Security & Data Handling

Insightek builds industrial AI products that run on or near customer production lines. That context shapes every security decision we make: customer imagery and operational data must be protected, data sovereignty must be respected, and the line must continue to run even when connectivity to external services is interrupted. We design for on-premise and hybrid deployments as the default, not as an afterthought.

We favor transparency over marketing language. Where a control is fully in place, we say so. Where a certification is in progress, we say "in progress" and explain what that means. We do not use the word "certified" in the absence of an actual certificate.

For on-premise deployments, customer imagery, detections, and operational logs remain on the customer network. The inference pipeline does not require outbound connectivity to Insightek infrastructure to make real-time decisions. Software updates and model updates are delivered through controlled channels that the customer can inspect and schedule.

For hybrid or cloud-assisted deployments, we document exactly which data flows leave the customer perimeter, why, and under what legal basis. Customers can opt into a fully air-gapped mode where no operational data ever leaves their network.

Data in transit. All network traffic between product components is encrypted using TLS 1.2 or above with modern cipher suites. Internal service-to-service traffic uses mutual TLS where supported by the customer environment.

Data at rest. Stored detection records, model artifacts, and audit logs on Insightek-managed infrastructure are encrypted using AES-256. On customer-managed infrastructure, we recommend and help configure equivalent at-rest encryption using the customer's key management solution.

Keys and secrets. Keys and secrets are managed through the platform-native secret store (for example a customer KMS or HSM where available). We avoid long-lived static credentials and rotate keys on a defined schedule.

Role-based access control (RBAC) is enforced throughout the product interface. Roles follow the principle of least privilege: operators see only the data and actions required for their station; engineers see configuration and logs; administrators manage users and policies.

Single sign-on (SSO) integration with customer identity providers (SAML and OIDC) is on the roadmap and available today for enterprise engagements on request. Until a customer integration is in place, we support strong passwords and recommend enabling multi-factor authentication at the customer's identity layer.

Insightek personnel access to customer environments is strictly limited to engineering and support staff with a documented need-to-know, requires explicit customer authorization, and is recorded in audit logs.

The product emits structured audit logs for authentication events, configuration changes, model deployments, and privileged actions. Logs are tamper-evident — each entry is chained so that retroactive modification is detectable — and retention is configurable to match the customer's compliance requirements.

Logs can be forwarded to the customer's SIEM or log aggregation system in standard formats for integration with existing monitoring and alerting workflows.

We maintain an internal incident response process covering detection, containment, eradication, recovery, and post-incident review. Suspected security incidents affecting customer environments are escalated to a named on-call engineer and an incident commander.

Notification commitment. In the event of a confirmed security incident affecting customer data or customer operations, we commit to notifying affected customers without undue delay and no later than 72 hours after discovery, consistent with regulatory standards under GDPR and PIPL. The notification will include what we know, what we do not yet know, actions already taken, and next steps.

For coordinated vulnerability disclosure from external researchers, please see the "Reporting a vulnerability" section below.

We believe the most privacy-preserving data is the data never captured. Our Action Compliance product supports a structure-only mode in which the system emits events and metrics (timestamps, step labels, sequence compliance flags) without storing or transmitting the raw video frames that generated them. This mode is suitable for workplaces where continuous video capture would raise privacy concerns.

Our Visual Inspection product supports configurable retention of inspection images, including modes where only failures are retained for review and successful inspections are discarded immediately after the OK/NG decision.