Part of the Bend Source Library. Primary source documents on the Deschutes County Sheriff’s Office body-worn camera, fleet camera, and Taser procurement (Contract No. 2026-0327), the December 2025 Internal Audit of the existing camera program, and the Oregon State CISO letter on SB 1516 end-to-end encryption.
Deschutes County / DCSO materials
BOCC meeting packet — June 3, 2026
- Deschutes County BOCC Meeting Packet — June 3, 2026 (246 pp.) — includes Item 4 staff report, Contract No. 2026-0327 (Axon body-worn cameras, fleet cameras, Tasers), Exhibit A quote (Axon Fleet 3, Axon Body 4, Auto-Transcribe, Auto-Tagging, Fusus, Dedrone line items), Axon Cloud Services Privacy Notice (Sept. 26, 2025), Service Level Agreement, and Sourcewell Master Agreement 101223-AXN
Deschutes County Internal Audit
- Audit Report A0134: Body-Worn and In-Car Camera Program — Foundations in Place, Improved Oversight and Reporting Needed (December 1, 2025) — Deschutes County Office of the Internal Auditor, Elizabeth Pape. Findings include scope impairment (DCSO refused footage access), unpublished quarterly reports, inconsistent supervisor review, CJIS-standard security gaps, and zero public records releases in sample. Management response includes formal disagreement with recommendation to publish program statistics publicly.
Oregon State CISO letter — SB 1516 encryption
- Oregon State CISO Ben Gherezgiher — Letter to Senator Prozanski, Senate Committee on Judiciary re: SB 1516 End-to-End Encryption (February 14, 2026) — confirms Axon does not employ E2EE architecture; law enforcement agencies using Axon Evidence do not retain encryption keys to their own data; platform is built on FedRAMP-authorized Microsoft Azure Government Cloud and meets CJIS standards via access controls and personnel screening rather than technical E2EE.
SOC 2 Type II certification — what it is and what it doesn’t cover
- American Bar Association — “What SOC 2 Type II Certification Means” (Law Technology Today, 2014) — Explains that SOC 2 Type II audits whether a vendor’s internal controls operate as the vendor describes them, over a 6–12 month period. The Privacy principle requires only that data be handled in accordance with the vendor’s own privacy notice — not in accordance with state law. SOC 2 does not require end-to-end encryption and does not audit compliance with Oregon SB 1587 or SB 1516. Axon’s SOC 2 certification confirms its controls work as Axon describes them; it does not rebut the Oregon State CISO’s February 14, 2026 finding that Axon does not employ E2EE architecture and that agencies do not retain encryption keys to their own data.
DCSO procedural record — DPA produced morning of vote
- Crystal Morton (DCSO Project Manager) to Brenda Fritsvold (BOCC staff) — Subject: “AXON for BOCC meeting” — June 3, 2026, 8:07 AM, plus Axon Data Processing Agreement pages 19–25 (PDF, photographed at BOCC meeting) — Email confirms the DPA was not included in the original Board packet and was transmitted to BOCC staff the morning of the vote. CC: Jeff Price, Bryan Husband, Jonathan Spring. Attachment: 2026-0327 AXON-2.pdf. Marked High importance. The DPA (pages 19–25 of 171, marked Privileged & Confidential) covers: definitions; roles and scope (DCSO as Controller, Axon as Processor); processing restrictions (no sale of Personal Data, no targeted advertising); data security measures; 72-hour security breach notification; subprocessors (pre-authorized list at Axon Storyblok-hosted PDF, August 2024; 30-day objection window); audit rights (annually, at Customer expense, 14 days notice); data return/destruction on termination. Security Measures Annex covers information security policies, physical security, network security, access control, virus controls, personnel training, and business continuity. Not included in the publicly posted BOCC packet on the Deschutes County website. Photographed by BPA at the meeting. Also available via public records request to Deschutes County.
Meeting outcome — June 3, 2026
- Contract No. 2026-0327 approved unanimously by the Deschutes County Board of Commissioners. Condition adopted: ALPR capability on the Axon Fleet 3 may not be activated unless brought before the Board for a separate authorization vote. Axon’s attorneys stated through DCSO that Axon does not meet the definition of “data broker” under Oregon SB 1587 — this is Axon’s legal position, not a judicial or agency determination. No ALPR policy was introduced or published. DCSO policy manual last modified September 23, 2025 as of date of meeting.