/
Data protection and biometric security in BAS-IP devices

Data protection and biometric security in BAS-IP devices

BAS-IP devices are designed with strong attention to security and responsible care for user data. Protecting personal information and ensuring safe system operation are core principles of the BAS-IP platform.

This article explains how BAS-IP devices safeguard stored data, how information is handled on the device, and how biometric technologies are implemented with privacy protection in mind:

Compliance with international IoT security standards

BAS-IP devices are developed according to widely accepted cybersecurity practices for connected systems.

The security architecture follows the principles defined in the ETSI EN 303 645 cybersecurity standard for consumer IoT devices, which establishes requirements such as:

  • protection against unauthorized access to devices and services;

  • secure storage of sensitive information and credentials;

  • secure communication between devices, servers, and applications;

  • mechanisms for maintaining device integrity through firmware updates;

  • protection of personal and biometric data.

Devices participating in this program may also appear in the Secure Connected Device accreditation program maintained by the Secured by Design initiative.

 

Device security architecture

BAS-IP devices implement multiple layers of protection designed to prevent unauthorized access and ensure secure system operation. An overview of BAS-IP security principles is available on the official BAS-IP security page.

• Authentication and access control

Access to device settings and configuration interfaces is restricted through authentication mechanisms. Only authorized administrators can access the web interface or system configuration tools.

Within BAS-IP Link systems, administrators can also implement role-based access control, which limits system configuration and administrative actions according to user roles and permissions.

• Secure communication

Communication between BAS-IP devices, servers, and applications is performed through secure communication mechanisms. When properly configured, data exchanges are protected using encrypted communication channels.

This ensures that information transmitted between devices and applications cannot be intercepted or altered by unauthorized parties.

• Firmware integrity and updates

Regular firmware updates help maintain device security by addressing potential vulnerabilities and improving system stability.

Only legitimate firmware provided by BAS-IP can be installed on the device.
Secure update mechanisms prevent unauthorized or modified firmware from being installed.

Keeping firmware up to date is an important part of maintaining the overall security of the system.

 

Protection of data stored on the device

BAS-IP devices may store operational information necessary for access control and communication functionality.

Examples of stored information may include:

  • device configuration parameters;

  • identifiers used for access control;

  • system event logs;

  • network configuration settings.

Sensitive parameters such as authentication credentials and security keys are protected within the device environment in accordance with secure storage practices recommended for connected devices.

Access to this data is restricted to authorized administrators through authenticated system interfaces.

 

Storage and processing of biometric data

Some BAS-IP devices support biometric identification technologies such as face recognition.

To protect user privacy and prevent misuse of biometric information, the system follows several important security principles.

• Biometric templates instead of images

When biometric identification is used, the system does not store full facial photographs as credentials.

BAS-IP devices do not store facial photographs as biometric credentials.
Instead, the system stores a mathematical biometric template used only for identification comparison. This template cannot be converted back into the original image.

The stored template contains only numerical feature data used by the recognition algorithm.

• Local processing

Biometric recognition is performed locally by the device whenever possible.

Biometric data is processed locally.
It does not need to be transmitted to external servers during the recognition process.

Local processing significantly reduces the risk of data interception and improves overall privacy protection.

• Restricted access to biometric data

Biometric templates and related data are accessible only to authorized administrators through system configuration tools.

Regular users and external systems cannot directly access biometric templates stored within the device.

 

Independent security verification

Security claims for BAS-IP devices are supported by independent certification programs.

The following BAS-IP devices have received IASME IoT Cyber Assurance Level 2 certification: AZ-07L, AA-14FBIS, AT-07L, and AA-07FBI, which confirms compliance with strict IoT cybersecurity requirements and includes independent security assessment.

This certification process verifies several key security aspects, including:

  • protection against common cyber threats;

  • secure configuration of connected devices;

  • secure software update mechanisms;

  • protection of sensitive data stored on the device.

Devices accredited under the Secured by Design initiative are also listed in the Secure Connected Device product catalogue, which includes independently assessed connected devices designed with security as a priority.