Videosync Security Statement

We are committed to protecting the integrity, availability and confidentiality of our information systems and our customers' data. The following is an overview of the measures we take to keep your data secure.

1. Provider

Videosync is developed and maintained by Inderes Oyj, a Finnish company listed on the Nasdaq First North Stock Exchange in Helsinki, Finland (FI22776002).

2. Cloud security

Data Center Physical Security

Videosync uses infrastructure from Amazon AWS for data center hosting. Our provider's data centers are certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 1 and 2 compliant.

Amazon AWS employs robust controls to secure the availability and security of its systems. These include measures such as backup power, fire detection and suppression equipment, and secure device destruction, among others. Read more about Data Center Controls at AWS: https://aws.amazon.com/compliance/data-center/controls/

AWS physical security measures are described here: https://aws.amazon.com/compliance/data-center/perimeter-layer/

Encryption

Communication with Videosync over public networks is encrypted with TLS 1.2 or higher. All Videosync data is encrypted at rest: for the database we use MongoDB Atlas, which stores data on encrypted storage volumes, and for video and asset storage we use Amazon S3 buckets with encryption enabled.

Vulnerability scanning

We perform regular internal checks for potential system vulnerabilities using GitHub Dependabot. Dependabot is a crucial tool in our security measures, as it continuously monitors the third-party libraries and Docker images that we use. If Dependabot discovers any potential security vulnerabilities, it promptly alerts our developers. Moreover, our team is dedicated to keeping our product dependencies up to date to ensure improved security.

Environment segregation

Our dev, staging and production environments are logically separated from each other. Customer data is never used in the development or staging environments.

Access control

Staff access to our services is kept to the minimum needed for them to perform their duties. To ensure secure access and availability, we employ practices such as two-factor authentication and personal credentials. We use password managers to store shared secrets and passwords.

3. Availability and Continuity

Videosync is deployed on public cloud infrastructure. Services are deployed to multiple AWS availability zones.

Scheduled maintenance, service incidents and security incidents are communicated to Videosync admin users via email and in the admin user interface. Major solution updates are also communicated via email to all registered admin users.

Backups and snapshots

We have deployed several mechanisms to make sure that our customer data stays safe in case of accidental deletion or malfunction.

When a user or scheduled automation deletes an event, the event is first marked as “soft deleted”. Soft-deleted events are hard-deleted after 1 month. During this 1-month period, the events can be quickly recovered by support.

In addition to soft deletion, we have enabled the following processes to protect customer data:

  • Point in Time Database restore
  • Hourly Database snapshots
  • Daily Database backups
  • Asset storage versioning (S3)
  • Daily asset storage backups to another AWS region

Uptime and monitoring

We use Datadog to monitor our servers and for external uptime monitoring. All abnormal behaviour is reported to the development team with Slack, email and SMS alerts.

4. Data location and EU-related requirements

As mentioned in ‘Availability and Continuity’, availability in different geographical areas is secured with multiple availability zones. In practice, events or video streams originating in the US are handled by ingest servers based in the US, whereas streams originating in Europe are handled by ingest servers in Europe.

However, we have multiple clients who request that their data is kept in the EU region, and our infrastructure is built to respond to this demand. Should a client require that their data not be stored outside the EU, we accommodate this request. By default, the data of our clients residing in the EU is stored and handled solely in the EU region.

Certain features use subprocessors that can transfer data to the USA. See the vendor listing at the end of this document for details.

5. Personal security

Admin access control

Root-level accounts are used only by the developers responsible for the infrastructure, and only when needed. Access to customers' accounts is restricted to the users defined in the account settings. User access of Videosync staff is revoked upon termination of employment or change of job role.

Audience access to customer content can be controlled by using IP, password or referrer protections, or by enabling OAuth 2.0 login with Azure (Microsoft 365) or Google login.

Audit trail

All logins and access to a customer's account are logged in a detailed audit trail. If unauthorized access to the account is suspected, it is possible to discover which account was used, and access can be blocked temporarily.

Confidentiality and code-of-conduct

All employees with access to the Videosync environment are required to sign Non-Disclosure and Confidentiality agreements.

5. Data privacy

Videosync maintains compliance with the European Union's General Data Protection Regulation (GDPR). If data transfer is necessary, we use the EU Commission-approved standard contractual clauses for data transfer from the EEA to the United States. As mentioned in Chapter 3, Videosync can be operated without moving any data to the United States.

6. Third Party Security

Compliance with our security standards is the first priority when evaluating new vendors. Only vendors meeting our security criteria are accepted. Selected vendors are monitored on an ongoing basis to ensure that they do not cause potential security issues.

 

| Subprocessor | Purpose | Data processed | Data location |
|---|---|---|---|
| Amazon Web Services EMEA SARL | Hosting of Videosync services (EC2, ECS), video data storage (S3), CDN (CloudFront), transactional registration emails (SES). | Video files & video metadata, IP-addresses, e-mail addresses | EU |
| Nice People at Work | NPAW Suite video analytics service collects IP-addresses and video viewing analytics. | IP-addresses, video viewing analytics, Videosync registration user id | EU |
| Datadog | Application and server monitoring, collection of access and application logs | IP-addresses, user ids | EU |
| MongoDB Limited / MongoDB Atlas | Database hosting | IP-addresses, all registration data that the event viewer gives in Videosync event registration form (for example Name, email, phone number). This applies only if event has registration feature enabled and the fields are customizable by event organizer. | EU |

Optional Videosync applications/features and their subprocessors  

| Videosync applications and features | Subprocessor | Purpose of Subprocessing | Data categories processed | Data location |
|---|---|---|---|---|
| Teleconference | TurboBridge, 4905 Del Ray Avenue, Suite 300, Bethesda, MD 20814-2558 | Turbobridge provides a teleconference bridge for Videosync teleconferences. | IP-addresses, name, company name, phone number of users calling to teleconference | US |
| Web studio, Talkback, Breakout rooms | Daily, 548 Market St, Suite 39113, SAN FRANCISCO, California 94104 | Provides real-time communication technology for Videosync Breakout rooms and Web-studio | Anonymized IP addresses and names of users that are connecting to web studio, talkback or breakout room. | US |
| Subtitle and Transcription orders | Amberscript, Amberscript Global B.V., Keizersgracht 209, 1016DT Amsterdam, Netherlands | Machine and Human-made subtitle and transcription orders | Video and audio recording of the events where automatic or machine generated subtitles or transcripts are being ordered | EU |