GDPR Policy - AVM 360

AVM-360: Global Data Protection & GDPR Compliance Policy

Effective Date: December 2025

Scope: This policy governs the processing of technical telemetry and metadata by the AVM-360 Hybrid Monitoring Platform.

1. Introduction and Role Definition

AVM-360 adheres to the “Privacy by Design” and “Privacy by Default” principles mandated by the General Data Protection Regulation (GDPR).

  • Data Processor: AVM-360 acts as the Data Processor, handling technical telemetry on behalf of the client.
  • Data Controller: The Client (The Organization) remains the Data Controller, maintaining full ownership and authority over their AV estate data.

2. Data Minimization: What We Collect (and What We Don’t)

In strict adherence to Article 5(1)(c), AVM-360 only collects data that is “adequate, relevant, and limited to what is necessary.”

  • Technical Telemetry (In-Scope): Device Manufacturer, Model, Serial Number, Firmware Version, IP/MAC Address, System Heartbeat, Lamp Hours, Internal Temperature, and Fan Speed.
  • Room Utilization Data (In-Scope via API): Aggregated metrics including meeting start/end times and room occupancy status (Occupied/Vacant).
  • Strictly Out-of-Scope (Non-Collection): AVM-360 does not have the technical architecture to access, record, or stream audio, video, screen-share content, or meeting chat logs. No Personally Identifiable Information (PII) of meeting participants is ever captured or stored.

3. Technical Architecture & Security (Article 32)

AVM-360 employs a Hybrid Architecture to ensure maximum data isolation:

  • Local Probe Discovery: The AVM-360 local node resides within the client’s secure VLAN. It performs local discovery via SNMP/ICMP. Sensitive network traffic never leaves the internal network.
  • Encryption in Transit: Data synced from the local probe to the AVM-360 Online Dashboard is encrypted using TLS 1.2/1.3 via Outbound Port 443.
  • Read-Only Access: The platform is configured for read-only telemetry. It cannot execute commands that would modify user settings or compromise the privacy of a live meeting.

4. Legal Basis for Processing

We process data under Article 6(1)(f): Legitimate Interests. The processing is necessary for the client to maintain the security, stability, and operational uptime of their corporate infrastructure.

5. Third-Party Integrations (Teams Pro & Zoom)

When connecting to Microsoft Graph or Zoom APIs:

  • Teams Rooms Pro: AVM-360 requests “Limited Scope” permissions. We only query the teamwork/devices and communications/callRecords endpoints. We do not request permissions for Calendars.Read (Subject lines) or Chat.Read.
  • Sub-Processors: AVM-360 utilizes Tier-1 cloud providers (e.g., Azure/AWS) located within the client’s preferred region (EU/UK/US) to ensure data residency compliance.

6. Data Subject Rights (Articles 15-22)

Although AVM-360 processes minimal PII, we fully support the Data Controller in exercising the following rights:

  • Right to Erasure: Clients can wipe historical room logs and device metadata instantly upon request.
  • Right to Restriction: Monitoring can be disabled for specific “High-Security” rooms while maintaining visibility for the rest of the estate.
  • Right to Portability: All technical asset data can be exported in CSV/JSON format for auditing.

7. Data Retention Policy

Hardware telemetry and fault logs are retained for a default period of 90 days to facilitate the 14-Day AI Health Reports and historical trend analysis. Data older than 12 months is automatically purged or anonymized unless otherwise requested by the Controller.