Security and customer content storage policy

Telestream follows the Motion Picture Association of America (MPAA) best practices for securely storing, processing and delivering protected media and content: http://www.mpaa.org/content-security-program/.

Infrastructure security

Telestream Cloud is hosted on multiple public cloud providers (Microsoft Azure, Google Cloud Platform, and Amazon Web Services), spanning multiple regions and availability zones. All of these vendors provide PCI, HIPAA, SOC, ISO 27001, ISO 27018, and SSAE-16 compliance/certifications within their environments. The cloud vendors also follow the MPAA guidelines.

The list of certifications, qualifications, regulatory requirements etc. grows every day, and each major cloud provider's assurance and certification information can be found here:

By running within these cloud providers, we are able to extend their security commitments to our customers. Network security and monitoring, physical security and compliance are handled directly by the cloud vendors under their SLAs and compliance programs. Under the shared-responsibility model these certifications cover the vendors' physical and network infrastructure; platform configuration, identity and application security remain Telestream's responsibility and are described below.

Cloud platform security

Communication with our API or the Telestream Cloud Console is established over TLS (HTTPS). Every request to Telestream Cloud Services (API, Console) has to be authenticated and authorized. The Telestream Cloud Identity and Access Management (IAM) layer ensures that users can reach only the resources they have been granted access to. Telestream Cloud IAM enables customers to add users to the account and grant them limited access roles to selected services and resources.

All of the API communication is authenticated using a hash-based message authentication code (HMAC-256). The HMAC proves that a request was produced by a holder of the secret key and that it was not modified in transit; it does not encrypt the request, which is why the TLS layer above remains mandatory.

Customer content storage

Assets flow/retention depends on the chosen submission method and selected output store.

Content submitted through resumable uploader or accessible source media URLs

This scenario applies to source content uploaded to Telestream Cloud using the resumable uploader available in our web console or the resumable upload API, as well as content submitted as accessible source media URLs (http/https/ftp/fasp) that are not S3 or GCS locations.

  • Source content, once uploaded, is placed on Telestream Cloud managed intermediate storage (on AWS, Azure or Google, depending on the output store)
  • A Worker instance fetches the media from Telestream Cloud intermediate storage for processing
  • Jobs are executed in isolation - one job cannot interfere with any other job data
  • On success, output file(s) are uploaded to the customer's output store
  • Whether a job succeeds or fails, all of its data is purged from the Worker instance
  • Content staged on intermediate storage is purged within 24 hours

Content submitted through S3 or GCS location URLs

  • Source content is fetched from the customer's S3 or GCS location directly to the Worker instance
  • Jobs are executed in isolation - one job cannot interfere with any other job data
  • On success, output file(s) are uploaded to the customer-owned S3 or GCS bucket
  • Source content as well as output content is purged from the Worker instance immediately, for both successful and failed jobs

External validation

In addition to this security planning and these precautions, we periodically perform penetration testing and PCI testing. For these purposes we engage the following external vendors to perform testing and reporting:

We take security seriously. Securing the infrastructure and keeping data safe is one of the primary design considerations that has gone into the development, deployment, and maintenance of all services running on the Telestream Cloud platform.