Compliance & Frameworks
Quick reference for reviewers. This page maps how
StrangerAIert's existing technical controls align with the regulations
and security frameworks the service follows. Where a control is in
place, the implementation reference is linked.
1. Applicable Regulations
- CCPA / CPRA (California Consumer Privacy Act / California Privacy Rights Act) — collection notice, deletion and access rights, and Do-Not-Sell stance are honored. We do not sell personal information.
- VCDPA (Virginia Consumer Data Protection Act) — same rights honored where the account owner is a Virginia resident.
- CPA (Colorado Privacy Act) — same rights honored where the account owner is a Colorado resident.
- Other applicable U.S. state consumer privacy laws as they become effective in additional states.
- GDPR Article 32 — technical and organizational measures described in Architecture & Data Flow and Privacy Policy are applied to any EEA users.
- Ring® App Store Developer Policy and Data Use Policy — required for App Store certification; followed in full.
Biometric notice. Face embeddings derived from your Ring
camera footage are biometric data. Where the account owner has residents in
states with biometric-specific laws — notably Illinois BIPA
and Texas CUBI — those laws apply to the operator's use of
StrangerAIert, in addition to the general consumer privacy laws above.
StrangerAIert provides Notice and Consent at the point of camera enrollment
(see Privacy Policy Section 3).
2. NIST Cybersecurity Framework (CSF) Alignment
StrangerAIert's controls are organized along the five NIST CSF functions. Each row references the concrete implementation.
| CSF Function | What it requires | How StrangerAIert implements it |
|---|---|---|
| Identify in place | Inventory of assets, data, and dependencies. | Public storage and data-flow inventory at /architecture; sub-processor list at Privacy §9. |
| Protect in place | Access control, data protection at rest and in transit, secure configuration. | Encryption in transit (HTTPS with HSTS); cryptographic verification of inbound Ring webhooks; secure session cookies and standard browser security headers; encryption at rest on AWS cloud storage; Ring OAuth tokens kept server-side only; multi-tenant isolation enforced at the application layer. |
| Detect in place | Continuous monitoring, detection of anomalous activity. | AWS-level activity logged at the account level; an application audit trail records security-relevant events (login attempts, administrative actions); web server access and error logs; system journal. |
| Respond in place | Response planning, communications, mitigation, improvement. | Documented incident response posture and contact in our Privacy Policy; affected-user notification via email and in-app banner upon a confirmed personal-data incident. |
| Recover in place | Recovery planning, communications, improvements. | AWS S3 cross-Availability-Zone durability for camera clips; a secondary S3 bucket holds redundant copies. |
3. AWS Well-Architected Framework — Security Pillar
The Security Pillar's six design areas mapped to our implementation.
| Design Area | How StrangerAIert applies it |
|---|---|
| Security Foundations | Operations run in AWS under the principle of least privilege; administrative access is separated from runtime application access. |
| Identity & Access Management | End users authenticate via password (stored as a salted one-way hash) and Ring OAuth for Ring access. Administrative authentication is separated. Sessions are server-side and protected by secure cookies. |
| Detection | AWS-level activity is logged at the account level. An application audit trail records security-relevant events. Web server and system logs are retained per their rotation policies. |
| Infrastructure Protection | HTTPS-only access with HSTS; standard browser security headers; network access controls restrict the application instance to expected traffic; the application is reachable only through the reverse proxy. |
| Data Protection | Encryption at rest on AWS cloud storage; salted password hashing; Ring OAuth tokens kept server-side only; retention policies enforce automatic deletion of Ring-derived data after 90 days (Privacy §10). |
| Incident Response | Documented response posture in our Privacy Policy; user notification channel (email + in-app banner); audit trail enables reconstruction of access events. |
4. Cross-references
- Privacy Policy — collection, use, sharing, retention, rights, and contact.
- Terms of Service — acceptable use, your responsibilities as a camera operator, limitation of liability.
- Architecture & Data Flow — storage map and end-to-end flows.