Summary | Security

Product Description

Light Blue Optics sells Kaptivo, a whiteboard capture camera.  It is designed to mount above a standard dry-erase whiteboard and capture the content on the whiteboard.  The Kaptivo is a network-based camera and the default way to view and save the content is by connecting to its embedded web interface. The Kaptivo provides live-view of the board, but also stores images in a historic timeline as content is erased.

Connectivity Modes

Kaptivo Enterprise can operate in two modes: Cloud Connected Mode or Local (Self-Hosted) Mode. 
Kaptivo Business is limited to Cloud Connected Mode.

In Cloud Connected Mode, all Kaptivo connections are routed via our secure SSL-encrypted cloud service. No data is stored here, this is a connection proxy only.

In this mode, the camera will create an outbound connection using secure HTTPS (TCP/443) to Kaptivo servers in AWS at boot time, and maintain that connection open so that remote users can access and view whiteboard content through the web-service https://kaptivo.live. In this manner remote users do not need direct network access the camera.
Only hosts in the kaptivo.live domain are accessed, and only via TCP/443.  The Kaptivo.live web service may further secure connections by requiring users to authenticate via SSO (Google, Microsoft or OKTA), which in turn allows for Kaptivo administrators to limit remote access to specific user domains.
In cloud-mode Kaptivo cameras will download firmware automatically, and send usage-metadata to Kaptivo.

In Local (Self-Hosted) Mode, Kaptivo connections are available only within your local network (or VPN), and no data is transmitted to or received from the Internet.

In Local Self-Hosted mode the camera will run a limited version of its onboard web-app, and users will connect directly to the camera itself via IP Address (or DNS hostname if assigned).  The Local network traffic can be encrypted as the Kaptivo uses an onboard certificate from a well-known public CA to secure the HTTPS session, requiring only that the end-user PC can do a public DNS lookup to validate. No SSO is available, and some features and sharing options are unavailable* because of lack of cloud connectivity.  Self-hosted mode allows the Kaptivo administrator to independently configure the device to allow/disallow  over-the-air (OTA) firmware upgrades, and sending of usage meta-data to Kaptivo. [*no SSO or OCR, 15 participant max limit. Content share options limited to download & print]

Authentication

Only people physically in the meeting room can start a Kaptivo session. Viewing the whiteboard then requires an invitation or an approval from someone already part of the Kaptivo session. No-one outside your session can access your session content.  

Furthermore for Enterprise models it is possible for the administrator to setup the Kaptivo to require single-sign-on (SSO) authentication and enforce policies that only allow users from certain domains to access the Kaptivo.

Data Storage

No whiteboard data is stored in the cloud, and whiteboard data is stored only temporarily (during the meeting) on Kaptivo itself during normal operations. 
All Kaptivo communications are encrypted and content at rest is encrypted as well.

Whiteboard content is kept only for the duration of the Kaptivo sharing session, plus a 60-minute grace period. During this 60 minutes, no new live data is created, but connected users can still download stored content. At the end of the grace period the content is erased.

Some basic usage statistics may be sent to Kaptivo (metadata only no whiteboard content) to help us improve our service. This data is available for Enterprise users to view through our online portal.

Personally Identifiable Information

No personally identifiable information (PII) is gathered by the Kaptivo.  The only exception is when SSO is in-use, Kaptivo will keep a record of the participant's login name with the usage meta-data.