Milestone Systems A/S proved that its video management software (VMS) “XProtect Corporate” facilitates its privacy compliant use. Users of XProtect Corporate are controllers in respect of the processing of personal data that results from the use of their respective video surveillance systems which are managed by XProtect Corporate. They are provided with guidance on how to comply with EU data protection law in a comprehensive privacy guide and by means of online trainings. If they stick to this guidance, they can be sure to act in compliance with EU data protection law.
Seal extended to 2022 R1 (released on March 8, 2022) after additional review
Qualification: IT product
Version of Certification Criteria
17/09/2021 – 30/09/2023
Initial Certification: 07/2019
Milestone Systems A/S
Milestone Systems informs the users of XProtect Corporate about privacy relevant matters in an exemplary manner by means of documents (in particular, a privacy guide and a hardening guide) and an online training. Users are also provided with useful templates/samples (e.g., for a video surveillance policy and an on-the-spot notice).
XProtect Corporate comes with a sophisticated privacy masking functionality. If there should be a need to export video data, it allows the users to encrypt, sign and mask the footage, to prevent it from being exported again and to audit exports through corresponding log entries.
XProtect Corporate facilitates its privacy compliant use and may contribute to the legitimate implementation of a video surveillance system. However, the use of XProtect Corporate alone does not guarantee in itself that a video surveillance system complies with EU data protection law. Rather, the legitimacy of the video surveillance system needs to be evaluated separately on a case by case basis by the operator of the video surveillance system (i.e. the user of XProtect Corporate).
XProtect Corporate is a universal video management software (VMS) that allows operating small video surveillance installations with a single or few video cameras on a single site up to installations with thousands of cameras distributed over many different locations. XProtect Corporate is the enterprise version of a product family that ranges from a free community edition over different intermediary variants up to the scalable and redundant product (the ToE) for multi-site installations with distributed operation. Customers of this variant of the product line are midrange to large enterprises and public authorities of any kind. Due to the general purpose nature of the product its usage neither is limited to a specific industrial or public sector nor to a certain area of application.
With 2022 R1, new functionalities / interfaces have been added to XProtect Corporate. However, these functionalities / interfaces are excluded from the current target of evaluation:
- Use of third party Identity Providers (IDP) & OAuth2
- REST gateway to the MIP API
ToE has been supplemented by two service aspects:
- Online help function
- Partner insights service (telemetry function)
Overall, the ToE still qualifies as an IT product. The re-evaluation showed that XProtect Corporate meets all applicable EuroPriSe requirements. For details, please cf. the short public report.
Initial Cert 2019/07:
The ToE consists of the following XProtect components:
- Smart client
- Management client
- Service channel
- Management server
- Recording server
- Media database
- Event server
- Log server
- Data collector (enabled by default but no personal data involved)
- OAuth authorisation server
Not part of the target of evaluation (ToE) are
- Plugins available on Milestone’s marketplace [external link / TLS]
- Milestone XProtect Mobile server (disabled by default)
- Milestone Mobile and Web client
- Milestone XProtect Access (disabled by default)
- Milestone XProtect Transact (disabled by default)
- Milestone Interconnect
- Digital Living Network Alliance integration server (DLNA)
- Processing of audio data
- Processing of meta data
- Processing of data from input and output devices
- XProtect Corporate’s basic users
- Microsoft SQL server (ToE environment)
- Microsoft Active Directory (not mandatory but strongly recommended – ToE environment)
- IP video cameras
- E-mail server
- Milestone XProtect (BYOL) as provided via https://aws.amazon.com/marketplace/pp/B089DKW36G
The evaluation showed that XProtect Corporate meets all applicable EuroPriSe requirements. Further information can be found in the short public report that is available here: