What encryption does Visylix use?

Visylix enforces TLS 1.2+ for all external connections with TLS 1.0/1.1 disabled. WebRTC media streams use DTLS-SRTP with ECDSA P-256 certificates. All stored credentials are encrypted with AES-256 (Fernet). HTTPS is enforced across the dashboard, API, and all management interfaces.

Does Visylix support RBAC?

Yes. Visylix provides four built-in roles: Super Admin, Admin, Operator, and Viewer. Each role has granular permissions across 30+ permission categories covering live view, recordings, camera configuration, AI configuration, and system settings.

How does Visylix handle privacy masking?

Visylix supports dynamic privacy masks that black out configurable regions in both live view and recordings. Masks are applied server-side before video reaches any viewer, ensuring privacy enforcement cannot be bypassed. Each camera can have its own mask configuration.

What is evidence management in Visylix?

Evidence management in Visylix includes timestamped bookmarks with headlines, descriptions, 6 color-coded priorities, and tags. Evidence locks make recordings tamper-proof with SHA-256 integrity verification. Full chain of custody tracks who locked evidence, when, and why.

Is Visylix GDPR compliant?

Yes. Visylix supports on-premise deployment for complete data sovereignty with no cloud dependency required. Configurable retention policies with automatic cleanup ensure data minimization. Dynamic privacy masking protects personal data in video streams.

Does Visylix have an audit trail?

Yes. Every action in Visylix is logged with a timestamp, IP address, user agent, and detailed action information. The comprehensive audit trail covers user logins, configuration changes, evidence access, and all administrative operations.

Does Visylix support 2FA?

Yes. Visylix supports optional per-user two-factor authentication (2FA) for an additional layer of security beyond password-based login. 2FA can be enabled or disabled on a per-user basis by administrators.

Can Visylix be deployed in air-gapped environments?

Yes. Visylix is fully air-gap compatible and can operate without any internet connection after initial installation. All AI inference, video processing, and management functions run locally with no external dependencies.

Security & Privacy

Encrypt, Authenticate, Audit

TLS 1.2+, DTLS-SRTP, RBAC with 30+ permissions, 2FA, dynamic privacy masks, SHA-256 evidence locks, and a complete audit trail. Built into Visylix from day one, not bolted on as an add-on.

Talk to Security

Encrypted at every layer.

No legacy ciphers, no plaintext fallbacks, no shortcuts. Security by configuration, not by remembering.

TLS 1.2+ enforced

TLS 1.0 and 1.1 disabled outright. Strong cipher suites only, on every external endpoint, dashboard, API, WebSocket, and stream egress.

DTLS-SRTP for WebRTC

Every WebRTC media stream encrypted with DTLS-SRTP using ECDSA P-256 certificates. Sub-second latency without weakening transport security.

HTTPS everywhere

Dashboard, API, and admin surfaces refuse plaintext HTTP. HSTS preloaded. Certificates auto-rotate when deployed against ACME providers.

Internal service isolation

Only ports 80/443 exposed at the edge. Microservices speak over a private network with mTLS optional, with no path for an external client to reach internals directly.

Hardened response headers

X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and a strict Content-Security-Policy on every response. Closes whole classes of web attacks by default.

Multi-layered access control.

Defense in depth from the IdP to the RTSP socket. Every gate has a lock.

JWT-based session tokens

Stateless JWT auth with configurable expiry on every API and dashboard session. Easy revocation through short-lived access + refresh pairs.

RFC 2617 Digest auth on RTSP

Camera RTSP connections use Digest auth, never Basic. Credentials never traverse the network in the clear, even on legacy ONVIF cameras.

Account lockout

10 failed logins inside 15 minutes triggers an automatic lockout. Configurable thresholds. Stops credential stuffing without locking out real users.

Rate limiting per IP and per route

Token-bucket limits at the gateway protect login, API, and stream endpoints from DoS, brute force, and noisy integration bugs alike.

RTSP credential sanitization

Passwords stripped from every RTSP URL the moment they hit logs, errors, or API responses. Camera passwords never leak through observability tooling.

Constant-time hook verification

Webhook payload signatures compared in constant time. No timing oracle on shared secret verification, even under load.

Identity that fits your stack.

Plug Visylix into the IdP and second-factor system you already operate. No extra password vault.

Single Sign-On (SSO)

SAML 2.0 and OIDC out of the box. Okta, Azure AD, Google Workspace, Auth0, JumpCloud, and any standards-compliant IdP. Centralized lifecycle, group-to-role mapping, and just-in-time provisioning.

Learn about SSO

MFA + Passkeys

TOTP authenticator apps, WebAuthn passkeys, and recovery codes. Per-user enrollment, admin-enforced MFA policies per role, and lockout protection that survives a lost device.

Learn about MFA + Passkeys

Granular role-based access.

Four predefined roles, 30+ permissions. Everyone gets what they need, nothing more.

Role	Live view	Recordings	Camera config	AI config	System settings
Super Admin	Full	Full	Full	Full	Full
Admin	Full	Full	Full	Full	Full
Operator	Full	Full	Full	View only	No
Viewer	View only	Playback only	No	No	No

30+ granular permissions across live, recording, AI, and admin surfaces

Invite-based registration, no open self-signup against your tenant

Per-user API keys, scoped and revocable independently of UI sessions

Password reset and forgot-password flows with rate-limited delivery

Account activation and deactivation without data loss

Optional 2FA per user, admin-enforceable per role

Configurable session and token expiration per tenant

Privacy by design.

Masking, sovereignty, and retention built in from day one, not retrofitted under audit pressure.

Dynamic privacy masks

Black out arbitrary polygonal regions in live and recorded footage. Mask configuration is per-camera, multi-zone, and editable without downtime.

Server-side enforcement

Masks are applied before frames leave the server. No client-side bypass, no clever DevTools tricks, no privacy regressions when a viewer client misbehaves.

On-premise data sovereignty

Footage and metadata stay inside your network. No mandatory cloud round-trip. Useful for GDPR, NIS2, India DPDPA, and locales with strict data-export rules.

Air-gap compatible

Fully operational without internet after initial install. AI inference, streaming, recording, and management run locally. Works in classified, OT, and isolated industrial networks.

Configurable retention

Per-camera or global retention policies with automatic cleanup. Aligns with data-minimization obligations and storage budgets without manual purges.

GDPR / HIPAA workflow ready

Privacy masks, retention policies, audit trails, and on-premise deployment combine into the workflow that compliance teams actually sign off on.

Tamper-proof evidence chain.

Bookmarks, hashes, and chain-of-custody so footage holds up the day a lawyer asks for it.

Timestamped bookmarks

Bookmark a clip with headline, description, six color-coded priorities, and freeform tags. Pick a precise time range, no clicking through frames blind.

Tag-based forensic search

Search across every camera and every day by tag. Surface "incident-2026-014" or "loading-dock" instantly without scrubbing terabytes.

Evidence Lock

Locked clips skip the nightly retention sweep. They survive even when older than your retention window. Only admins can release a lock.

SHA-256 integrity at lock time

Hash sealed when the lock applies, verified on every subsequent access. A single byte change breaks the chain, tampering becomes provable.

Chain of custody trail

Who locked, when, and why. Every share and access stamped with timestamp, IP, and user agent. Exportable as a court-ready bundle.

Configurable lock duration

Lock indefinitely or until a specific date. Re-lock and extend without losing the original chain. Built for litigation hold workflows.

See full Evidence Lock + Case Sharing

Defense in depth at the data layer.

Encryption, validation, and audit logging stacked together. One control failing does not compromise the rest.

AES-256 (Fernet) credential storage

Camera passwords, integration tokens, and API keys stored under AES-256 (Fernet). Master key lives outside the database. Compromise of the DB alone does not expose secrets.

Request body size limits

Tunable per-route body-size caps stop oversized-payload DoS, runaway uploads, and accidental memory exhaustion from misbehaving clients.

Path traversal protection

All filesystem-touching paths normalized and confined to allowlisted roots. No "../" tricks, no escape from media or evidence directories.

Strict CORS policy

Cross-origin requests confined to declared origins. Production warns loudly on permissive wildcards instead of letting them silently ship.

Content Security Policy

CSP restricts script sources, frame ancestors, connect targets, and inline execution. XSS and injection have nowhere to land.

Comprehensive audit log

Every authenticated action recorded with timestamp, IP, user agent, and full payload diff for sensitive ops. Streamable to your SIEM.

Security the security team signs off on.

Free 7-day trial, no credit card. Self-hosted, air-gap, or hybrid, your call.

Start Free Trial See Pricing

Role

Live view

Recordings

Camera config

AI config

System settings

Super Admin

Full

Admin

Full

Operator

Full

View only

Viewer

View only

Playback only