Security @ Stream

Keeping our customer data safe and secure is our top priority. We take threats very seriously and work hard to protect our customers and their data.

This page gives an highlight on our security procedures and gives an overview on how we keep our infrastructure safe. Information about Data Security and Incident Response can be found here

Stream uses a variety of industry-standard technologies and services to secure your data from unauthorized access, disclosure, use, and loss. All Stream employees undergo background checks prior to employment and are trained on security practices during company onboarding and on an annual basis. Security is directed by Stream’s Chief Technology Officer and maintained by Stream’s Security & Operations team.

Vulnerability Disclosure

If you would like to report a vulnerability or have any security concerns, please contact security@getstream.io.

Include a proof of concept, a list of tools used (including versions), and the output of the tools. We take all disclosures very seriously. Once disclosures are received, we rapidly verify each vulnerability before taking the necessary steps to fix it. Once verified, we periodically send status updates as problems are fixed.

If you would like to encrypt sensitive information that you send us, our PGP key can be found on keyservers with the fingerprint:

0516 4FF6 B859 FD5C E63B 1F9D B6D4 4887 A7CF 6024

Infrastructure and Network Security

Physical Access Control

Stream is hosted on Amazon Web Services (AWS), a platform that maintains a rigid security program and has a world-class facility infrastructure. It deploys a comprehensive security architecture:

  • Network security
  • State of the art data centers
  • Access control
  • Network Monitoring and Protection

The data stored in the AWS data centers are housed in nondescript facilities, and have the following characteristics to keep your data as safe as possible:

  • Controlled physical access
  • Fire detection and suppression
  • Power
  • Climate and temperature
  • Management

Stream employees do not have physical access to AWS data centers, servers, network equipment, or storage.

Penetration Testing

We do black box penetration testing conducted by an idependent third-party agency on an annual basis.

Third-Party Audit

Amazon Web Services undergoes various third-party independent audits on a regular basis and can provide verification of compliance controls for its data centers, infrastructure, and operations. This includes, but is not limited, to SSAE 16-compliant SOC 2 certification and ISO 27001 certification.

Business Continuity and Disaster Recovery

High Availability

The Stream architecture was designed with fault tolerance and redundancy from the beginning. We deploy redundant servers at every level of the service, from load balancers to databases, and routinely test for failures of each part of the system.

Enterprise plans include a Service Level Agreement.

Business Continuity

All data sent to Stream is stored in multiple availability zones for immediate failover access, and backups are sent to different regions periodically. Backups are tested routinely for continuity and disaster recovery by our operations team.

Disaster Recovery

In the highly unlikely event of an entire AWS region failure, we can quickly scale up and divert traffic to a separate region.

Data Security and Privacy

Data Encryption

All off-site backups are encrypted at rest. Server configurations and secrets are stored in a distributed and secure storage. All access to secrets is logged.

All data in transit to and from Stream servers is encrypted with HTTPS Transport Layer Security (TLS) using modern cipher suites.

Data Removal

User data can be deleted upon customer request.

Application Security

Two-Factor Authentication

Users can enable 2FA to improve the security of their accounts. Plan administrators have the ability to see a list of users, including whether 2FA is enablaed on their accounts.

Single Sign-On

We offer SSO via GitHub Organizations.

SAML 2.0

Stream offers assertion markup language (SAML)-based SSO as a standard feature to customers on its Enterprise plan. SAML 2.0 enhances user-based security and streamlines signup and login from trusted portals to enhance user experience, access management, and auditability.

Email Security

We may send password reset tokens and information about account usage via email. We never send secrets such as passwords or API keys over email. We avoid spoofing/spam using industry best practices, such as Sender Policy Framework (SPF) DNS records.

Secure Application Development (Application Development Lifecycle)

Stream practices continuous delivery in our software development. All code changes require one or more reviewers and must pass a series of automated tests before they can be merged and deployed. This process ensures the best code quality and response time to bugs or other code issues.

Audit Logs

Organization administrators can see an activity log of actions that have taken place within their organization and its applicaitons. Actions logged include user invitations, creation, and modificaiton, as well as various application changes such as modifying feed groups or truncating data.

Corporate Security

Security Policies

Stream has a set of internal best practices that all employees must follow. These include:

  • Using Two-Factor authentication on all services
  • Using strong passphrases and unlock codes for all devices and private keys
  • Using full disk encryption on all devices
  • Never leaving devices unattended, and setting aggressive auto-lock timeout policies
  • Proper physical security best practices in and around office spaces

In addition to many others.

Background Checks

Stream conducts background checks for all new hires via Checkr, including verification on the following:

  • Identity verification
  • Sex offender registry check
  • Global watchlist check
  • National criminal records check
  • County criminal records check

Disclosure Policy

Stream notifies customers of any data breaches as soon as possible via email and phone call, followed by multiple periodic updates throughout each day addressing progress and impact. Stream Enterprise plans include a dedicated customer success manager who holds responsibility for customer communication, as well as regular check-ins and escalations. Stream maintains a live report of operational uptime and issues on our status page. Anyone can subscribe to updates via email from the status page.