Security and Privacy by Design
Misti is built for facilities where worker privacy rights are real legal obligations. It provides GDPR- and CCPA-aligned data handling, no biometric identification, on-premises deployment for OT-isolated networks, and security controls designed to meet industrial compliance expectations.
Note: Misti is designed with SOC 2 security controls in mind. We are not currently SOC 2 Type II certified. This distinction is important to us and to our customers.
What Is Processed, Where It Lives, and How Long We Keep It
What Is Processed
Misti processes camera video streams to extract zone-level analytics: density counts, flow patterns, PPE detection status, and event timestamps. Raw video is processed in real time — analytics are extracted and stored; raw video frames are not retained by default.
Misti does not perform facial recognition, biometric identification, or individual worker tracking. Zone metrics are aggregate patterns, not individual behavioral records.
Where It Lives
Analytics data (not raw video) is stored in Misti's cloud infrastructure (EU-based data centers) or, for on-premises deployments, on a Misti-managed edge node within your facility network.
Retention
Default analytics data retention: 90 days. Event log retention: 12 months. Retention periods are configurable per deployment. All data is encrypted at rest (AES-256) and in transit (TLS 1.3).
GDPR, CCPA, and Union Monitoring Obligations
No Biometric Data
Misti does not collect, process, or store biometric data as defined under GDPR Article 9 or Illinois BIPA. No facial geometry, no gait biometrics, no individual worker identity markers.
Worker Notification Templates
GDPR Article 13/14-aligned notification templates included with all deployments. Templates cover UK ICO-recommended disclosure for video analytics systems and US state AI monitoring notification requirements.
Blur Options
Worker figure blur option available per zone. Analytics (density, flow, PPE detection) continue to function on blurred feeds. Configurable for zones where individual visibility in video is a contractual or legal concern.
Role-Based Access and Audit Log
Role-Based Access Control
Three role types: Operations Director (full dashboard access), Supervisor (zone-specific access, no cross-zone data), EHS Lead (incident log and compliance reports). Access is provisioned by customer admin, not Misti.
Single Sign-On (SSO) integration available for enterprise deployments. All authentication events are logged.
Platform Audit Log
All data access, report exports, and configuration changes are logged with user, timestamp, and action. Audit log is customer-accessible and tamper-evident. Retention: 12 months.
Misti staff access to customer data requires explicit customer authorization and is logged in the same audit system.
We Provide Security Documentation Before You Commit
Data flow diagrams, network access requirements, DPA template, and controls summary available on request. We complete IT security reviews within 5 business days.