10 to WAN.
  • DROP from VLAN-10 to any non-RTSP port on VLAN-20.
  • DROP from VLAN-10 to anywhere except: local DNS sinkhole, RTSP from VLAN-20, NTP from local router.

DNS is sinkholed: cameras think they have DNS but the router resolves all queries locally. Phone-home attempts are visible in the security checklist during onboarding.

The Cell (VLAN-20) does have internet egress, but only to bridge endpoint and Balena. The router enforces this with named iptables/nftables sets.

Layer 4 — GitOps audit trail

Every configuration change is a Git commit, signed by an operator's GPG or SSH key. The repo is auditable by anyone with read access. Drift between live config and Git state is detected within 5 minutes and surfaced in the GitOps panel.

This is the audit trail for compliance: "show me what was running on this site on date X" → check Git history for commits before date X.

What customers see

In the operator console:

  • MQTT panel → bridge policy section: explicit ↑hub, ↓hub, ✗ stays local, ✗ never bridged tags on every topic.
  • CAMS panel → "DNS BLK 847 calls today" stat showing how many phone-home attempts were blocked.
  • GITOPS panel → who changed what, when, with the SHA.
  • HEALTH panel → "VLAN segregation · DENIED ✓" test confirming the policy is alive.
  • SYNOPSIS → bottom right corner shows ◆ DATA · SOVEREIGN ◆ as a permanent banner.

Customer-facing claims (what we can say)

We can claim:

  • "Raw video stays on-site; cryptographically demonstrable."
  • "Hub data centers are EU-jurisdiction; no US presence in the critical path."
  • "Customer holds encryption keys for evidence packs (BYOK)."
  • "Audit trail in Git, signed by operators, retained indefinitely."
  • "Zero unauthorized egress from cameras VLAN; verifiable in the live MQTT bus."

We do not claim (yet):

  • "Compliant with [specific regulation]" — that's per-jurisdiction legal review.
  • "Tamper-evident clips" — that's the evidence chain workstream, post-MVP.
  • "Air-gapped possible" — partially true, but with caveats; document case-by-case.

Sovereignty incidents (planned response)

If a customer reports concern that data leaked:

  1. MQTT panel → check bridge log for unexpected publishes.
  2. GITOPS panel → check recent commits to bridge.conf.
  3. HEALTH panel → check VLAN segregation test history.
  4. Pcap → router can capture WAN egress for last 24h on demand (if enabled in config).

The platform is designed so that demonstrating sovereignty is a search, not an investigation.