
Privacy Policy

Disclaimer

This policy shall neither supersede nor amend any domestic law, organisational policies, or other legal requirements applicable to an organisation deploying Macha EST. It is expressly understood that this policy is intended solely as an application guideline and shall not be construed as a document of legal authority, contractual obligation, or possessing any legal standing.

Introduction

Macha EST provides swift and reliable access to crucial data, even files with sizes in the range of terabytes. The software solution maintains the highest security standard. Users can trust that the sensitive evidence is protected and accessible only to those with the necessary credentials.

Macha EST has been built on a cloud-backed service that uses a desktop application to encrypt files as they are streamed to the cloud. Security is highly compartmentalised, and a unique encryption key protects each case. Keys are never stored centrally, except when protected by a unique user-specific key. Using the Intel SGX hardware solution, the server’s memory is encrypted, preventing even highly privileged administrators from accessing evidence, investigative files or any data associated with an operation/investigation.

Deployment

Macha EST is designed to be deployed within a cloud environment, which is directly controlled by the organisation in which the software is deployed. While the solution is deployed in a cloud environment, the type of infrastructure is not dependent on a prescribed solution. Cloud deployment can be defined as:

Private Cloud: The deployment of an application in a private cloud environment, which is only accessible within an organisation’s network. The infrastructure hosting the cloud environment can be an on-premise solution (i.e. an organisation’s own data centre/server) or isolated in a commercial data centre with restricted and exclusive physical access by authorised representatives.

Virtual Private Cloud (VPC): Offered by third-party providers (i.e. Google, AWS, Azure, or another online public service provider). VPCs permit the creation of an isolated network environment in which the organisation can control access to resources.

Network Access Control Lists (ACLs): A method to restrict inbound and outbound traffic to an organisation’s cloud resources. The restriction is at the transport layer, specifically the Internet Protocol (IP) addresses, permitting or denying access to resources within a cloud environment.

Data Ownership

Scope of Data: This clause covers all forensic evidence files, reports, and other investigative materials related to the organisation. This includes personal data, evidence used in criminal prosecutions, civil and criminal disclosures, and other sensitive information.

Ownership: The data is owned by the organisation, the corresponding Government agency, and the Government under which the organisation operates.

Rights of the Data Owner:

  1. The data owner has the authority to access the data under lawful authority.
  2. Direct modification of the data by the data owner is prohibited.
  3. Data will only be deleted following State, Federal, and Organisational policies, including any expressed or implied requirements through a legal instrument, statute or legislative directive.

Data Sharing and Disclosure: Data sharing is restricted to organisational policies, judicial proceedings, lawful orders, or other means directed by lawful orders of compulsion, legislative requirements or a statute of law or directive.

Security and Confidentiality Measures

Encryption: Data will be stored in Macha EST using asymmetric encryption keys. Hardware-based encryption will ensure memory encryption, preventing the visibility of keys, data, and file names.

Authority to Access: The organisation deploying Macha EST shall be the exclusive entity vested with the authority to grant access to its specific instance. This authority to access shall operate independently of Rigr AI Limited, the software owner. Rigr AI Limited shall possess no authority, function, or decision-making rights concerning the creation, deletion, suspension, or assignment of roles for users within the organisation’s instance of Macha EST.

Access Controls: Each user will have a unique user identifier and a Public-Private Key for accessing data designated to a case created or shared with them.

Audits: A full audit log will be maintained, capturing:

  1. Users who logged on and the data they accessed, including date and time stamps, IP addresses and any other information required by the organisation.
  2. Share link creation details, including recipients and their unique user IDs.
  3. Data deletion details, including the user who deleted it, when, and the volume of data deleted.
  4. Engineering team access details, including date, time, user ID, and IP address. The engineering team will need direct access to the data.

Jurisdiction of Law

Jurisdiction Based on Organisation Location

The jurisdiction of law for this privacy policy is based on the location of the organisation’s Primary Headquarters. This applies to cloud deployments accessed by agents in multiple states or regions.

Primary Headquarters Determination

In cases where the organisation has multiple headquarters or operates internationally, the jurisdiction will be determined by the location of the Primary Headquarters. A Primary Headquarters is defined as the organisational premises that are lawfully registered in a country by the legal requirements of that country, have overall control of the organisation, and have direct financial and operational control of the deployment of Macha EST.

Conflict of Jurisdictions

In the event of a conflict of jurisdictions, the laws relating to the location of the organisation’s Primary Headquarters will be considered the governing jurisdiction.

European Union (EU): If the primary jurisdiction is in Europe, the Law Enforcement Directive 2016/680 will be the primary legal framework referenced.

European Economic Area: For operations within the European Economic Area (EEA), different justifications may be applicable based on local regulations and directives.

All other jurisdictions (outside the EU): For all other jurisdictions, local State, Federal, Commonwealth, national or domestic laws and regulations specific to the location of the Primary Headquarters shall apply.

Dispute Resolution: Dispute resolution will be handled according to the legal framework and local laws of the Primary Headquarters’ jurisdiction in accordance with legislative and legal requirements.

This post is licensed under CC BY 4.0 by the author.