🔒 ISO 27001 & ISO 27701 Certified
StreamYard is now certified under ISO 27001 for information security and ISO 27701 for privacy information management, demonstrating our ongoing commitment to safeguarding customer data and privacy.
We are committed to protecting the confidentiality, integrity and availability of our information systems and our customers' data. We are constantly improving our security controls and analyzing their effectiveness to give you confidence in our solution.
Here we provide an overview of some of the security controls in place to protect your data.
You can reach our security team at security@streamyard.com.
Cloud Security
Data Center Physical Security
Facilities
We use infrastructure from Google Cloud for data center hosting. Our provider's data centers are certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 1 and 2 compliant. Learn more about GCP certifications and compliance standards at GCP Compliance offerings.
Our providers employ robust controls to secure the availability and security of their systems. This includes measures such as backup power, fire detection and suppression equipment, and secure device destruction, amongst others.
On-Site Security
GCP implements layered physical security controls to ensure on-site security, including vetted security guards, fencing, video monitoring, intrusion detection technology and more. Learn more about GCP Physical Security.
Network Security
In-house Security Team
We have a dedicated and passionate security team across the globe to respond to security alerts and events.
Third-Party Penetration Tests
Third-party penetration tests are conducted against the application and supporting infrastructure at least annually. Any findings from these tests are tracked to remediation. Reports are available on request with an appropriate NDA in place.
Threat Detection
We leverage threat detection services within GCP to continuously monitor for malicious and unauthorized activity.
Vulnerability Scanning
We perform regular internal vulnerability scans of our infrastructure. Where issues are identified, they are tracked until remediation.
DDoS Mitigation
We use a number of layered DDoS protection strategies and tools to mitigate DDoS threats. We utilize Cloudflare’s sophisticated CDN with built-in DDoS protection as well as native GCP tools and application-specific mitigation techniques.
Access Control
Access is limited to a least privilege model required for our staff to carry out their jobs. Plus, access is granted for a limited time and is scoped to the minimum number of services needed. Permissions are subject to frequent internal assessment, technical enforcement, and monitoring to ensure compliance. 2FA is required for all production systems.
Encryption
In Transit
We force HTTPS for all services using TLS. Inside the streaming studio, all incoming and outgoing video and audio streams are encrypted using DTLS v1.2. When a broadcast is live, video and audio data is decrypted on our servers so that the various video sources can be mixed and transcoded into the final outgoing feed. The final feed is encrypted for all social platforms that support RTMPS.
At Rest
StreamYard data is encrypted at rest with industry-standard encryption algorithms managed by GCP, such as AES.
Availability & Continuity
Uptime
StreamYard is deployed on public cloud infrastructure. Services are deployed to multiple availability zones for availability and are configured to scale dynamically in response to measured and expected load. A robust monitoring and alerting system is in place to ensure service reliability and rapid incident response.
We maintain a publicly available status page that includes details on system availability categorized into product areas, scheduled maintenance windows, service incident history, and security incident details.
Disaster Recovery
In the event of a major region outage, we have the ability to deploy our application to a new hosting region. We have proper monitoring and alerting rules that allow our engineers to immediately spot any anomalies and to promptly react to recover from any kind of disaster.
Application Security
Quality Assurance
Our engineers review and test changes to our code base. The security team has resources to investigate and recommend remediation of security vulnerabilities within code. Regular syncs, training, and security resources are provided to all engineers working on StreamYard.
Environment Segregation
Testing, staging, and production environments are logically separated from one another. No customer data is used in any development or test environment.
Personal Security
Security Awareness
We run a robust Security Awareness Training program, which is delivered upon hiring and annually for all employees.
Information Security Program
We have a set of information security policies covering a range of topics. These are delivered to all employees and contractors right after hiring.
Confidentiality Agreements
All employees are required to sign Non-Disclosure and Confidentiality agreements.
Access Controls
Access to systems and network devices is based upon a well-defined request process. Logical access to platform servers and management systems requires two-factor authentication. Access is further restricted by system permissions using the least privilege methodology and all permissions require documented need. User access is revoked upon termination of employment or change of job role.
Third Party Security
Vendor Management
We understand the risks associated with improper vendor management. We evaluate and perform due diligence on all of our vendors prior to engagement to ensure their security is to a suitable standard. If they do not meet our requirements, we do not move forward with them.
PCI-DSS
As a card-not-present merchant, we outsource our cardholder functions to a PCI-DSS Level 1 service provider.
Third-Party Subprocessors
We use the following subprocessors to provide our services. Prior to engaging any third party, we assess its security and privacy posture.
| Vendor | Location | Service Provided |
| --- | --- | --- |
| Google LLC | USA | Cloud Services Platform |
| Zendesk Inc | USA | Customer Support |
| Cloudflare | USA | Content Delivery and Traffic Filtering |
| Fastly | USA | Content Delivery and Traffic Filtering |
| Cloudinary | USA | Data Storage and Image Processing |
| OpenAI | USA | AI clips Generation |
| Checkstep | EU | Content Moderation |
| Rediscloud | USA | In-Memory Data Store |
| Bending Spoons S.p.A. and its affiliates | Italy, EU, USA | Support for the provision of the Services |
Responsible Disclosure
We consider the security of our system a top priority and believe that working with a skilled security researcher community helps improve our security posture.
If you believe you have discovered a potential vulnerability, please contact us at security@streamyard.com to request a disclosure form.
We do not offer cash rewards for reporting vulnerabilities through our Responsible Disclosure Policy.