One Platform. Many Jurisdictions. One Audit Trail.

A modern security platform owes you three things, before anything it puts on a feature page.

1. Data sovereignty. Each site's footage lives in a jurisdiction you can defend in front of a regulator, an insurer, a court, or a board - even when the portfolio spans several countries.
2. One centralised login across every site, every country. One operator, one screen, one set of credentials for cameras, intruder, access control and monitoring across the whole estate. Not three apps stitched together, and not one login per country.
3. One audit trail. Every login, every export, every alarm, every door event, every camera view, with a timestamp and a name against it - regardless of which site or country it happened in.

Almost every conversation that gets called "cloud CCTV" or "AI gateway" or "PSaaS" or "VSaaS" is really a conversation about whether the system in front of you delivers those three things or not. They are not nice-to-haves. They are what makes the platform usable when something real happens.

This post is about why those three are the test, why the test needs a bridge on site to pass (the industry also calls these "gateways" - same architecture, same job), and why the popular trigger for the conversation right now (Martyn's Law) is just one of several places the test gets failed.

1. Data sovereignty: where does the footage live?

A camera at your loading bay records a person, a numberplate, a behaviour, an injury. The moment that frame is recorded, it is personal data under whichever regime governs the site. UK Data Protection Act 2018 and UK GDPR. EU GDPR. Australian Privacy Principles. Canadian PIPEDA and Quebec Law 25. India's Digital Personal Data Protection Act 2023. Each of these has something to say about where that frame is allowed to be stored, who can access it, how long for, and what happens when somebody asks for a copy.

A cloud security platform that ships the entire stream to a US-headquartered datacentre and tells you "do not worry, we are SOC 2" is not answering the sovereignty question. SOC 2 is an operational control attestation. It is not jurisdiction. Where the bits physically sit, under whose subpoena, is the question.

For most estates the right architecture is not "everything in the cloud". It is local-first recording, with selective cloud per camera. The full-rate footage stays on a bridge at the site, on storage you (or your installer) chose, under the jurisdiction of the building it watches. Only the events that need to leave the site - a clip flagged by an analytic, a sequence requested by an investigator, an alarm to a monitoring station - travel up to the cloud. And when they travel, they travel inside an outbound-only encrypted tunnel.

That is the TetherBox Bridge architecture. The cameras stay behind it on the LAN, no direct Internet exposure, no inbound ports. Cloud is optional, per camera, switchable at any time. The cloud side runs on infrastructure that is ISO 27001 and SOC 2 attested at the infra layer (Wasabi), with AES-256 at rest, TLS 1.2+ in transit, and a 4096-bit VPN between the TetherBox Bridge and the cloud.

The sovereignty advantage is not marketing. It is concrete:

• UK Data Protection Act 2018 / UK GDPR, EU GDPR, Australian Privacy Principles, PIPEDA / Quebec Law 25, India's DPDP Act 2023. TetherX is built in the UK and Australia, with local representatives in Canada and India, and supports sites across the EU, North America and APAC under one console. The jurisdiction lead is built into the company's geography, not retrofitted to a US-hosted platform.
• Restricted-camera ringfencing. If your estate still runs Hikvision, Dahua or Uniview cameras (and most UK and AU estates over five years old do), the TetherBox Bridge keeps those cameras off the public Internet entirely. UK Cabinet Office 2022, Australian Defence ban 2023, Canadian federal ban 2025, India STQC import ban from 1 April 2026, NDAA Section 889 in US-touching procurement, EU NIS2 - the compliance picture keeps moving, but the architecture that handles it does not need to change every time it moves.
• Phased replacement, not panic replacement. Sovereignty buys you time. You replace cameras on your budget cycle, not on the procurement department's panic schedule.

If the conversation has not covered where the frames live, the conversation has not started.

2. One login, across every site and every country

The second test is operational. When something happens at any site in the portfolio, can one person, on one screen, with one login, see and do everything that has to happen - whether the site is in Manchester, Melbourne, Mumbai or Montreal?

This is the test that surprises buyers, because the kit list looks complete. Cameras, intruder panel, access control, public address, mass notification, monitoring connection. The boxes are on the wall. But they are sitting in four or five different vendors' apps, four or five different operator logins, four or five different mobile apps on the security manager's phone. When the moment comes, the operator alt-tabs.

A platform that integrates only video, with everything else as a separate product, is not a security platform. It is a CCTV product. The distinction matters because real incidents do not stay inside the video tile.

What is on one TetherX dashboard today:

• Cameras. Any major IP brand. Any ONVIF (the open camera standard) or RTSP device. 1,000+ integrations supported. No per-lens licensing on multi-sensor cameras.
• Intruder panels. Texecom natively over serial, plus Hikvision AX Pro, Honeywell, DSC, Bosch, Risco, Vanderbilt, Inim, Napco, Johnson Controls, ADT and Siemens through the IP communicator path (SIA DC-09 / Contact ID).
• Access control. Paxton Net2 shipping now, on the same TetherBox Bridge as the cameras.
• Alarm Receiving Centres. Immix, Sentinel, CONXTD, MASterMind, Bold Patriot Manitou and Stages. Your monitoring contract stays where it is. We are not selling you a Security Operations Centre; we connect to the one you already use.
• Public address, mass notification, third-party integrations. Through the same API surface the rest of the platform runs on.

One login. Organisations and sub-organisations mapped to the customer's actual org chart. Regional manager sees their stores. National director sees everything. Vendor sees what the customer chose to share. No external identity workaround required.

The operator does not need to remember which subsystem owns which response. They press the action. The doors close, the access tokens narrow, the priority cameras pop, the monitoring centre receives the live event, the staff app fires the notification. The platform routes; the operator decides.

That is integration. Anything less is a kit list.

3. One audit trail: who pressed what, when

The third test is the one most buyers do not ask about until they need it, and then it becomes the only test that matters.

After the event - the breach, the dispute, the investigation, the insurance claim, the regulator's letter, the dismissal that is heading for tribunal - someone is going to ask: who saw the footage, who exported it, who let that person in, who silenced that alarm, who changed retention from 30 days to 7 last quarter. If the answers live in five different system logs, with five different operator namespaces, you do not have an audit trail. You have homework.

A platform with a single login has, by definition, a single audit trail. Every export carries a timestamp, an operator, a reason field. Every alarm and every door event is logged on the same timeline as the camera view that watched it. Cloud exports carry SHA-1 checksums and tamper-evident packaging on every minute of recording, so the chain of custody holds in front of a court or an insurer.

The audit trail is not just defensive. It is also where you find out how your operators actually use the system. Which cameras get reviewed. Which alarms get dismissed. Which sites have a procedural gap. Without one trail across the whole platform, you are guessing.

Why this needs a multi-system bridge, not five single-product ones

The words "bridge" and "gateway" hide a quiet problem. They sound like a single device that joins your site to a smarter platform - and that is exactly what they should be. But most products that ship under either name are single-product bridges. A video bridge. An alarm bridge. An access-control bridge. A monitoring bridge. Each one is a competent box at what it does, and each one is sold with its own cloud, its own app, its own login, and its own audit trail.

A real estate ends up with three to five of these on the same site. Five vendors. Five bridges humming away in the comms cupboard. Five clouds. Five apps on the operator's phone. Five audit trails the buyer is expected to merge by hand when something goes wrong.

The hidden cost is correlation. The questions that matter in any real incident are almost never inside one subsystem - they are between subsystems:

• Did anyone use a valid access card in the minute before that alarm tripped?
• Whose face was on the camera at the time the door opened?
• Did the staff member silence the alarm before or after the contractor entered?
• Was the loading-bay shutter open when the loss showed up on the stocktake, and which camera was watching it?
• The card reader logged a valid swipe at 02:14. Did the lock actually release, did the door actually open, and did anything cross the camera?

Every one of those is a question that needs the door event, the alarm event, the camera frame and the operator action on the same timeline, joined by the same login, recorded in the same audit trail. Inside a single-product bridge, you can answer half the question. Across five single-product bridges, you can answer it only if a human bounces between five apps, screenshots the timestamps, and merges them in a spreadsheet. That works fine until an insurer, a regulator or a tribunal needs the answer to stand up.

Add a second site, in a second country, and the merge job multiplies. Two sites, three subsystems each, six audit trails to reconcile by hand. Now do it for a portfolio of fifty.

You cannot deliver the three pillars from a cloud-only product either. Cloud-only products record into the cloud unconditionally - fine until the regulator, the insurer or the broadband disagrees. Integration sits at the API layer, so the moment the broadband drops, the integration stops. Recording stops with it on some products. The audit trail you needed lives in someone else's datacentre.

The architecture that passes the three tests is a multi-system bridge on site. One device that bridges the cameras, the intruder panel, the access controller and the monitoring connection into the same platform at the same time, on the local network, with one set of credentials, writing one log. Local-first recording. Selective cloud per camera. The cloud side exists to give the operator the portfolio view, not to be the recording medium.

That is what the TetherBox Bridge is. Not a video-only bridge. Not an AI accelerator that ships your stream to the cloud and bills you per camera. Not one of five single-product gateways. A software-defined, multi-vendor bridge that runs on hardware you already have (or on a TetherBox Bridge unit we ship to the UK, Canada or India), covers cameras + intruder + access + monitoring + notification under one operator UI, records locally, and pushes only what should leave the site.

One bridge. One platform. One trail. The correlation work that used to happen in a spreadsheet now happens at the moment the event is recorded.

Martyn's Law is one example. Here are others.

A useful way to ground all of this is to walk through the situations where the three pillars get tested in the real world. Martyn's Law is the most-discussed one in the UK right now, but it is not the only one and arguably not the biggest.

Martyn's Law (UK Terrorism (Protection of Premises) Act 2025). Named after Martyn Hett, killed in the Manchester Arena bombing in 2017. Royal Assent April 2025, two-year run-in before enforcement, regulated by the Security Industry Authority (SIA). Standard tier (200 to 799 capacity) requires documented lockdown, evacuation, invacuation and communication procedures. Enhanced tier (800+) adds a security document, risk assessment and a named accountable person. Applies to shopping centres, stadiums, theatres, hospitals, places of worship, hotels, large offices, transport hubs, festivals. The lockdown procedure has to be runnable in coordinated seconds. The test the platform has to pass: single login + one audit trail.

Insurance investigation after a loss. Theft, slip-and-fall, vehicle damage, employee injury. Insurer asks for footage from the period, plus access logs for who was in the building, plus the alarm log for the area. The test: one audit trail across cameras + access + alarms, with tamper-evident export.

Subject Access Request under GDPR / DPA 2018 / APP / PIPEDA / DPDP. A member of the public, an employee, a contractor asks for the personal data you hold about them, including any footage of them. You have 30 days (UK / EU). You need to find it, redact it, export it, log who did the redaction and why. The test: sovereignty + audit trail.

Internal HR or workplace incident. Workplace harassment, a dismissal, a grievance. Footage and access logs will be reviewed by HR, not by security. They need a controlled login that sees only what they are authorised to see, with their access logged separately. The test: single login with permissioning + audit trail.

Supplier or procurement due diligence. Your customer's procurement department is now asking where their footage lives, which country's law governs it, whether any restricted-list cameras are in scope, whether the platform vendor has a US export-controls exposure that affects the buyer. The test: sovereignty, named.

Multi-site portfolio review. A retailer, a housing association, a logistics operator, a hotel group. Twenty, fifty, two hundred sites. The headquarters operator needs one dashboard that shows alarm history, false-alarm ratio, camera health, drive health, access-control health across the lot, and can drill into any site without changing app. The test: single login + audit trail at portfolio scale.

Regulator audit. ICO (UK), OAIC (AU), CNIL (FR), OPC (CA), CERT-In (IN). Increasingly common after a complaint or a breach. The regulator wants to see your data flow diagram, your retention policy, your access log, your processor list. The test: sovereignty + audit trail, on paper, fast.

The pattern is the same in every one of these. The buyer who passes the three tests on a normal day passes them in front of a regulator, an insurer, an investigator or a tribunal on a bad day too. The buyer who has not passed them ends up reconstructing a story from screenshots, paper logs and three different vendor support tickets.

Two questions before you sign anything

There is no clever way to test all of this in a brochure. The two questions that cut through:

1. Where does the footage live, and who can subpoena it? If the answer is "in the cloud" without a jurisdiction named, the conversation is not finished. If the jurisdiction is the wrong one for the building, the answer is wrong.
2. Show me the audit trail for a single incident, end to end. Camera view, alarm, door event, export, operator, timestamp, reason. If the answer is "we would have to pull that from four systems and merge it", the platform is a kit list, not a platform.

If you want to run those two questions against your own estate, the TetherX software installs in minutes on hardware you already own (or on a TetherBox Bridge we ship to the UK, Canada or India). The full platform is free to trial for 30 days, no purchase order, no kit to send back.

Next step - why integrators choose TetherX, the TetherBox Bridge itself, or how software beats hardware over the lifetime of a deployment.

The three pillars are the test. Make sure the bridge you cross actually carries all of them.