The Hidden Risks in AI Video Analytics Contracts: A GDS Technology Case Study
Vendor Risk Management | Industry: Commercial Real Estate | Services: Cybersecurity Advisory, Vendor Risk Assessment
The Question Every Business Needs to Ask
When a vendor offers your company a no-cost pilot of cutting-edge AI technology, the answer probably feels obvious. What's the harm in trying it? The answer, as one of our clients discovered, depends entirely on what you agreed to — and most organizations have no one in the room to find out before it's too late.
An institutional commercial real estate operator managing a multi-state property portfolio was presented with an opportunity to pilot an AI-powered video analytics platform. The technology promised significant operational value: automated slip-and-fall detection, package monitoring, foot traffic analytics, and searchable event retrieval — all delivered through the cloud by connecting to existing on-premise security cameras.
The proposal came through a well-regarded national property management firm. The vendor had a polished presentation. The pilot was no-cost. And the technology was genuinely interesting.
GDS Technology was already engaged as the organization's IT and Cybersecurity Partner — the designated technical authority between the client and any third-party vendor seeking access to their infrastructure. That designation meant something. Before any pilot could proceed, GDS evaluated it.
What we found stopped it cold.
The Situation
The pilot involved connecting the vendor's software agent to on-premise video recording servers at a selection of properties in the portfolio. Once installed, the agent would pull sub-streams from existing cameras and transmit them — encrypted — to cloud storage (AWS S3), where the AI analysis would occur. The vendor would then provide a web portal with search and alert capabilities.
On its face, the technology architecture was reasonable. The problem wasn't how it worked. The problem was what the vendor's legal agreements said about what they could do with the data once they had it.
What We Found
GDS conducted a full pre-deployment risk evaluation — reviewing the vendor's Terms of Service, Privacy Policy, Cyber Assessment Questionnaire responses, and the transcript of the onboarding call. Five critical issues surfaced:
1. A Perpetual AI Training License in the Terms of Service
The vendor's Terms of Service contained language granting the company a broad, perpetual license to use customer video data for AI model training and improvement. This directly contradicted what the vendor's CEO stated verbally during the onboarding call — where they assured participants that customer footage was never used for training purposes.
Verbal assurances are not contractual commitments. When the written terms contradict what was said on a call, the written terms govern. In an institutional setting where video footage may carry operational sensitivity, this alone was disqualifying.
2. No Data Processing Agreement
The vendor had no Data Processing Agreement (DPA) in place — a foundational document for any vendor relationship that involves processing personal or sensitive data on behalf of another organization. Without a DPA, there is no contractual framework governing data handling obligations, security standards, breach notification requirements, or deletion timelines. For a business operating across multiple regulatory jurisdictions, proceeding without one creates direct legal exposure.
3. No Legal Demand Notification Obligation
Once video footage leaves a property and is transmitted across state lines to cloud storage, it is subject to federal and out-of-state legal processes — subpoenas, warrants, civil discovery. The vendor's agreement contained no obligation to notify the client if their footage was the subject of a legal demand. The client could have their video content produced to a third party without ever knowing it happened.
In a portfolio with properties that carry operational sensitivities, this is not a theoretical concern. It is a real one.
4. Unconfirmed Infrastructure Isolation
The vendor's cloud infrastructure ran on a shared AWS environment. The organization's assessment questionnaire responses did not confirm per-customer data isolation at the storage or processing layer. In a multi-tenant cloud environment, the absence of confirmed isolation means a client's sensitive footage may coexist in a shared environment with footage from other unrelated organizations — and the data handling controls depend entirely on the vendor's internal architecture, not the client's.
5. Technical Gaps in Enterprise Readiness
During the onboarding call, it became apparent that the vendor's technical team was unfamiliar with enterprise-grade Video Management Systems (VMS) used at institutional commercial real estate properties. Their experience appeared oriented toward small business DVR systems rather than the access-controlled, credential-managed enterprise camera architectures in use at the portfolio. This raised legitimate questions about whether the deployment would function as described — and who would be responsible for troubleshooting if it did not.
At a glance:
5: critical risk findings identified
0: contractual protections for the client in vendor TOS
Perpetual: duration of AI training license buried in the agreement
HIGH: final risk rating (Do Not Proceed)
The Recommendation
GDS issued a formal Vendor Risk Assessment Report to the client's ownership group and outside legal counsel. The overall rating: HIGH — DO NOT PROCEED.
The report documented each finding in detail, provided the contractual language that created the risk, explained the gap between verbal representations and written terms, and outlined what a compliant vendor relationship would need to include before any deployment could be authorized.
The key remediation requirements GDS identified:
• A fully executed Data Processing Agreement with specific data handling, retention, deletion, and breach notification obligations
• Removal of the perpetual AI training license from the Terms of Service, or a written addendum superseding it
• A contractual notification obligation requiring the vendor to alert the client before responding to any legal demand for their footage
• Written confirmation of per-customer data isolation in the cloud environment
• A complete network profile for the on-premise agent, including all outbound destinations, ports, protocols, and permissions required
• ThreatLocker allowlisting review and approval before any agent installation on a managed endpoint
The Outcome
The pilot was placed on hold pending vendor remediation. The client did not proceed to installation. No footage was transmitted. No agent was deployed.
More importantly: the client now had a documented, defensible record of due diligence — the kind that matters when legal counsel, ownership, or a regulator asks what process was followed before a third-party vendor was given access to sensitive infrastructure.
"A free trial is never free if you don't know what you're agreeing to. The value of an IT partner isn't just in keeping systems running — it's in being the one who reads the fine print before you sign it."
— Jonathan Fitzgerald, Managing Partner, GDS Technology
Is Your Vendor a Real Partner?
Most organizations don't have someone in the room whose job it is to read third-party vendor agreements before a pilot goes live. Most technology evaluations focus on what the product does — not on what the vendor's legal terms say they can do with your data.
GDS Technology serves as the technical authority and cybersecurity partner for organizations that need someone who will ask the hard questions, document the answers, and tell the truth about what they find — even when the answer is "not yet."
Industry: Commercial Real Estate
Client Type: Multi-state institutional property operator
Services: Vendor Risk Assessment, Cybersecurity Advisory, Contract Review Support
Outcome: Pilot halted; formal risk report delivered to ownership and outside counsel
Risk Rating: HIGH — Do Not Proceed
Think your vendor agreements might have gaps? GDS Technology can help. Contact us at gdstech.tech | 404-719-5222