GDPR by design. Reviewed by humans.
Certified by auditors.
Eight commitments. Two ISO certifications. UK data residency. The compliance kit your DPO needs before the call, and the answer to “what about the ICO?”
What we hold ourselves to. Audited, every year.
The rules below aren't aspirational. They are enforced in code, regression-tested on every release, and audited annually by an external ISO/IEC 27001 body.
A human decides, every time
Nothing happens to anyone until an authorised manager has reviewed the event and approved it. QuantumEye flags; it never acts on its own.
Face data is kept apart from footage
A person's face data is stored separately from the video — never tucked inside a clip, a record or a log.
False alarms are anonymised
If a reviewer marks an event a false alarm, the faces in that clip are blurred before anything is kept.
Records can't be quietly changed
Every review and decision is written to a tamper-evident audit trail that can't be edited or deleted — your legal record of who did what, and when.
Data is kept only as long as it's needed
Face data for people who aren't on a watchlist is removed after 30 days by default. Watchlist records clear once a ban is lifted, plus a short grace period.
Right to erasure, honoured
Erasure requests are actioned while the audit trail is preserved, exactly as the law requires. Records are never hard-deleted by anyone.
Camera connections are encrypted
The details used to reach each camera are encrypted, with a separate key per store. Nothing is ever stored in the clear.
Sensitive details handled with care
Sensitive classifications are restricted, every access is logged, and they're never shown without a clear, recorded reason.
Independently certified. By British Assessment Bureau.
Both certifications are UKAS-accredited and subject to annual surveillance assessments. Certificate numbers below are verifiable directly with the certifier.
ISO 9001:2015
- Certificate
- 267400
- Holder
- QuantumEye Limited · Hove, BN3 2PD
- Issued
- 13 January 2026
- Expires
- 12 January 2029 (annual surveillance)
- Issued by
- British Assessment Bureau (Amtivo Group) · UKAS 8289
ISO/IEC 27001:2022
- Certificate
- 268054
- Holder
- QuantumEye Limited · Hove, BN3 2PD
- Issued
- 13 January 2026
- Expires
- 12 January 2029 (annual surveillance)
- Issued by
- British Assessment Bureau (Amtivo Group) · UKAS 8289
- SoA
- Statement of Applicability Version 1.0, dated 14 June 2025
Where it lives. How long. Who can see it.
The data path is the answer to the DPO's first question. Here it is, in one diagram.
Who we share data with. And why.
A short list, because the architecture is small. Updated within 30 days of any change, notification sent to all DPAs in place.
| Sub-processor | Purpose | Region |
|---|---|---|
| Amazon Web Services | Cloud hosting, storage and encryption | eu-north-1 · Stockholm |
| Telegram Messenger | Alert delivery to nominated channels (optional) | Global |
| Apple / Google | Mobile push notifications | Global |
| Anthropic(optional · Alex chat) | In-product AI assistant. Disabled per-tenant on request. | Disclosed in DPA |
The full pack for your DPO and InfoSec.
DPIA template, security whitepaper, sub-processor list, and a one-page exec summary, bundled into one PDF.
Have a specific compliance question?
Our team has answered ICO questions, retail DPO challenges, and InfoSec evaluations every week. Bring your hardest compliance question to a 20-minute call.