If you’ve experienced GUARDIAN RFID software in action – whether during a demo or at a neighboring facility – you know that our platform, Command Cloud, captures a ton of data. This data is not only textual but it can also be in the form of digital evidence, such as imaging or videos.
Every data point represents proof of proactive steps that your staff has taken to ensure compliance, refute deliberate indifference, and uphold elevated standards of internal governance.
You may be wondering: Where is this data stored? Whether you’re concerned about data ownership, planning technical resources, or protecting cloud security, we’ve got you covered.
This blog covers where GUARDIAN RFID data is stored, how it is protected, who owns it, and general data retention practices. Not legal advice, just a synopsis of what’s common among GUARDIAN RFID users.
In the Beginning
Since 2007, every instance of GUARDIAN RFID has been deployed as Software as a Service (SaaS). This means that we share one common milestone with Netflix: all GUARDIAN RFID software and services have been Cloud-native since they started their streaming service.
We’ve always been enthusiastic about the Cloud because of its capacity to offer convenient, cost-effective, and unfettered access to your data. Back then, jail administrators loved showing off how they were running their jails from their newly minted, first-generation iPhones, which so happened to launch the same summer as our first instance of GUARDIAN RFID cloud-native software.
The Cloud Environment and How Your Data is Protected
Command Cloud, our officer experience platform (OXP), is deployed to Amazon Web Services (AWS). AWS has two primary types (or regions) of Cloud server environments. Command Cloud supports both types:
-
Standard AWS Regions
Why do we support two regions? In some cases, state-level deployments, such as a state department of corrections, may prefer GovCloud because it has certain unique security capabilities, including:
-
FIPS 140-2 approved cryptographic modules for all AWS service API endpoints
-
Physical and logical restricted access for those staff supporting AWS GovCloud (US) to US Citizens
-
Authentication that’s completely isolated from Amazon.com
For agencies that prefer GovCloud, the choice ultimately comes down to preference rather than mandate. There’s no requirement for any county or state agency to use GovCloud. Currently, there are no present use cases supported in Command Cloud that involve generating or storing highly sensitive, unclassified data that would necessitate a Federal Risk and Authorization Management Program (FedRAMP) High categorization, which GovCloud supports.
In terms of Criminal Justice Information Services (CJIS) compliance, both AWS Standard Regions and AWS GovCloud are fully compliant. It’s a common misconception that only GovCloud meets these standards, but that is not the case. In fact, as Gerard Gallant, CJIS Senior Program Manager at AWS explains:
In addition to AWS GovCloud (US) Regions, public sector customers are now also deploying CJIS workloads in AWS US Commercial Regions, while meeting the data residency requirements of the CJIS Security Policy.
Protecting your Data
GUARDIAN RFID prioritizes security in every aspect of our purpose-built technology. For instance, GUARDIAN RFID is SOC 2 Type 2 compliant, demonstrating our commitment to robust internal controls that protect sensitive data. This compliance framework, developed by the American Institute of Certified Public Accountants (AICPA), ensures we adhere to the highest standards of cyber security.
To achieve SOC 2 Type 2 compliance, you must:
-
Undergo an audit by an external AICPA-accredited auditor
-
Have an independent auditor review the organization's practices and policies
-
Demonstrate that the organization's controls are designed appropriately and operate effectively
Our system architecture incorporates multiple security layers and protocols to secure maximum protection such as using sophisticated encryption for both data in transit and at rest. Additionally, we employ real-time monitoring tools, multi-factor authentication, and segregated environments for development, testing, and production, among other measures.
Data Ownership
You own your data. Our customers, America’s Warriors, have always owned their own data. We are committed to ensuring your data is accessible in several ways. Whether you want to visualize it using your own business intelligence software or periodically download a local copy to your network, all the data is yours and 100% available to you on your own time.
But if you’re like most agencies, you’ll likely want to add on Operational Intelligence to achieve insightful, visual, diagnostic analytics.
What is Business Intelligence? Business intelligence (BI) tools help jails and prisons analyze data to gain valuable insights that inform decisions. BI helps answer critical questions such as "What happened?" and "What needs to change?” For example, it can identify patterns like “Why are their compliance bottlenecks at the same time in the same location?”
Data Retention
So how long should you keep your data? That depends on the type of data and what your state requires – and certainly what your attorneys advise for compliance and risk mitigation. But as a general practice, nearly every Warrior agency meets at least these minimum retention requirements:
1. General inmate activity logs – 2 years
2. Inmate medication administration logs – 2 years
3. Biometric data – 2 years (or as applicable with state privacy laws)
Of course, we’re not dogmatic about what you need to do. Our main recommendation is to develop a retention policy based on your agency’s counsel’s guidance or outside legal representation to confirm it meets your specific requirements. By the same token, GUARDIAN RFID will act accordingly to expunge records based on court orders or clear guidance from your agency’s counsel regarding retention.
In summary, all the data you generate and store with GUARDIAN RFID is securely stored in our Cloud database. You own your data. Our responsibility is to ensure that it’s protected, secured, backed up, and accessible when you need it. We’ll retain it as long as you instruct us to, as mandated by your state’s laws.
GUARDIAN RFID is committed to creating a highly secure environment, as demonstrated by our SOC 2 Type 2 Compliance and the implementation of multiple security layers to protect the server and application environment.
