Effective Date: March 15, 2021
Keeping our customer data safe and secure is our top priority. We take threats very seriously and work hard to protect our customers and their data.
Stream uses a variety of industry-standard technologies and services to secure your data from unauthorized access, disclosure, use, and loss. All Stream employees undergo background checks prior to employment and are trained on security practices during company onboarding and on an annual basis. Security is directed by Stream’s Chief Technology Officer and maintained by Stream’s Security & Operations team.
If you would like to report a vulnerability or have any security concerns, please contact email@example.com.
Include a proof of concept, a list of tools used (including versions), and the output of the tools. We take all disclosures very seriously. Once a disclosure is received, we rapidly verify each vulnerability before taking the necessary steps to fix it. Once verified, we send periodic status updates as problems are fixed.
If you would like to encrypt sensitive information that you send us, our PGP key can be found on keyservers with the fingerprint:
0516 4FF6 B859 FD5C E63B 1F9D B6D4 4887 A7CF 6024
Infrastructure and Network Security
Physical Access Control
Stream is hosted on Amazon Web Services (AWS), a platform that maintains a rigorous security program and a world-class facility infrastructure. It deploys a comprehensive security architecture:
- Network security
- State of the art data centers
- Access control
- Network Monitoring and Protection
The AWS data centers that store the data are nondescript facilities with the following characteristics to keep your data as safe as possible:
- Controlled physical access
- Fire detection and suppression
- Climate and temperature control
Stream employees do not have physical access to AWS data centers, servers, network equipment, or storage.
Black-box and/or grey-box penetration testing is conducted annually by an independent third-party agency.
Amazon Web Services undergoes various independent third-party audits on a regular basis and can provide verification of compliance controls for its data centers, infrastructure, and operations. This includes, but is not limited to, SSAE 16-compliant SOC 2 certification and ISO 27001 certification.
Business Continuity and Disaster Recovery
The Stream architecture was designed with fault tolerance and redundancy from the beginning. We deploy redundant servers at every level of the service, from load balancers to databases, and routinely test for failures of each part of the system.
Enterprise plans include a Service Level Agreement.
All data sent to Stream is stored in multiple availability zones for immediate failover access, and backups are sent to different regions periodically. Backups are tested routinely for continuity and disaster recovery by our operations team.
In the highly unlikely event of an entire AWS region failure, we can quickly scale up and divert traffic to a separate region.
Data Security and Privacy
All off-site backups are encrypted at rest. Server configurations and secrets are stored in distributed, secure storage, and all access to secrets is logged.
All data in transit to and from Stream servers is encrypted using HTTPS (Transport Layer Security, TLS) with modern cipher suites.
User data can be deleted upon customer request.
Users can enable 2FA to improve the security of their accounts. Plan administrators can see a list of users, including whether 2FA is enabled on each account.
We offer SSO via GitHub Organizations.
Stream offers Security Assertion Markup Language (SAML)-based SSO as a standard feature to customers on its Enterprise plan. SAML 2.0 strengthens user-based security and streamlines signup and login from trusted portals, improving user experience, access management, and auditability.
We may send password reset tokens and information about account usage via email. We never send secrets such as passwords or API keys over email. We avoid spoofing/spam using industry best practices, such as Sender Policy Framework (SPF) DNS records.
Secure Application Development (Application Development Lifecycle)
Stream practices continuous delivery in its software development. All code changes require one or more reviewers and must pass a series of automated tests before they can be merged and deployed. This process ensures code quality and a fast response to bugs or other code issues.
Organization administrators can see an activity log of actions that have taken place within their organization and its applications. Logged actions include user invitations, creation, and modification, as well as application changes such as modifying feed groups or truncating data.
Stream has a set of internal best practices that all employees must follow. These include:
- Using two-factor authentication on all services
- Using strong passphrases and unlock codes for all devices and private keys
- Using full-disk encryption on all devices
- Never leaving devices unattended, and setting aggressive auto-lock timeout policies
- Following proper physical security practices in and around office spaces
among many others. For additional questions, feel free to reach out at firstname.lastname@example.org.
Stream conducts background checks for all new hires in accordance with applicable local regulations, which may include the following:
- Identity verification
- Sex offender registry check
- Global watchlist check
- National criminal records check
- County criminal records check
Stream notifies customers of any data breaches as soon as possible via email and phone call, followed by multiple periodic updates throughout each day addressing progress and impact. Stream Enterprise plans include a dedicated customer success manager who holds responsibility for customer communication, as well as regular check-ins and escalations. Stream maintains a live report of operational uptime and issues on our status page. Anyone can subscribe to updates via email from the status page.