It is 9.14 am on a Tuesday morning in March. You’re in your operations office in Sesto San Giovanni; you’ve just finished allocating the week’s shifts, and the direct number of the facility manager for one of your most important clients appears on your phone – a business complex in Milan’s Bicocca district where your security guards have been carrying out three night patrols every night for the past fourteen months. You answer, expecting a routine operational request. The voice on the other end is friendly but matter-of-fact: “Listen, we had a board meeting last night; a discussion arose about the cost of security, and the chairman has asked me to provide objective evidence that your staff are actually carrying out all the checkpoints specified in the contract. The invoice isn’t enough; the signed log isn’t enough. We need data. When can you send me a report for the last week?”
You put the phone down, look at the screen, and realise that report doesn’t exist. You’ve got the duty rosters, you’ve got the USB stick containing the paper log that the guard fills in at the guardhouse, you’ve got the signatures from each shift. But objective evidence, checkpoint by checkpoint, with verifiable times and geolocation? No. Your security guards are good; you know Salvatore and Marco personally – they’ve been covering that site for months – and you know they really do carry out their patrols, but you also know that the facility manager isn’t asking for your word alone. He’s asking for data he can pass on to his board. And at that moment you realise two things: the first is that somewhere, they’re probably considering another agency that does provide that data. The second is that the €84,000-a-year contract might not be renewed in September.
This is the scenario currently playing out in hundreds of Italian private security firms right now. It’s no longer the small client asking for a discount. It is the medium-to-large client – banks, hospitals, business centres, logistics hubs, public buildings – who have stopped trusting paper logs and now demand a patrol documentation system that produces digital, exportable and tamper-proof evidence. Those who fail to adapt lose out on tenders. Those who do adapt – and do so effectively – shift the focus of the discussion from price to positioning. The point of this article is precisely this: what does it mean, today, to document a security patrol in such a way that it stands up to scrutiny by a client, an insurance surveyor and, in the worst-case scenario, a magistrate?
If the client from the banking sector asks for digital logs and you only have a paper log, two weeks’ delay shifts the conversation away from price.
No credit card required; up and running in 2 minutes.
Take a look at the sectorWhy a paper log is no longer enough for the client
For decades, security guards’ patrols were documented using a notebook in the guardhouse, a signature at the start and end of a shift, and possibly a stamp at key points along the perimeter. That system worked as long as the client trusted it out of habit: the invoice arrived, there was no theft, and the contractual relationship continued. Today, that arrangement has broken down. The boards of asset management companies, the risk managers at banks, and the management committees of healthcare facilities are demanding evidence. They do so because the insurance company in turn demands it of them, because the certifying body demands it, and because, when an incident occurs, the first document the deputy public prosecutor asks for is the ‘log of patrols during the twelve hours preceding the incident’. If that log is a single page from a notebook with a signature at the bottom, the problem becomes yours even before it becomes the client’s.
There is also a second factor that many organisations underestimate. Tenders for public contracts – from the Ministry of the Interior, AdR for airports, local health authorities (ASLs) and large local councils – have, over the last five years, incorporated increasingly stringent clauses regarding the traceability of patrols. Typically, these refer to an “electronic checkpoint detection system with verifiable time-stamping, geolocation of detections and the generation of exportable daily reports”, often with reference to data security standards. If you are not equipped to meet these requirements, your score will plummet during the technical evaluation phase, even if you offer the best price. And in the high-end private sector, the situation is the same: the facility manager at the Milan Bicocca business centre has incorporated that same logic into his requirements, even without specifying it in the tender documents.
The cost of not having a structured documentation system is not just losing the tender. It creates a knock-on effect: fewer contracts won means lower volumes; lower volumes mean less bargaining power over suppliers; less bargaining power means eroded profit margins; and eroded profit margins mean you can no longer invest in the tools that would have enabled you to win those contracts again. The security firms currently experiencing double-digit growth are those that closed this loop three or four years ago. Those that are closing branches and losing contracts share one common trait: they continue to document patrols in the same way as they did in 2010.
What is really needed for patrol documentation to stand up to scrutiny
When the facility manager says ‘I want proof’, they aren’t asking for a generic PDF. They are looking for a chain of evidence that begins with the security guard starting their shift and ends with the report that they can pass on to their board. The first link in the chain is the physical checkpoints around the site’s perimeter: weather-resistant NFC tags or QR codes, positioned at the contractually agreed points, such as entrances, emergency staircases, plant rooms, the outer perimeter and data centre rooms. When the security guard passes by, they tap the tag with their company smartphone, and at that moment four pieces of data are recorded simultaneously: the checkpoint ID, the exact time recorded by the time server, the GPS coordinates of the security guard’s smartphone, and the device identifier. Four pieces of data, a single action, which cannot be altered after the event.
The second layer is photographic evidence where required. At some sites, the client requests that the guard take a photo at the critical checkpoint – the data centre door, the main electrical switchboard, or the yard gate – to certify that everything was in order. The photo is taken from within the app, with timestamp and geolocation metadata embedded and visible on the image itself. This is not about monitoring the guard: it is about documenting that at 03:14 that door was locked and that the guard checked it in person. If, on that same night, someone forces the door open at 04:20, the photo taken at 03:14 becomes the evidence that protects both you and the security guard when faced with the inevitable question: ‘Why didn’t you spot it earlier?’.
The third link is managing the incident as it happens, not at the end of the shift. If, whilst on patrol, the security guard finds a ground-floor window ajar, a misaligned CCTV camera or a suspicious vehicle in the car park, they must be able to submit a report directly via the app, including a photo, description, geolocation and the time. That report goes straight into the queue for the operations centre operator and reaches the client within a few minutes, not in a service report emailed the following day. This radically changes the perception of the service: the client stops viewing security as a passive cost and begins to see it as an active risk management system.
The fourth element – and the most important one for finalising the contract – is the exportable report. At the end of the day or the weekend – depending on how the contract is structured – the system automatically generates a PDF document branded with your organisation’s logo: a list of patrols, the time of each checkpoint, a map showing the routes, attached photos, any reports of anomalies, the signature of the shift manager, and a cryptographic verification reference. That PDF is what you send to the facility manager on Tuesday morning at 9.30 am. It is not a Word document with a makeshift table: it is a document that looks like a bank statement, and which the facility manager can pass on exactly as it is to their board.







