Security
Video stays at the plant.
The single architectural rule we built around — and the rest of the posture that lets a plant team and a security reviewer both rest easy.
Video stays at the plant
The single design rule we built around. Vision inference runs on a local box at the plant; raw video never leaves the site. Only event metadata — what was detected, when, on which camera — and a small number of evidence stills sync to the cloud.
That means an internet outage doesn't cost you safety coverage, and a cloud breach can't expose your raw footage, because only event metadata and a handful of stills ever leave the site. Two failure modes, both closed off by construction rather than by policy.
What we store and where
- Event metadata + a few stills. Stored in Firestore in the asia-south1 region (Mumbai). Custom regions are available for Enterprise customers with residency requirements.
- Operator inputs. Same path — they flow to Firestore via the companion app, alongside the event spine they relate to.
- Raw video. Stays in your CCTV NVR. We do not pull it, copy it, or stream it offsite.
Encryption
- In transit. TLS 1.2+ on every connection between edge, cloud, and clients.
- At rest. Firestore data is encrypted with Google-managed keys by default. Customer-managed keys are available on Enterprise.
- Backups. Firestore point-in-time recovery and scheduled backups are enabled on production data.
Authentication and access control
- Operators sign in to the companion app with a phone-based one-time code checked against a per-plant roster. A device reported lost is revoked at its next sign-in.
- Supervisors and owners sign in the same way, with elevated roles defined by the plant's admin.
- Our internal team signs in with passwordless email links, and every access is written to an audit log. Production data access is logged and reviewed.
- Row-level security is enforced at the database layer. Even a misbehaving query can't cross a plant boundary or read a resource the role doesn't own.
Auditability
Events, operator entries, maintenance logs, and incident records are append-only. Edits land as new rows that reference the original; nothing is mutated in place. The result is a complete audit trail you can hand to a regulator without explaining gaps.
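The two claims above, per-plant isolation at the database layer and append-only records, are exactly the ones a security reviewer will ask to see in the ruleset. The Firestore security rules below are an added illustration written for this page, not the product's own rules. They assume a per-plant document layout (`/plants/{plantId}/events` and `/plants/{plantId}/operator_inputs`), custom claims named `plant_id` and `role` on the ID token, and an assumed `edge` role for the plant box; the `operator`, `supervisor` and `owner` roles follow the roles named on this page.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Identity comes from custom claims on the ID token. The claim names
    // (plant_id, role) are assumptions for this example, not the product's.
    function signedIn() {
      return request.auth != null && request.auth.token.plant_id is string;
    }
    function inPlant(plantId) {
      return signedIn() && request.auth.token.plant_id == plantId;
    }
    function hasRole(roles) {
      return signedIn() && request.auth.token.role in roles;
    }
    // A correction is a new document that references the original; the
    // original must exist, and it must live under the same plant.
    function supersedesInPlant(plantId) {
      return !('supersedes' in request.resource.data)
        || exists(/databases/$(database)/documents/plants/$(plantId)/operator_inputs/$(request.resource.data.supersedes));
    }

    // Every document sits under the plant it belongs to, so the path itself
    // carries the tenant boundary that each rule below checks.
    match /plants/{plantId} {
      allow read: if inPlant(plantId);

      // Event spine: written by the plant box (assumed 'edge' role), readable
      // by anyone on that plant's roster, never edited or deleted.
      match /events/{eventId} {
        allow read: if inPlant(plantId);
        allow create: if inPlant(plantId)
          && hasRole(['edge'])
          && request.resource.data.plantId == plantId;
        allow update, delete: if false;  // append-only by construction
      }

      // Operator inputs: created by the signed-in author, may reference an
      // earlier input via 'supersedes', never mutated in place.
      match /operator_inputs/{inputId} {
        allow read: if inPlant(plantId);
        allow create: if inPlant(plantId)
          && hasRole(['operator', 'supervisor', 'owner'])
          && request.resource.data.author == request.auth.uid
          && request.resource.data.plantId == plantId
          && supersedesInPlant(plantId);
        allow update, delete: if false;  // corrections land as new documents
      }
    }

    // No other path matches, so anything outside a plant subtree is denied.
  }
}
```

Two properties of rules like these matter when reading them. Subcollection rules do not cascade and there is no `match /{path=**}/events/{eventId}` collection-group rule, so a query that is not scoped under a plant path matches nothing and is refused outright rather than filtered. And security rules only govern client SDK traffic; anything going through the Admin SDK or a service account bypasses them, which is why the internal-access audit log described above is part of the same control rather than a separate one.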
Outage resilience
Critical alarms — fire, fall, distress, lone-worker — are designed to keep firing on the plant during an internet outage. Events queue locally and sync when connectivity returns. The plant doesn't go quiet when the cloud has a bad day.
Operator dignity
We do not score individual operators. Posture, distraction, and similar signals are aggregated at the line or station level and used to drive equipment changes — not to evaluate people. This is a design principle, not a roadmap item.
Compliance roadmap
- SOC 2 Type II — readiness work underway with a target audit window in the next 12 months. Bridge letters available on request for enterprise pilots in the meantime.
- ISO 27001 — alignment with controls is part of the SOC 2 work; certification follows.
- GDPR / UK GDPR. We process personal data as a processor on behalf of our customers, under standard data-processing terms available in the Enterprise contract. Personal data on the marketing site is covered separately on our Privacy page.
- Data residency. Default Mumbai (asia-south1). EU and US regions available for Enterprise customers.
Reporting a vulnerability
If you've found a security issue, please email security@factoryopsai.com with the details. We'll acknowledge within one business day, investigate, and update you on remediation. Good-faith research will not face legal action from us.
Security review for your team?
We've been through enterprise security questionnaires before. Send yours and we'll turn it around quickly.
security@factoryopsai.com