Responsible AI camera deployment is a list of files on the device, not a paragraph in a brochure.

It means the answer to seven questions is decided at install, not assumed at procurement. Where do video frames live (on the device or in a cloud bucket). How long does anything persist (retention window in hours or days, written into a config file). What is searchable and by whom (operator role, not a single shared login). What is logged when an operator pulls a clip (an audit row, not a vague access log). What is never recorded (zones the polygon explicitly excludes, like the inside of a unit door). What gets shared with the police on a subpoena (the clip and metadata, not the live feed). And what happens to all of this when the property changes management (a documented data export and wipe). On a Cyrano retrofit those answers are files on the device. /var/lib/cyrano/meta/outbox.ndjson holds the alert audit trail. /var/lib/cyrano/clips/ holds the rendered clips with a retention sweep. The zone JSON holds the exclude polygons. None of those are screenshots, they are inspectable artifacts.

Because the model location decides whether a video frame ever leaves the property. A cloud-only product encodes every camera frame, ships it over the network to a remote inference cluster, and depends on someone else's logging, retention, and access policy to decide what happens next. Responsibility for the frame is now split across vendors, contracts, and a network you do not control. An edge product runs the perception, state, and planner tiers on a unit at the property, so the frame is processed in the same physical room as the DVR. The only outbound traffic is the alert text, the structured metadata, and a clip URL that an authorized on-call can tap. Frames stay local unless the on-call explicitly serves one. That is a structural difference, not a wording difference, and it is the cleanest way to satisfy a tenant communication that says we do not upload your hallway to a third party.

Inside a tenant unit door, regardless of whether the camera can see the inside (it usually can a few inches in when the door swings). Bathrooms and locker rooms in shared amenity spaces. Pool areas during designated tenant-only hours if state law treats those as private. Mailbox interiors. Anywhere a state or municipal statute marks as expectation-of-privacy. To confirm exclusion after install, open the zone JSON on the device (the file holds an array of zone objects with a polygon field and an exclude flag) and walk the property with the install tech. For each excluded zone, point a person at the area and watch the dashboard. If a detection fires, the polygon is wrong. The exclude pass should generate zero detections. This is a five-minute walk-through and it is the difference between a deployment that is responsible by design and one that is responsible by hope.

Two clocks, not one. Clip retention is a function of how often you actually pull a clip for an investigation. On a 180-unit multifamily we typically configure 30 day clip retention with an automatic sweep that deletes anything older. Metadata retention (the alert rows in outbox.ndjson, with no video, just the structured fields) we configure for 365 days because the rows are tiny and useful for trend reports to ownership and insurance. The retention sweep is a cron-like job on the unit that walks the clips directory once a night and unlinks anything past the window. After the sweep runs, the clips are gone from the device disk. There is no cloud copy to forget about. If a police subpoena arrives 60 days after an incident, the clip is no longer on disk and you say so on the record. That is the responsible answer. The irresponsible answer is a 5-year cloud archive that nobody knows exists until a discovery motion finds it.

Three operator roles on a typical property. On-call (can view alerts and pull clips during their shift, write access to the outbox audit trail), property manager (can view alerts and pull any clip during business hours, can change zone polygons), and admin (can change retention settings, change dispatch tree, add or remove operators). Each role is a token, not a shared password. Every clip pull writes a row to a separate audit file (/var/lib/cyrano/meta/access.ndjson) with the operator id, the alert id, the camera, the zone, and the timestamp. That audit file is where you go when a tenant asks who looked at the lobby footage at 2 AM last Tuesday. A vendor that cannot produce that file on request is selling an access policy that does not exist.

Notice has to say four things to be defensible. First, that AI-assisted monitoring is in use on common areas (not the inside of units). Second, that footage is processed locally on a device at the property and not uploaded to a cloud. Third, the retention window in plain English (clips up to 30 days, structured event logs up to one year). Fourth, the property contact for a tenant who wants to ask a question or request access to a clip that involves them. The signage at every entry should mirror lines two and three because tenants who only ever see the sign should still know that frames stay on site. None of this is gold-plating. It is what makes the deployment defensible if a tenant raises a concern in a leasing review or to a city housing board. We have a sample notice and a sample sign in the dashboard, and we customize them per state.

On residential multifamily, no. The reason is not that the technology is bad, it is that facial recognition introduces a separate body of law (BIPA in Illinois, similar statutes in Texas, Washington, and other states) and a separate consent regime (biometric data, opt-in, retention rules, deletion rights), and the operational lift to comply is significant. The detections that actually drive incident reduction at a 180-unit property are person, vehicle, package, and dwell, none of which require identifying who the person is. We deliberately do not run face recognition on the perception tier. The dashboard says masked man near gate as a description, not a name. If a property has a specific reason for face recognition, like a gated community with a known-resident allow list, that is a separate conversation with separate consent flows and a separate per-property opt-in, and it does not happen by default.

Two trails. The alert trail (outbox.ndjson) records every detection that crossed dwell and was promoted to an alert, with the camera, zone, dwell, threat level, and clip path. The access trail (access.ndjson) records every operator action that touched a clip or a config: who looked at what, who changed which polygon, who edited retention. Both files are append-only and live on the device disk. The honest audit row is the row that exists when nothing happened: the operator who never looked at a clip during a quiet shift produces no rows, which is the right answer. The dishonest version is a vendor that says we log everything but cannot produce a row for a specific request because the log is in a cloud system the property does not control. On a Cyrano unit you can tail both files on a console.

A documented data handoff. Three steps. Export the metadata audit trails (outbox and access ndjson) for whatever window the new owner needs, usually 12 months. Render and bundle any clips that are tied to open incidents or pending litigation hold, and transfer them out of band. Then run a wipe pass on the device that unlinks every clip, truncates the audit files past the export window, and rotates the operator tokens. The new owner gets a clean device with their own tokens and their own retention config. The old owner has a documented export and a documented wipe. We do this on every management transition because in the absence of a policy, devices accumulate years of footage that nobody owns and nobody can defend. The handoff is a 30 minute task; not having one is a years-long liability.

Five questions. Where does inference run, on the device or in the cloud (a real answer names a chip and a process). What is the file path of the audit trail (a real answer is a path; a non-answer is a UI screenshot). What is the default retention for clips and for metadata, and where do I change it (a real answer is a config file; a non-answer is contact support). What is on the exclude polygon for a unit-door camera by default (a real answer describes the polygon math; a non-answer is we will work with you). What happens if the cellular link drops for two hours during an incident (a real answer is the alert lands locally and replays in order on reconnect; a non-answer is the cloud handles failover). A vendor who answers all five with file paths, config flags, and concrete numbers has built a system you can verify. A vendor who answers with adjectives is selling a posture.