TimeStack — Data Flow & Architecture

Erbacci LTD · All processing runs in a single AWS account (region eu-west-1). TimeStack captures still snapshots only — no live video, no audio, no AI/analysis. Encryption: TLS 1.2+ in transit, AES-256 at rest.

Data flow between systems

Ring Camera customer-owned snapshot via Ring API (TLS) Capture Lambda EventBridge cron (scheduled) S3 — captures/ (private) AES-256 · auto-expire 180 days reads frames Stitch Lambda daily · ffmpeg → MP4 S3 — reels/ (private) AES-256 · auto-expire 365 days presigned URL (6 h, time-limited) Customer Dashboard CloudFront (HTTPS) · play + download Ring Webhook API Gateway → Lambda · HMAC DynamoDB (metadata & OAuth tokens — encrypted at rest) tables: timestack-users · -projects · -captures · -reels · -webhook-events (tokens purged on unlink)

Account linking (one-way): Ring posts an OAuth code to our Token Exchange URL; we exchange it for access/refresh tokens and store them encrypted; Ring then redirects the user to our Account Link URL, where they sign in before nonce matching completes the integration.

Data storage locations and systems

DataSystem / locationProtectionRetention
Camera snapshots (JPEG)Amazon S3 — captures/ (eu-west-1, private bucket, public access blocked)SSE AES-256 at rest; TLS in transitAuto-deleted after 180 days
Time-lapse reels (MP4)Amazon S3 — reels/ (eu-west-1, private)SSE AES-256; served only via short-lived presigned URLsAuto-deleted after 365 days
Account metadata, project config, Ring OAuth tokensAmazon DynamoDB (eu-west-1)Encryption at rest; least-privilege IAM; tokens purged on unlinkUntil account deletion / unlink
Application & access logsAmazon CloudWatch / CloudTrailWithin the AWS account; least-privilege access~30 days

No customer data leaves AWS. Sole sub-processor: Amazon Web Services (AWS), governed by the AWS DPA. Contact: info@erbacciltd.com.