Compliance & Privacy

Compliance, honestly explained.

Audience analytics on a camera will always raise good questions from privacy, legal and security teams. Here's what SignIQ actually does, what we don't, and what your procurement process will want to see.

Product guidance only. This page is not legal advice for your specific deployment.

Privacy posture

Built so privacy isn't a policy decision.

The architecture does the work that policies usually have to. Video stays on the device, only aggregates leave, and the way the data flows fits cleanly inside UK GDPR, EU GDPR and the EU AI Act.

Privacy by design

Video is processed and discarded on the device. Only anonymous, aggregate numbers ever leave the hardware. No faces stored, no individuals tracked, no raw footage in the cloud.

GDPR & EU AI Act

Built to fit cleanly within UK GDPR, EU GDPR and the EU AI Act. Our audience analytics fall under the Act's Limited Risk tier — transparency, not high-risk authorisation.

Security posture

The controls in operation today.

We operate the day-to-day controls that frameworks like ISO 27001 and SOC 2 expect — encryption, access management, change management, incident response. We'll be honest about formal certification: we don't hold it today.

Aligned

ISO 27001 alignment

Our Information Security Management System is mapped to ISO 27001 Annex A — covering access control, data classification, encryption, change management and incident response. We don't currently hold formal certification.

Aligned

SOC 2 Trust Services Criteria

Our controls are designed against the SOC 2 framework. We don't hold formal attestation today — happy to walk procurement through what we operate.

Procurement team needs more detail on our controls? Email compliance@signiq.cloud — we'll walk you through what we operate today.

What SignIQ measures

Anonymous, aggregate numbers.

How many people pass each screen and zone
How long people stop and look
Attention events — when someone is oriented toward a display
Aggregate, ≥5-minute audience patterns by time of day and zone
Hourly rollups and forward forecasts

What SignIQ never does

Identity-led and prohibited uses.

No face matching, identity resolution, or biometric templates
No remote biometric identification in public spaces
No emotion recognition or mood scoring
No inference of sensitive attributes (race, religion, political views, health)
No individual-level profiles or cross-site tracking
No raw video stored or exported from the cloud

Partner alignment

Designed to fit inside ISO-certified stacks.

Many of the CMS and signage platforms we integrate with — Embed Signage among them — are ISO 27001 certified. SignIQ is built so that adding us to their stack doesn't put their certification at risk.

Mutual DPA in place

We sign a Data Processing Agreement with every partner who re-sells or integrates SignIQ. Article 28 obligations, sub-processor transparency and breach notification all covered.

Same-stack security controls

Encryption in transit and at rest. Role-based access on every dashboard. Audit logging on sensitive actions. The control set your partner's auditor expects to see.

Clear data flow boundaries

SignIQ processes video on the device and only transmits anonymous aggregates. Easy to draw on a data-flow diagram, easy to defend in a security review.

Shared responsibility

We do the product controls. You decide deployment policy.

SignIQ ships the architecture, documentation and templates. The operator at the venue still owns the deployment decisions that compliance frameworks expect to see written down.

The operator still owns

Where cameras get installed and which zones are active.
Which aggregate outputs are enabled per site.
Privacy notices and signage at the venue.
Lawful basis, retention windows and access controls.
Any DPIA review your internal process requires.

For procurement

The documents your team will ask for.

Email compliance@signiq.cloud — we'll get whatever you need back to you, usually same business day.

Data Processing Agreement

Standard DPA template available on request — covering Article 28 obligations, sub-processors, audit rights and breach notification.


Sub-processor list

We maintain a current list of sub-processors (cloud infrastructure, AI providers, payments) with their roles, regions and security posture.


Security overview

A short pack covering our ISMS, encryption, access control, vulnerability management, and incident response — usually enough for procurement teams.


Deployment materials

Print these. Stick them up.

Camera notices and privacy signage your venue can use the day a SignIQ node is installed. PDF for printing, SVG if your design team wants to brand it.

Downloadables

A4

Privacy Notice

Standard notice for entrances, foyers, lifts, and most indoor screen areas.

PDF + SVG

A3

Privacy Notice

Larger format for mall entries, shared public spaces, and busy corridors.

PDF + SVG

Quick notice

Camera Notice

Compact helper notice for nearby mounting points, counters, and screen surrounds.

PDF + SVG

This page is product guidance, not legal advice. If your rollout is high-sensitivity, public-sector, or otherwise unusual, get a review from your legal or privacy team before deployment.

Need our DPA or security pack?

Drop us a note with the framework your team works to — GDPR, ISO 27001, SOC 2, internal — and we'll come back with the documents to match.