Ley 1581 and AI Video Analytics: A Compliance Guide for Colombian Security Companies
Colombia's Ley 1581 creates specific obligations for companies that process video footage with AI. This guide explains what counts as personal data, what requires consent, and how cloud-based AI video processing fits within the regulatory framework.
Colombia's data protection framework — anchored by Ley 1581 of 2012 and its implementing decree, Decreto 1377 of 2013 — was written before AI-powered video analytics existed as a commercial product. The law nonetheless applies to it, and security companies deploying smart surveillance systems need to understand exactly what obligations they take on.
This is a practical guide, not legal advice. For specific compliance questions, consult a Colombian attorney specializing in data protection. But the framework below reflects how the Superintendencia de Industria y Comercio (SIC) has approached digital surveillance and personal data processing.
What Makes Video Data "Personal Data" Under Ley 1581
Ley 1581 defines personal data as any information linked or that can be linked to a natural person. In the context of video surveillance, this creates a key distinction:
Raw video footage that captures identifiable individuals is personal data. A recording of a person entering a building, showing their face or distinguishing characteristics, constitutes personal data under the law.
Aggregated, anonymized analytics — counting people in a space, measuring occupancy, detecting motion patterns — generally do not constitute personal data if the underlying individuals cannot be re-identified from the output.
AI-generated inferences about specific individuals — "this person has been present for 47 minutes" or "this person was seen at Camera 3 at 14:32" — link data back to identifiable individuals and are therefore personal data.
The practical implication: smart video analytics that generates insights about specific individuals triggers Ley 1581 obligations. Analytics that only produces aggregate, anonymous metrics typically does not.
Key Obligations for Security Companies
If your AI video analytics system processes personal data (which most incident-detection systems do), here are the primary obligations under Ley 1581:
1. Notification to Data Subjects
The people being filmed must know they are being filmed and what the data is used for. In a physical security context, this is typically accomplished through visible signage indicating the presence of surveillance cameras and the identity of the responsible party.
The SIC has consistently upheld the "visible notice" standard as sufficient for public and semi-public spaces like building lobbies, parking lots, and retail floors. The notice must identify: that surveillance is in place, the purpose (security), and how to exercise data rights.
2. Defined Retention Limits
Colombia's data protection framework does not specify a universal retention period for security footage, but the principle of data minimization applies: you should not retain data longer than necessary for the stated purpose.
In practice, most legal counsel in Colombia recommends 30 days as a defensible default for routine security footage. Footage associated with a specific incident — filed as evidence or part of an investigation — can be retained longer, but should be formally documented as such.
AI-generated event records (metadata about detected incidents, timestamps, confidence scores) are subject to the same retention limits as the underlying footage they reference.
3. Security Measures and Data Processor Obligations
When a security company engages a cloud provider to process video data (as in the case of cloud-based AI analytics), both the security company and the cloud provider are considered data processors. The security company acts as the data controller with respect to its clients' footage.
This creates a data processing chain: the building owner (or the company contracting security services) → the security company → the cloud AI provider.
Ley 1581 requires that data processing agreements be in place between each link in this chain. The security company must ensure its AI vendor has appropriate data security measures, and must be able to demonstrate this to the SIC on request.
4. Sensitive Data Considerations
The law creates a special category of "sensitive data" that includes biometric information. Facial recognition technology — where video analytics identifies specific individuals by analyzing facial geometry — falls into this category and requires explicit consent, which is a significantly higher bar than the notice standard for routine surveillance.
AI video analytics that detects behaviors (loitering, intrusion, tailgating) without identifying specific individuals by identity does not trigger the sensitive data provisions. The distinction matters: detecting that someone is in a restricted area is different from detecting that this specific named person is in a restricted area.
How Closely Is Designed for Compliance
Closely's architecture was designed with these obligations in mind.
Event-based storage, not full-stream recording. Closely stores clips associated with detected events, not continuous footage streams. This supports the data minimization principle and makes retention management tractable: you know exactly what's stored and why.
No facial recognition. The Watcher agent detects behaviors and objects — masked persons, loitering, intrusion — without identifying individuals by identity. This keeps the system out of the biometric sensitive data category.
Encrypted processing on GCP. Video data is encrypted in transit and at rest on Google Cloud Platform. The security company maintains control over its client data; Closely is a processor, not a controller.
Documented processing agreements. Closely provides data processing agreements (DPAs) for its clients that satisfy the Ley 1581 requirements for processor contracts.
Configurable retention. Retention periods for event clips can be configured per installation to match the client's data governance policy.
Practical Steps for Compliance
For a security company deploying AI video analytics today in Colombia, the minimum compliance checklist looks like this:
- Install visible surveillance notice signage at all monitored locations — lobbies, parking lots, restricted access zones. Signage must identify the responsible party and state the security purpose.
- Establish retention policies and configure your AI system to automatically purge event records and associated clips after the defined period (30 days is a common default; incidents under active investigation should be explicitly flagged for extended retention).
- Sign data processing agreements with your AI analytics provider. Verify that the provider can demonstrate appropriate security measures (ISO 27001 certification or equivalent) and will support your response to any SIC investigation.
- Establish a data rights response process. Under Ley 1581, individuals can request access to their personal data, correction, and deletion. Your operation needs a defined process for handling these requests, including knowing where to find the relevant footage.
- Avoid facial recognition unless you have obtained explicit consent from each individual who will be processed. For most commercial security applications, behavior-based detection accomplishes the security objective without triggering the biometric data requirements.
The Regulatory Direction of Travel
The SIC has been increasing its enforcement activity around digital surveillance. In 2024 and 2025, the agency published guidance making clear that smart surveillance — including AI-assisted monitoring — falls within the scope of Ley 1581.
Colombia is also watching developments in the EU's AI Act and Brazil's LGPD, both of which impose stricter requirements on high-risk AI applications including surveillance. While Colombian law currently tracks behind these frameworks, the trend is toward greater scrutiny.
Security companies that build compliance into their AI video deployments now will be better positioned as regulation tightens. The cost of retrofitting compliance onto an existing operation is always higher than designing for it from the start.
The good news: for security operations focused on incident detection rather than identity profiling, the compliance path is straightforward. Know what you're storing, why you're storing it, for how long, and how you'll respond if someone asks.