stillsense
Security & compliance

Security & Compliance Sheet

A summary of how Stillsense protects data and meets compliance expectations, for procurement and security evaluation. It states our current posture honestly — including what is planned rather than yet in place.

Vendor: Stillsense AS · Møre og Romsdal, Norway · org. no. to be confirmed

Document: v1.0 · Security contact: security@stillsense.no

01Data protection by design — the foundation

  • No camera, no microphone, no recording. Stillsense creates no image, video, or audio — the most sensitive data category simply does not exist.
  • Edge processing. Sensing and inference run on a local device in the home; raw Wi-Fi signal data does not leave the premises. Only derived events/alerts are transmitted to defined endpoints.
  • Data minimisation. Only the inferred events/states needed for the safety purpose (presence, motion, bed-exit, fall, timestamps) are processed and retained.

02Data handled

  • Personal data processed: inferred events/states and alerts; device/room identifiers; alert-handling records. account/contact data confirmed per deployment
  • Special-category data: inferences relate to health/care status and are treated as health data.
  • Not processed: images, video, audio, biometric identifiers.

03Encryption

  • In transit: TLS 1.2 or higher for all event/alert transmission and management traffic.
  • At rest: AES-256 for stored events and configuration.
  • Key management: documented. specifics on request

04Access control

  • Role-based access with least-privilege; MFA for administrative access.
  • Customer data separation / multi-tenant isolation. model detailed on request
  • Audit logging of administrative and data access.

05Hosting & data location

  • Edge: sensing/inference on-device, in the home.
  • Cloud/management plane (if any): hosted within the EU/EEA. provider and region confirmed per deployment
  • Data residency: data is kept within the EEA; no transfer outside the EEA without documented safeguards.

06Sub-processors (underdatabehandlere)

  • A current sub-processor list is maintained and provided to the controller — minimal by design, given the edge-first architecture. list on request
  • Controller notified of changes; right to object per the data processing agreement (Art. 28).

07Device & software security

  • Secure, signed software/firmware updates for edge devices.
  • Device hardening and secure provisioning.
  • End-of-support and patching policy documented. details on request

08Vulnerability & risk management

  • Secure development practices; dependency and vulnerability monitoring.
  • Penetration testing / third-party security assessment. planned
  • Responsible disclosure / security contact: security@stillsense.no.

09Availability & continuity

  • Local-first design: core sensing and alerting continue without cloud connectivity.
  • Backup, recovery, and uptime commitments defined per agreement. SLA on request
  • Incident response and breach notification: a process supports the controller's GDPR Art. 33/34 obligations.

10Privacy & GDPR / personvern posture

  • Data processor (databehandler) acting on the controller's documented instructions; databehandleravtale (Art. 28) provided.
  • Supports the controller’s DPIA (personvernkonsekvensvurdering) — template provided.
  • Lawful-basis alignment for care: public-task (Art. 6(1)(e)) and health-data conditions (Art. 9(2)); see DPIA template.
  • Supports data-subject-rights handling (access, objection, deletion) and defined retention/deletion routines.

11Integration & standards

  • Built for journal/EPJ integration via the Velferdsteknologisk knutepunkt (VKP).
  • Integrates with response-centre platforms and the tools care teams already use.
  • Developed with the direction of IEEE 802.11bf (WLAN Sensing) in mind.

12Medical device / regulatory posture

  • Care features are provided as non-medical safety (“trygghet”) technology: presence, movement, bed-exit, and fall alerting as decision-support, not diagnosis.
  • Fall detection is offered with an independent validation study underway; it is decision-support, not a guaranteed safety device.
  • Clinical vital-sign monitoring (e.g., breathing) is not offered for clinical decisions today. If introduced for clinical use, Stillsense will follow the appropriate EU MDR (2017/745) pathway and clinical validation — that line will not be blurred.

13Certifications & assurances

  • Current: no certifications are claimed that are not held.
  • Planned: ISO 27001 alignment and CE marking as the product matures. target dates confirmed as they firm up
  • Stated honestly: certifications not yet held are marked planned, not implied.

The supporting documents

Pair this sheet with the databehandleravtale (Art. 28) and the DPIA template, available on request.

Request the documents Evidence & trust

This sheet states current posture honestly; items marked to be confirmed are completed with verified specifics before issue, and certifications not yet held are marked planned, not implied. © 2026 Stillsense.

stillsense

Sense everything. See nothing.

Product

Company

Legal

stillsense

Stillsense — ambient safety for the home, built in Norway. Watched over by the room, never by a camera.

© 2026 Stillsense