Last updated - December, 2024
Introduction
This document highlights our security and conformity procedures.
Architecture
- We use Amazon Web Services (AWS) as our cloud provider. Our architecture is built on top of their services, which offer robust availability and some of the highest durability available on the market. Their global network also allows us to deliver content to users around the world with the best performance (using CloudFront).
- Our architecture is deployed in multiple regions (North America and Europe), with multiple Availability Zones (AZ) in each region to ensure high availability and resiliency.
- We use serverless technologies such as Lambda or ECS, which allow us to scale up and down based on demand, keeping our platform performance constant.
- We deployed our components on a private network that can’t be accessed from the internet to keep it secure.
- We follow AWS and software best practices and stay on top of new technologies.
Data storage
- Most of our customer data is media. We store it in AWS S3, which offers 99.999999999% durability and 99.99% availability.
- Our customer data is always encrypted at rest and in transit, and we designed our architecture to protect against cross-tenant access. Encryption is implemented using AES-256 standards for data at rest and TLS 1.2/1.3 for data in transit.
- We also use database technologies such as AWS RDS to store the organization information (collections, tags, etc.), with multiple replicas across multiple AZs.
- We use mechanisms like versioning and soft delete to protect against accidental deletion. We also have automated backups of our systems. Backup restoration tests are conducted quarterly to ensure data integrity and availability.
Authentication and authorization
- Authentication to the platform can be done via basic auth (email/password) or via SSO (available on request from the organization). Basic auth enforces password length and complexity requirements to make sure passwords are secure and not predictable.
- Accounts are created in one of two ways: by sending the user an invitation link so that they can create the account on their own, or by entering the user's information into the platform so that they receive an invitation email. In both cases, the user chooses their password.
- The user can reset their password by themselves at any time.
- Platform admins have full control over who has access to what. When creating different types of accounts, the admin can select feature by feature and page by page what this type of account can see or do.
- Access to content is controlled by admins. Our tagging system limits access to content by associating each user with a series of tags that they do or do not have access to.