ELSAG^® Cloud Storage Solution Security and Data Statement

Leonardo’s Security and Data Statement for ELSAG Cloud Storage Solution

At Leonardo US Cyber and Security Solutions, LLC, customer trust is our top priority. We deliver ELSAG automatic license plate recognition solutions and services to thousands of customers, including local, state, and federal law enforcement agencies and municipalities in 25 countries.  Additionally, we work with private sector companies who support enforcement operations such as parking and tolling.  Our customers trust us with some of their most sensitive information which is used to fight crime and keep communities safer.

We know that customers care deeply about privacy and data security. That’s why Leonardo, through its partnership with Amazon Web Services^® (AWS), gives you ownership and control over your data through simple, powerful tools that allow you to determine how your data will be stored, how long it will be stored, secure your data in transit and at rest, and manage who can access your data.  During your onboarding process, a Leonardo Technician will discuss and then configure your domain to your specifications. Through AWS, we also implement responsible and sophisticated technical and physical controls that are designed to prevent unauthorized access to or disclosure of your data.  Leonardo’s domain, group and user settings allow your data to be segregated from other customers using the ELSAG Cloud Storage Service. 

Maintaining customer trust is an ongoing commitment. Our system is designed to be CJIS-compliant and we work with our customer agency and their appointed CJIS Compliance Officer to assure that both parties work together on securing your data properly, including conducting background checks on server technicians where and when required.  We strive to inform you of our privacy and data security policies, practices, and technologies we’ve put in place. 

These customer data ownership and control commitments include:

Access
As a customer, you manage access to your data and user accounts through coordination with your ELSAG server technician. The system is built with data management, auditing and logging features that help all parties maintain the system for peak performance and help customers track user access effectively. We do not access or use your data for any other purpose without your consent.

Storage
Your data is stored on a CJIS-compliant cloud-based server through AWS.  Leonardo contracts with AWS to provide storage space for all our customers on the ELSAG EOC using the ELSAG Cloud Storage Service.  Using domain settings, we segregate each individual customer’s data from the rest of the users creating your own “storage bucket” that only your authorized users and ELSAG technicians have access to.  We do not move or replicate your data outside of the ELSAG Cloud Service without your consent.

Security and security assurance
The ELSAG Cloud Storage Service provides strong encryption for your data in transit and at rest. Through the AWS security assurance program, we use best practices for global privacy and data protection to help you operate securely and to make the best use of a security control environment. These security protections and control processes are independently validated by AWS through multiple third-party independent assessments.

Disclosure of customer data
We do not disclose customer data unless we are required to do so by law, or with a valid and binding order of a governmental or regulatory body. Unless we are prohibited from doing so or there is clear indication of illegal conduct in connection with the use of the ELSAG Cloud Service or AWS, Leonardo notifies customers before disclosing customer data so they can seek protection from disclosure.

How does Leonardo classify customer data?
Leonardo, like AWS, classifies customer data into two categories: customer data and account information.

We define customer data as any content, materials, data, and information derived and transmitted through the use of ELSAG ALPR systems.  This may include images, metadata, text, audio, or video that a customer or any end user transmits to the ELSAG Cloud for processing, storage, or hosting by AWS services in connection with the Leonardo account, and any computational results that a customer or any end user derives from the foregoing through Leonardo’s use of AWS services. Data from a standard ALPR transaction includes a black and white image of the license plate, color overview image of the vehicle, date and time stamp, GPS coordinates and possible officer notes.  

We define account information as information about a customer that a customer provides to us in connection with the creation or administration of a customer account. For example, account information includes names, usernames, phone numbers, email addresses, and billing information associated with a customer account.

Who owns customer data?
It’s simple, you do! As a customer, you maintain ownership of your data while our technicians coordinate standard system maintenance with your agency. We do not access or use your data for any purpose without your consent and direction. Additionally, while your data is in the ELSAG Cloud Service, you can also use the robust API/SDK to feed your data forward into other applications you may use.

If you choose to stop using the ELSAG Cloud Service, we will maintain your data for up to 90 days, subject to the established retention policy, while we help you develop a transition plan to either export it or delete it from the system.  

Who controls customer data?
As a customer, you control your data:

• You choose who has access to your data within the EOC
• You decide if you want to share data with other EOC users (by default data is not shared)
• You have the ability to send your data to external services for the cost of the data egress
• You control how long your data is stored (to comply with local ALPR data retention policy)
• You direct access to your content through established users, groups, permissions, and credentials

What happens when Leonardo receives a legal request for customer data?
We are focused on our customers' privacy. We do not disclose customer data unless we are  required to do so to comply with the law, or with a valid and binding order of a governmental or regulatory body. Governmental and regulatory bodies need to follow the applicable legal process to obtain valid and binding orders. We review all orders and object to overbroad or otherwise inappropriate ones. Unless prohibited from doing so, or there is clear indication of illegal conduct in connection with the use of the ELSAG Cloud Service or Amazon products or services, Leonardo will notify customers before disclosing customer data so the customer seek protection from disclosure.

Where is customer data stored?
Leonardo subscribes to Amazon Web Services for data storage. AWS data centers are built in clusters in various AWS regions around the globe. For US-based customers, Leonardo has chosen to store data in the continental US (specifically in AWS Region US-East-1A).  For customers outside of the US, data storage will be addressed on a case-by-case basis. Data will be backed up in the data center for recovery purposes only.

What is my role in securing data?
When evaluating the security of a cloud solution, it is important for you to understand and distinguish between the security of the cloud, and your security in the cloud. Security of the cloud encompasses the security measures that Leonardo and AWS implement and operate. We are responsible for security of the cloud. Security in the cloud encompasses the security measures that you implement and operate.  You are responsible for your security in the cloud, for example utilizing proper IT protocol for passwords and computer terminal access.

For a complete list of all the security measures AWS has built into their core cloud infrastructure, platforms, and services, see AWS’ Overview of Security Processes whitepaper.

What steps does Leonardo take to protect my privacy?
The AWS platform used in the storage solution complies with ISO 27018, a code of practice that focuses on protection of personal data in the cloud. It is based on ISO information security standard 27002 and provides implementation guidance about ISO 27002 controls that is applicable to personally identifiable information (PII) processed by public cloud service providers. For more information, or to view the AWS ISO 27018 Certification, see the AWS ISO 27018 Compliance webpage.

What is the EU-US Privacy Shield?
Recently, the European Commission and the US Government agreed on a new framework called the EU-US Privacy Shield, and on July 12, 2016, the European Commission formally adopted it. The EU-US Privacy Shield replaces Safe Harbor.

To learn more about this topic in the context of AWS, visit AWS’s EU-US Privacy Shield page.