Topics included in this article:
- Trust and Security at Rhombus
- Secure Design Principles
- Encryption & Data Protection
- Secure Operations and Maintenance
- Third-Party Validation and Compliance
- Company-Level Security Practices
- Security FAQ
- Helpful Links
- Contact Support or Sales
Trust and Security at Rhombus
At Rhombus, protecting customer data and maintaining trust are at the core of everything we do. Security is not something added at the end of development -- it is built into every product, process, and control we operate. Rhombus applies a security-first philosophy that ensures confidentiality, integrity, and availability across our entire platform.
Article Summary
- Designs products securely using zero-trust principles.
- Applies encryption and data protection at every stage of the lifecycle.
- Operates and maintains secure, resilient infrastructure.
- Undergoes third-party audits and validations.
- Enforces company-level security practices across employees and processes.
- Answers frequently asked customer questions about trust and compliance.
Responsible Disclosure
Rhombus welcomes collaboration with the security community. If you believe you have identified a vulnerability, please contact us at responsibledisclosure@rhombus.com or submit a ticket through Rhombus Support. All legitimate reports will be investigated, and we will work with researchers to remediate verified issues.
Secure Design Principles
Security at Rhombus begins with design. Our systems are engineered from the ground up with safeguards that protect customer data and ensure resiliency in high-stakes environments. These principles provide the foundation for our compliance with frameworks like SOC 2, HIPAA, GDPR, and CCPA, and they guide every aspect of how our platform is built and maintained.
Zero-Trust Architecture
- Minimizes the risk of unauthorized lateral movement.
- Enforces strict verification of all requests.
- Ensures only trusted devices and users interact with the platform.
Security-First Development
- Confidentiality of customer data.
- Integrity of video, metadata, and system records.
- Availability of systems in mission-critical environments such as healthcare, education, and public safety.
Customer-Controlled Access
- Limited to the minimum necessary scope.
- Fully logged, monitored, and auditable for accountability.
Principles of Least Privilege
- Role-based access control (RBAC) ensures users only have the permissions required to perform their roles.
- Temporary, time-bound access is provided for limited support activities.
- Internal employee accounts are restricted and reviewed regularly to prevent privilege creep.
Defense in Depth
- Hardened firmware and secure boot processes on devices.
- TLS encryption for communications between devices, applications, and the cloud.
- AWS-native controls such as VPC segmentation and DDoS protection.
- Continuous monitoring and automated alerting for suspicious activity.
Secure by Default
- Devices ship with no open inbound ports.
- Encryption is automatically enabled for data in transit and at rest.
- Automatic firmware and software updates are enabled by default, ensuring vulnerabilities are patched quickly.
Resilience and Reliability
- Cloud backups protect against local data loss.
- Physical and visual tamper detection features provide rapid alerts when devices are compromised.
- Redundant infrastructure ensures services remain available, even during disruptions.
Foundation for Compliance
- SOC 2 trust services criteria.
- HIPAA safeguards for PHI.
- GDPR requirements for personal data protection.
- CCPA/CPRA consumer privacy obligations.
Encryption & Data Protection
Encryption at Rest and in Transit
- At Rest: AES-256 encryption protects data stored locally on devices using Linux Unified Key Setup (LUKS) and data stored in the cloud through AWS Server-Side Encryption with Key Management Service (SSE-KMS).
- In Transit: Communications between cameras, sensors, mobile apps, and cloud services are protected using TLS 1.2 or higher, with TLS 1.3 support where available.
Encryption Standards
- AES-256 for secure data storage.
- TLS 1.2+/TLS 1.3 for secure communication channels.
- SHA-256 or stronger for message integrity and hashing.
Key Management
- Automated key rotation ensures keys are refreshed regularly.
- Role-based access controls limit who can interact with keys.
- Segregation of duties prevents any single individual from having full control over data and its keys.
- Auditable logs provide traceability of all key usage.
Data Lifecycle Protection
- Creation: Data is encrypted at the moment of capture on devices.
- Transmission: Video and metadata are encrypted during transfer to the cloud.
- Storage: Cloud and device data remain encrypted at rest.
- Deletion: Data is securely deleted once retention periods expire, ensuring it cannot be recovered.
Segregation of Customer Data
- Assigning unique encryption keys to each customer.
- Applying logical data separation within cloud storage.
- Ensuring that compromise of one tenant does not affect another.
Device-Level Security
- Each device is provisioned with a unique digital certificate that authenticates it to the Rhombus Cloud.
- Devices ship hardened with no open inbound ports.
- Firmware and software updates are digitally signed and verified before installation.
Tamper Protection and Device Trust
- Physical tamper alerts notify customers within seconds if a device is disturbed.
- Visual tamper alerts notify customers when a camera's view is obstructed.
- Device logs provide a full record of activity for auditing and investigation.
Compliance Alignment
- SOC 2: Confidentiality and logical separation of customer data.
- HIPAA: Protection of PHI/ePHI through encryption and access controls.
- GDPR: Data encryption to support privacy and protection mandates.
- CCPA/CPRA: Technical safeguards supporting consumer privacy rights.
- PIPEDA: Encryption and lifecycle management for Canadian privacy compliance.
- NIST SP 800-53: Alignment with federal encryption and data protection standards.
Secure Operations and Maintenance
Automatic Updates
- Signed Firmware & Software Updates: All updates are cryptographically signed and verified before installation. Prevents unauthorized code from being installed on devices.
- Automated Deployment: Updates are deployed automatically, ensuring that security patches are applied consistently and without customer intervention.
- Frequency: Updates are delivered continuously, typically on a monthly cadence or sooner if critical vulnerabilities are identified.
Infrastructure Hardening
- Virtual Private Clouds (VPCs) to segment workloads and isolate resources.
- DDoS protections to prevent disruption from denial-of-service attacks.
- Multi-tenant Isolation to ensure customer data is strictly segregated.
- Redundancy and availability zones to provide resilience against outages.
Monitoring and Logging
- Detailed logging of system and user activity, including authentication, configuration changes, and video access.
- Customer visibility through the Rhombus Console, giving administrators accountability and audit support.
- Automated anomaly detection to flag suspicious behavior such as unusual login patterns or unauthorized configuration attempts.
- Real-time alerting sent to Security teams receive real-time alerts for potential threats, enabling rapid investigation.
Incident Response and Business Continuity
- Documented response procedures guide consistent, rapid handling of incidents.
- Backup and recovery mechanisms ensure customer data can be restored quickly.
- Transparent communication is provided to customers in the event of a confirmed incident affecting their data.
Compliance Alignment
- SOC 2: Operational controls, audit logging, and incident response practices.
- HIPAA: Monitoring and patching safeguards to protect PHI.
- NIST SP 800-53: Federal cybersecurity operational requirements.
- GDPR & CCPA/CPRA: Transparency and accountability in how systems are operated and monitored.
Third-Party Validation and Compliance
Independent Assessments and Certifications
- SOC 2 Audits: Rhombus has achieved its SOC 2 Type I certification, verifying the design of key security, availability, and confidentiality controls. Work toward SOC 2 Type II is ongoing, with reports made available to customers under NDA.
- Third-Party Penetration Testing: Annual penetration tests are performed by independent security firms. All findings are remediated, retested, and tracked to ensure closure. Summaries of results are available under NDA.
- Internal Audits: Regular internal audits are performed to verify compliance with security controls, review system configurations, and identify opportunities for improvement.
Regulatory and Legal Compliance
- NDAA/TAA: Devices use compliant chipsets and exclude banned components.
- HIPAA: Technical and administrative safeguards protect PHI and ePHI.
- GDPR: Features support lawful processing, subject rights, and data breach notification.
- CCPA/CPRA: Consumer privacy rights are supported with transparency and deletion capabilities.
- PIPEDA: Encryption and lifecycle controls support Canadian privacy obligations.
- BIPA: Biometric data protections include opt-in consent and secure handling.
- NIST, CMMC, and CJIS: Practices align with federal cybersecurity frameworks and requirements for defense and law enforcement customers.
Supply Chain and Vendor Risk Management
- Evaluate suppliers and partners for security and compliance risks.
- Require contractual assurances that vendors meet Rhombus's security standards.
- Monitor suppliers for ongoing risks and maintain approved sourcing practices.
Data Retention and Disposal
- Data is retained only for as long as legally or operationally required.
- At the end of its lifecycle, data is securely deleted to prevent recovery.
- Disposal of both physical and electronic media follows industry best practices.
Transparency and Documentation
- SOC 2 reports.
- Penetration test summaries.
- Security questionnaires and compliance mappings.
Compliance Alignment
- SOC 2 Trust Services Criteria for security, availability, and confidentiality.
- NIST SP 800-53 for federal cybersecurity alignment.
- HIPAA Security Rule safeguards.
- GDPR and CCPA/CPRA privacy requirements.
Company-Level Security Practices
Employee Access Controls
- Multi-Factor Authentication (MFA) is required for all internal systems and administrative access.
- Role-based access control (RBAC) enforces least-privilege, ensuring employees only have the access necessary for their responsibilities.
- Access reviews are conducted periodically to verify the appropriateness of user permissions.
- Immediate revocation of access occurs when roles change or employment ends.
Security Monitoring
- Anomalous login behavior (e.g., unusual geolocation or time-of-day patterns) is flagged and investigated.
- Privileged account activity is closely monitored for signs of misuse.
- Internal logs are reviewed to ensure compliance with company policies and to detect insider threats.
Security Culture
- Mandatory security awareness training is provided to all employees upon hire and refreshed regularly.
- Periodic tabletop exercises test readiness for incidents and reinforce best practices.
- Clear policies and standards ensure that security responsibilities are well understood at every level.
Accountability and Transparency
- All employee activity is logged for auditability and traceability.
- Enforcement actions are applied consistently in cases of policy violations.
- Transparency with customers and partners ensures confidence in how internal practices support external trust.
Compliance Alignment
- SOC 2: Logical access controls, monitoring, and employee accountability.
- HIPAA: Administrative safeguards protecting PHI and ePHI.
- GDPR & CCPA/CPRA: Organizational measures to support lawful, secure data handling.
- NIST SP 800-53: Federal requirements for personnel and operational security.
Security FAQ
Do Rhombus employees have access to my video or data?
- Any authorized access is time-bound, limited in scope, and performed only when necessary.
- All actions taken by Rhombus personnel are logged and auditable for accountability.
How are encryption keys managed?
- Keys are rotated regularly and automatically to minimize risk.
- Role-based access controls ensure only authorized personnel can interact with keys.
- Segregation of duties prevents any one individual from having full control over both data and keys.
- All key activity is logged for auditability.
How quickly are tamper events detected?
- Physical tamper alerts are typically generated within 2-4 seconds.
- Visual tamper alerts notify customers within approximately 30 seconds if a camera's view is obstructed.
- Cloud backups run continuously, with data replication generally within 4 minutes of capture.
Is Bluetooth secure on Rhombus devices?
What about compliance with COPPA and child privacy protections?
- Parental or organizational consent is required where applicable.
- All data remains encrypted at rest and in transit.
- Rhombus employees cannot access customer data unless explicitly authorized, and such access is fully logged.
Does Rhombus comply with privacy regulations like GDPR and CCPA?
- GDPR: Customers benefit from features supporting data subject rights, lawful processing, and breach notification.
- CCPA/CPRA: Rhombus supports consumer privacy rights such as transparency, access, and deletion.
Helpful Links
- Rhombus Security and Compliance
- The Ultimate Guide to Cybersecurity for Cloud Video Surveillance & IP Security Cameras
Contact Support or Sales
Have more questions? Contact Rhombus Support at +1 (877) 746-6797 option 2 or support@rhombus.com.
Interested in learning more? Contact Rhombus Sales at +1 (877) 746-6797 option 1 or sales@rhombus.com.
Comments
0 comments
Please sign in to leave a comment.