Authentication
Every Hover deployment runs as an isolated session. A session has two pieces of identity:
- A unique session identifier (a 32-bit value).
- A session-specific API key — a pre-shared secret, provisioned by Anarion at deployment time.
The field proxy and the operator client both present the session ID and use the API key to sign every packet they send to the relay using HMAC-SHA256. The relay verifies the signature on every packet. Forged or replayed traffic is rejected; legitimate traffic is forwarded between the matched proxy and client. Two deployments cannot see each other's traffic, by design.
API keys are not embedded in source code. They are issued per-deployment, communicated through agreed channels, and rotatable on request.
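The per-packet HMAC check described above, as an added illustration that is not Hover's own code: the packet layout (32-bit session ID, a sequence number, payload, 32-byte HMAC-SHA256 tag), the strictly-increasing sequence number used to reject replays, and the constructed keys are all assumptions made here for the example; the page does not publish the real wire format or replay policy. The relay-side verifier checks the signature before touching any replay state, so unsigned traffic cannot advance a session's sequence counter, and a packet signed under one session's key is rejected when presented under another session ID.

```python
import hashlib
import hmac
import struct

# Constructed packet layout (an assumption, not Hover's wire format):
#   4 bytes   session ID      (big-endian uint32)
#   8 bytes   sequence number (big-endian uint64, strictly increasing per sender)
#   N bytes   payload
#   32 bytes  HMAC-SHA256 over everything before it, keyed with the session API key
HEADER = struct.Struct("!IQ")
TAG_LEN = 32


def sign_packet(session_id: int, api_key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side (proxy or operator client): sign header + payload with the session key."""
    header = HEADER.pack(session_id, seq)
    tag = hmac.new(api_key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class RelayVerifier:
    """Relay side: look up the pre-shared key by session ID, verify the tag in
    constant time, then reject replays via a per-sender monotonic sequence number
    (the replay policy is a constructed example, not Hover's documented behaviour)."""

    def __init__(self, keys_by_session: dict):
        self.keys = keys_by_session
        self.last_seq = {}  # (session_id, sender) -> highest accepted sequence number

    def verify(self, packet: bytes, sender: str):
        """Return (payload, "ok") on success, or (None, reason) on rejection."""
        if len(packet) < HEADER.size + TAG_LEN:
            return None, "too short"
        session_id, seq = HEADER.unpack_from(packet)
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        key = self.keys.get(session_id)
        if key is None:
            return None, "unknown session"
        expected = hmac.new(key, body, hashlib.sha256).digest()
        # Signature first: an attacker without the key must not be able to
        # touch replay state or learn which sequence numbers are accepted.
        if not hmac.compare_digest(expected, tag):
            return None, "bad signature"
        last = self.last_seq.get((session_id, sender), -1)
        if seq <= last:
            return None, "replay"
        self.last_seq[(session_id, sender)] = seq
        return body[HEADER.size:], "ok"


# Constructed demo keys; a real deployment gets a random per-session secret.
KEY_SESSION_1 = bytes(range(32))
KEY_SESSION_2 = bytes(reversed(range(32)))


def demo():
    """Walk through accept, replay, tamper and cross-session cases; returns the verdicts."""
    relay = RelayVerifier({1: KEY_SESSION_1, 2: KEY_SESSION_2})
    first = sign_packet(1, KEY_SESSION_1, 1, b"video-chunk")
    second = sign_packet(1, KEY_SESSION_1, 2, b"telemetry")
    tampered = second[:HEADER.size] + b"T" + second[HEADER.size + 1:]
    cross = sign_packet(2, KEY_SESSION_1, 1, b"video-chunk")  # session 2 ID, session 1 key
    return [
        relay.verify(first, "proxy")[1],     # ok
        relay.verify(first, "proxy")[1],     # replay
        relay.verify(tampered, "proxy")[1],  # bad signature
        relay.verify(second, "proxy")[1],    # ok
        relay.verify(cross, "proxy")[1],     # bad signature
    ]


if __name__ == "__main__":
    print(demo())
```

Because the key is session-specific, the cross-session case fails at the signature check rather than at some session-routing step, which is what isolates one deployment's traffic from another's.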
Transport
| Leg | Protocol | Authentication | Encryption |
|---|---|---|---|
| Drone → field proxy | RTSP / RTP (drone's local network) | Drone vendor's mechanism | Per drone vendor |
| Field proxy ↔ relay | UDP, custom binary | HMAC-SHA256 per packet | Authenticated, not encrypted today |
| Relay ↔ operator client | UDP, custom binary | HMAC-SHA256 per packet | Authenticated, not encrypted today |
| Public viewer (browser) | WHIP / HLS over HTTPS | HTTPS / TLS 1.2+ | TLS 1.2+ end-to-end |
| Admin pages (operator + proxy) | HTTP on localhost only | None (loopback-bound) | n/a (loopback) |
Transport is HMAC-authenticated on every packet, which prevents tampering and replay. Confidentiality of the in-flight video stream relies on the network path; this is consistent with how most operational drone-streaming products work today, and is the standard public-safety procurement teams evaluate against. Per-session encryption of the relay legs is on the roadmap. If your procurement requirements demand it before that ships, raise it during discovery.
What we log
Hover keeps two kinds of operational data:
Session-control logs (server-side)
Connection events: when a proxy or client registers, when a session goes idle, retransmit and reorder counters, error events. These exist to operate the platform — to triage incidents, to verify health, to prove a customer's deployment was working during a given window. They contain no video and no MAVLink command payloads. They are retained for 30 days by default.
Field-side logs (on your hardware)
The proxy and operator client write their own logs to disk on your machines. The admin pages on ports 8080 (proxy) and 8081 (operator client) display these logs and a live loss chart. They never leave your hardware unless you choose to share them.
What we don't keep
- No cloud-side video archive. Hover does not maintain a server-side recording of your video. Video is recorded field-side, to an SD card on the proxy, under your custody. Hover's relay forwards video bytes; it does not retain them.
- No MAVLink command archive. Telemetry packets are forwarded and discarded.
- No customer-data warehouse. We do not aggregate customer video, telemetry, or identifying data into a shared analytics surface.
What lives where
- Cloud. Single AWS US region. Anarion-managed account, monitored by us. No cross-region replication today.
- Field SD card. Recordings are written to a labeled exFAT card. Operator swaps the card and hands it to evidence — same workflow as a body-worn-camera card.
- Operator laptop. Local logs and the admin page only. No persistent video storage on the operator side.
Compliance posture
Plain answer. Hover has not been audited or certified against CJIS, SOC 2, FedRAMP, or HIPAA as of today. The platform is built with the standard practices these frameworks expect (per-session secrets, HMAC integrity, AWS-hosted compute, no warehousing of customer data) but does not carry a third-party attestation. If your procurement requires one, that is a conversation to have during discovery — Anarion will tell you whether the framework you need is on a credible path or whether Hover is the wrong fit for that procurement.
Data ownership
Customers retain ownership of all video, telemetry, location, and operational data generated through the platform. Anarion processes that data only to operate and support the platform. Anarion may use anonymized, aggregated operational telemetry — packet-loss histograms, latency distributions, retransmit counters — to improve the platform. We do not aggregate identifying customer data. The full data-ownership terms live in the master services agreement.
Incidents and disclosure
Anarion will notify customer points of contact promptly when we identify a security incident affecting a deployment. Coordinated disclosure to end users (the agencies your customers serve) remains a customer responsibility. Specifics live in the MSA.