At StreamYard, we are committed to protecting the confidentiality, integrity and availability of our information systems and our customer’s data. We are constantly improving our security controls and analyzing their effectiveness to give you confidence in our solution.
Here we provide an overview of some of the security controls in place to protect your data.
You can reach our security team at security@streamyard.com.
Cloud Security
Data Center Physical Security
Facilities
StreamYard uses infrastructure from Google Cloud for data center hosting. Our provider data centers are certified as ISO 27001, PCI DSS Service Provider Level 1, and or SOC 1 and 2 compliant. Learn more about GCP certifications and compliance standards at GCP Compliance offerings.
Our providers employ robust controls to secure the availability and security of their systems. This includes measures such as backup power, fire detection and suppression equipment, secure device destruction amongst others.
On-Site Security
GCP implements layered physical security controls to ensure on-site security including, vetted security guards, fencing, video monitoring, intrusion detection technology and more. Learn more about GCP Physical Security.
Network Security
In-house Security Team
StreamYard has a dedicated and passionate security team across the globe to respond to security alerts and events.
Third-Party Penetration Tests
Third party penetration tests are conducted against the application and supporting infrastructure at least annually. Any findings as a result of tests are tracked to remediation. Reports are available on request with an appropriate NDA in place.
Threat Detection
StreamYard leverages threat detection services within GCP to continuously monitor for malicious and unauthorized activity.
Vulnerability Scanning
We perform regular internal scans for vulnerability scanning of infrastructure. Where issues are identified these are tracked until remediation.
DDoS Mitigation
StreamYard uses a number of DDoS protection strategies and tools layered to mitigate DDoS threats. We utilize Cloudflare’s sophisticated CDN with built in DDoS protection as well as native GCP tools and application specific mitigation techniques.
Access Control
Access is limited to a least privilege model required for our staff to carry out their jobs. Plus, access is granted for a limited time and is scoped to the minimum number of services needed. Permissions are subject to frequent internal assessment, technical enforcement, and monitoring to ensure compliance. 2FA is required for all production systems.
Encryption
In Transit
StreamYard forces HTTPS for all services using TLS (SSL). Inside the streaming studio, all incoming and outgoing video and audio streams are encrypted using DTLS v1.2. When a broadcast is live, video and audio data is decrypted on the StreamYard servers so that the various video sources can be mixed and transcoded into the final outgoing feed. The final feed is encrypted for all social platforms that support RTMPS.
At Rest
StreamYard data is encrypted at rest with industry standard encryption algorithm.
Availability & Continuity
Uptime
StreamYard is deployed on public cloud infrastructure. Services are deployed to multiple availability zones for availability and are configured to scale dynamically in response to measured and expected load. Simulated load tests and API response time tests are incorporated into our release and testing cycle.
StreamYard maintains a publicly available status page that includes details on system availability categorized into product areas, scheduled maintenance windows, service incident history, and security incident details.
Disaster Recovery
In the event of a major region outage, StreamYard has the ability to deploy our application to a new hosting region. Our Disaster Recovery plan ensures the availability of services and ease of recovery in the event of such a disaster. This plan is regularly tested and reviewed for areas of improvement or automation.
DR deployment is managed by the same configuration management and release processes as our production environment ensuring that all security configurations and controls are applied appropriately.
Application Security
Quality Assurance
StreamYard’s Quality Assurance function reviews and tests changes to our code base. The security team has resources to investigate and recommend remediation of security vulnerabilities within code. Regular syncs, training, and security resources are provided to Support QA.
Environment Segregation
Testing, staging, and production environments are logically separated from one another. No customer data is used in any development or test environment.
Personal Security
Security Awareness
StreamYard delivers a robust Security Awareness Training program which is delivered within 30 days of new hires and annually for all employees.
Information Security Program
StreamYard has a comprehensive set of information security policies covering a range of topics. These are disseminated to all employees and contractors and acknowledgement tracked on key policies such as Acceptable Use, Information Security Policy, and our Employee Handbook.
Employee Background Checks
All StreamYard employees undergo a background check prior to employment which covers 5 years of criminal history where legal and 5 years of employment verification.
Confidentiality Agreements
All employees are required to sign Non-Disclosure and Confidentiality agreements.
Access Controls
Access to systems and network devices is based upon a documented, approved request process. Logical access to platform servers and management systems requires two-factor authentication. A periodic verification is performed to determine that the owner of a user ID is still employed and assigned to the appropriate role. Access is further restricted by system permissions using the least privilege methodology and all permissions require documented need. Exceptions identified during the verification process are remediated. Business needs revalidation is performed on a quarterly basis to determine that access is commensurate with the user's job function. Exceptions identified during the revalidation process are remediated. User access is revoked upon termination of employment or change of job role.
Data Privacy
GDPR
StreamYard is committed to ensure your data protection and privacy rights in accordance with the GDPR, the CCPA, and the applicable privacy laws and regulations.
PCI-DSS
As a card not present merchant, StreamYard outsources our cardholder functions to a PCI-DSS Level 1 service provider.
Privacy Policy
StreamYard’s privacy policy, which describes how we process personal data, can be found in the Privacy Policy section of the Help Center. For any other privacy related questions, please contact us at privacy@streamyard.com.
Third Party Security
Vendor Management
StreamYard understands the risks associated with improper vendor management. We evaluate and perform due diligence on all of our vendors prior to engagement to ensure their security is to a suitable standard. If they do not meet our requirements, we do not move forward with them.
Third-Party Subprocessors
StreamYard uses third-party subprocessors to provide core infrastructure and services that support the application. Prior to engaging any third party, StreamYard evaluates a vendor’s security as per our Vendor Management Policy.
Vendor | Location | Service Provided |
Google LLC | USA | Cloud Services Platform |
Stripe | USA | Payment Processing |
Zendesk Inc | USA | Customer Support |
SendGrid | USA | Email Messaging |
Amplitude Inc | USA | Analytics |
Segment | USA | Analytics |
Profitwell | USA | Payment Management |
Hubspot | USA | Sales / Marketing Platform |
Cloudflare | USA | Content Delivery and Traffic Filtering |
Cloudinary | USA | Data Storage and Image Processing |
OpenAI |
USA |
Only if the user opts in to use:
|
Pinecone | USA |
Only if the user opts in to use Collab by StreamYard: Vector database for storing embeddings |
Responsible Disclosure
At StreamYard, we consider the security of our system a top priority and StreamYard believes that working with a skilled security researcher community helps improve our security posture.
Below is the list of vulnerabilities that qualify to receive Hall of fame:
- Server-side Remote Code Execution (RCE)
- SQL Injection
- Authentication Bypass
- Private data access
- Access Control vulnerabilities
- Server-Side Misconfiguration
- Stored cross-site scripting
- Server-side applications using default credential
Disclosure Policy:
- If you believe you have discovered a potential vulnerability, please let us know by emailing security@streamyard.com. Encrypt your email using our PGP key to prevent this critical information from falling into the wrong hands.
- We accept solo submissions only
- All the testing should be done within your own account only
- Currently, we do not allow disclosure of the vulnerability
- Please do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting/modifying/accessing other people's data. Only use the accounts you own or for which you have explicit permission from the account holder.
- Provide us a reasonable amount of time to resolve the issue before disclosing it to the public or third parties and provide sufficient information to reproduce the vulnerability.
- We recommend you include the following information when you report a security bug:
- Finding Name
- Domain
- Severity
- URL
- Proof-of-Concept to reproduce the finding
- Evidence such as screenshots/videos
Exclusions and things we do not want to see:
While researching, we would like you to refrain from:
- Denial of Service (DOS) and Distributed Denial of Service (DDOS)
- Spamming
- Clickjacking
- Email bombing/Flooding/rate limiting
- Social Engineering or phishing of StreamYard employees or contractors
- Any attack against StreamYard's physical property or data centers
- Scanning StreamYard infrastructure or products using automated vulnerability scanners.
- Vulnerabilities in Third-party SaaS applications and integrations we use
- Username/E-mail enumeration
- Missing HTTP security headers or issues related to HTTP headers
- Missing DANE, and CAA records
- Logout Cross-Site Request Forgery
- EXIF and geolocation-related vulnerabilities
At the moment, we do not have a bug bounty program in place. We know it is an important way to show appreciation for independent researches and it helps to legally define and encourage vulnerability research activities within our products. If we consider it feasible for our company, we'll introduce it in the future.
StreamYard does not offer cash rewards for reporting vulnerabilities through our Responsible Disclosure Policy. We do appreciate and thank researchers by listing their names in the Hall of Fame.
Thank you for helping to keep StreamYard and our users safe!
Updated