Security & Compliance
We understand that your data is the lifeblood of your business. When you entrust to us not only your content, but also viewership analytics, subscriber data, and anything else managed through our platform, we are committed to providing best-in-class security on all aspects of that data.
For that reason, we are proud to host and manage our infrastructure and your data to be compliant with industry-standard certifications including SOC 2, PCI, ISO 27001 and GDPR & CCPA. We monitor our network and perform penetration testing internally and externally to ensure we are meeting and exceeding standards. And for your streaming video content, we offer multiple levels of content security, including available DRM encryption in partnership with industry-leading standards and services.
Please reach out to security@zype.com with any security- or privacy-related incidents or inquiries.
How we host and manage your data
Zype hosts services using the following cloud infrastructure providers, who are themselves covered by the appropriate compliance standards under a shared responsibility model. The underlying provider assumes responsibility for physical hardware and security and virtualization controls. Additionally, the provider assumes responsibility for software it is running on Zype’s behalf, such as database platforms or content distribution. Zype assumes responsibility for the security and management of guest operating systems, configuration of firewalls and pre-existing software, and the development and deployment of custom applications.
Amazon Web Services
Zype uses AWS to deliver both internal and external parts of its infrastructure under the shared responsibility model for the following security and compliance standards:
ISO 27001 | ISO 27017 | ISO 27018 | MPA | SOC 2 | GDPR
More information available here.
Google Cloud Platform
Zype uses GCP to deliver both internal and external parts of its infrastructure under the shared responsibility model for the following security and compliance standards:
ISO 27001 | ISO 27017 | ISO 27018 | MPA | SOC 2 | GDPR
More information available here.
Stripe
Zype uses Stripe to offer payment processing options to its customers, under the following card processing standards:
PCI DSS Level 1 | PSD2 | SOC 2
More information available here.
Recurly
Zype uses Recurly to offer payment processing options to its customers, and to process payments for the Zype platform itself, under the following card processing standards:
PCI DSS Level 1 | PSD2 | SOC 2
More information available here.
SOC 2
Zype has received a SOC 2® Type II report asserting that our computing infrastructure and company procedures ensure proper controls on data security and service availability. This report is available upon request under an NDA.
PCI
Zype has self-certified its PCI compliance on payments for the Zype platform in accordance with our payment provider partners, and regularly reviews the PCI compliance of its partners. Specific details of this self-certification are available upon request under an NDA.
Personal Data and Privacy Rights
Zype is committed to protecting personal data and ensuring privacy for all customers worldwide. As part of that commitment, we are compliant with GDPR for services provided in the EU and CCPA for services provided in California.
At the customer’s request, our standard Data Processing Agreement can be executed on a customer’s behalf.
Our detailed Privacy Policy can be found below in the footer of our website.
Sub-Processors
Zype utilizes industry-recognized organizations to support its platform and services, so you can have peace of mind knowing your data is with trusted partners.
This list is current as of 2023-10-27.
| Sub-Processor | Country of Jurisdiction | Country of Processing | Description of Processing |
| --- | --- | --- | --- |
| Amazon Web Services (AWS) Amazon Web Services, Inc. 410 Terry Avenue North Seattle, WA 98109-5210 | United States | United States, Global | Cloud Infrastructure Services |
| Google Cloud Platform (GCP), Google Analytics, Google Tag Manager, Google Fonts Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043 | United States | United States, Global | Cloud Infrastructure Services, Backups, Analytics Services, Fonts |
| Edgecast / Edgio 11811 N. Tatum Blvd, Suite 3031 | United States | United States, Global | Content Delivery Network |
| Akamai 145 Broadway Cambridge, MA 02142 | United States | United States, Global | Content Delivery Network |
| New Relic, Inc. 188 Spear St., Suite 1000 San Francisco, CA 94105 | United States | United States | Site Monitoring / Observability Platform |
| Stripe 354 Oyster Point Blvd South San Francisco, CA 94080 | United States | United States | Payment Processing |
| Recurly, Inc. 201 Spear Street, Suite 1100 San Francisco, CA 94105 | United States | United States | Payment Processing, Order Management |
| Ordway Labs 1707 L St. NW Suite 850 Washington, DC 20036 | United States | United States | Payment Processing, Order Management |
| MongoDB 1633 Broadway, 38th Floor New York, NY 10019 | United States | United States | Scalable Database Services |
| Cloudflare, Inc. 101 Townsend St San Francisco, CA 94107 | United States | United States | DNS |
| MediaMelon, Inc. 50 Francisco Street, Suite 265 San Francisco, CA 94133 | United States | United States | Streaming Analytics / Intelligence |
| StatusPage, Jira Atlassian 350 Bush Street Floor 13 San Francisco, CA 94104 | United States | United States | Real-time status communication, software development tracking, change management tracking |
| Orca Security, Inc. 2175 NW Raleigh St, Suite 110 Portland, OR 97210 | United States | United States | Cloud Security Platform |
| Crowdstrike Crowdstrike Holdings, Inc. 150 Mathilda Place, 3rd Floor Sunnyvale, CA 94086 | United States | United States | Endpoint Detection and Response, Cloud Security, Security Operations |
| Mailgun Technologies, Inc. 112 E Pecan St, #1135 San Antonio, TX, 78205 | United States | United States | Transactional Email Platform |
| Salesforce, Inc. 415 Mission St 3rd Floor San Francisco, CA 94105 | United States | United States | CRM Platform |
| Zendesk, Inc. 989 Market Street San Francisco, California 94103 | United States | United States | Customer Service Management |
| Hubspot, Inc. 25 First Street, 2nd Floor Cambridge, MA 02141, USA | United States | United States | CRM and Marketing platform |
Network Monitoring and Security
As part of Zype’s commitment to security and availability, we maintain logging and monitoring related to our infrastructure. All services are regularly monitored in real time for unusual activity, for performance tuning and for resolving unexpected issues. Access to Zype’s infrastructure is strictly controlled through a combination of secure authentication with a tiered authorization model as well as managed firewall rules to limit network access to well-known sources. Infrastructure is managed using a version-controlled source of truth that highlights any unexpected changes. All changes to infrastructure are audited and logged for review.
Penetration Testing
Zype has partnered with a reputable third party to conduct a manual penetration test on Zype systems at least annually and as-needed throughout the year. These tests identify system and app vulnerabilities, business logic flaws, and other opportunities for Zype to take its protection of data to the next level.
Content Security
All traffic between Zype and any external user is encrypted using industry-standard protocols. In all possible cases, we adhere to the recommendations set by Mozilla for the “Intermediate” compatibility tier in order to service the largest number of configurations while maintaining security.
In one specific edge case related to older devices, metadata related to media content may be accessed using a subset of legacy ciphers that were carefully reviewed and deemed to be acceptable for this narrow purpose.
All content stored with Zype is encrypted at rest, and internal access is granted on an extremely limited basis as needed. Content is always encrypted when moving between parts of the infrastructure, such as from storage to a Content Distribution Network.
DRM - Digital Rights Management
Zype's DRM implementation will encrypt video content, ensure that the viewer is authorized to consume the content, and then decrypt the video for playback.
DRM leverages the following industry-standard content protection formats that rely on trusted video players:
- Google Widevine (DASH)
- Microsoft PlayReady (HLS)
- Apple FairPlay (DASH)
For more information, please see Product > Video Meta CMS > DRM.