Did you know? All Video & Audio API plans include a $100 free usage credit each month so you can build and test risk-free. View Plans ->

Stream.io Security

Effective Date: April, 2024

Keeping our customer data safe and secure is our top priority. We take threats very seriously and work hard to protect our customers and their data.

Stream uses a variety of industry-standard technologies and services to secure your data from unauthorized access, disclosure, use, and loss. All Stream employees undergo background checks prior to employment and are trained on security best practices during company onboarding and on an annual basis. Security is directed by Stream’s Head of Information Security, and all the teams within Stream collaborate and share responsibilities to continuously improve our security posture.

Trust Center

To request Stream's compliance documents and get additional information on Stream's security posture, please refer to Stream's Trust Center

Vulnerability Disclosure

If you would like to report a vulnerability or have any security concerns, please contact security@getstream.io.

Include a proof of concept, a list of tools used (including versions), and the output of the tools. We take all disclosures very seriously. Once disclosures are receivied, we rapidly verify each vulnerability before taking the necessary steps to fix it. Once verified, we periodically send status updates as problems are fixed.

Stream is currently looking into starting a Bug Bounty program, updates should follow in the near future.

If you would like to encrypt sensitive information that you send us, our PGP key can be found on keyservers with the fingerprint:

0516 4FF6 B859 FD5C E63B  1F9D B6D4 4887 A7CF 6024

Compliance

At Stream we are committed to ensure we comply with the relevant industry standards and best pratices.

Stream complies with the following Security standards:

  • ISO 27001:2013 (27001:2022 reports will be available in June 2024)
  • SOC2 Type II
  • ISO 20243. The register is available at: O-TTPS Certification Register

Stream complies with the following regulations pertaining to health data:

  • HIPAA

Stream complies with the following privacy regulations:

  • GDPR
  • CCPA
  • DPF. the registration can be checked by searching for "Stream" in the DPF list page
  • Local regulations applicable on the regions where processing is offered.

Video API was luanched in 2024 and it will be formally included in the ISO 27001:2022 and SOC 2 Type II audit in the next audit window.

More information, including requesting available compliance reports, can be found in the Trust Center page.

Infrastructure and Network Security

Physical Access Control

Stream is hosted on Amazon Web Services (AWS), a platform that maintains a rigid security program and has a world-class facility infrastructure. It deploys a comprehensive security architecture:

  • Network security
  • State of the art data centers
  • Access control
  • Network Monitoring and Protection

The data stored in the AWS data centers are housed in nondescript facilities, and have the following characteristics to keep your data as safe as possible:

  • Controlled physical access
  • Fire detection and suppression
  • Power
  • Climate and temperature
  • Management

Stream employees do not have physical access to AWS data centers, servers, network equipment, or storage.

Penetration Testing

We do black box and/or grey box penetration testing conducted by an idependent third-party agency on an annual basis. Furthermore, Stream security team performs internal penetration tests, as necessary.

Vulnerability Management

Stream regularly scans all its relevant assets for known vulnerabilities and remediates accordingly, prioritising issues with higher severity.

Third-Party Audit

Stream runs its services on Amazon Web Services. As such Stream verifies, at least on a yearly basis, the posture of its critical third parties.

Amazon Web Services undergoes various third-party independent audits on a regular basis and can provide verification of compliance controls for its data centers, infrastructure, and operations. This includes, but is not limited, to SSAE 16-compliant SOC 2 certification and ISO 27001 certification.

Data segregation

All Customer's data will always be segregated from other Customer's data through application logic and authorization controls.

Addtionally, we offer two options: multi tenant and single tenant. Customers that need a higher level of security and segregation can request a dedicated shard. A dedicated shard is a set of infrastructural resources.

Business Continuity and Disaster Recovery

High Availability

The Stream architecture was designed with fault tolerance and redundancy from the beginning. We deploy redundant servers at every level of the service, from load balancers to databases, and routinely test for failures of each part of the system.

Enterprise plans include a Service Level Agreement.

Business Continuity

All data sent to Stream is stored in multiple availability zones for immediate failover access. Should one availability zone fail, the service will immediately switch to the next available zone.

Stream performs daily backups and stores them in a separate location. Please note that Stream will not transfer your backups in a different geographical location to avoid issues with data transfers or regulations. Backups are tested routinely for continuity and disaster recovery by our operations team.

Disaster Recovery

In the highly unlikely event of an entire AWS region failure, we can quickly scale up and divert traffic to a separate region.

Doing so will require explicit Customer's approval, to avoid running into issues with data transfers and different regulations that may apply.

Data Security and Privacy

Data Encryption

Stream encrypts data at rest, using AWS KMS CMK (Customer Managed Keys). The latter ensures that Amazon Web Services does not have access to the keys, which are managed exclusively by Stream.

Off-site backups are encrypted at rest. Server configurations and secrets are stored in a distributed and secure storage. All access to secrets is logged.

Data in transit to and from Stream servers is encrypted with HTTPS Transport Layer Security (TLS) using modern cipher suites.

Stream does not natively support End to End Encryption. For the moment, it's possible to use external solutions as described in one of our blog posts: Stream E2EE Chat

Data Removal

Our API provides endpoints that allow our Customers to manage their data, including its deletion.

Alternatively, it is possible to request deletion of the data, and eventually the account, by sending an email to legal@getstream.io

Application Security

Two-Factor Authentication

Users can enable 2FA to improve the security of their accounts. Plan administrators have the ability to see a list of users, including whether 2FA is enablaed on their accounts.

User Management

For each organization, users with administrative privileges will be able to provision other users and change their privileges. Currently we support regular users and admin users.

Single Sign-On

We offer SSO via GitHub Organizations.

SAML 2.0

Stream offers assertion markup language (SAML)-based SSO as a standard feature to customers on its Enterprise plan. SAML 2.0 enhances user-based security and streamlines signup and login from trusted portals to enhance user experience, access management, and auditability. More information are available in consultation.

Email Security

We may send password reset tokens and information about account usage via email. We never send secrets such as passwords or API keys over email. We avoid spoofing/spam using industry best practices, such as Sender Policy Framework (SPF) DNS records.

Secure Application Development (Application Development Lifecycle)

Stream practices continuous delivery in our software development. All code changes require one or more reviewers and must pass a series of automated tests before they can be merged and deployed. This process ensures the best code quality and response time to bugs or other code issues. Furthermore, Stream performs dependency scanning as well as automated tests that run as part of our development pipelines.

Audit Logs

Organizaiton administrators can see an activity log of actions that have taken place within their organization and its applicaitons. Actions logged include user invitations, creation, and modificaiton, as well as various application changes such as modifying feed groups or truncating data.

Corporate Security

Security Policies

Stream has a set of internal best practices that all employees must follow. These include:

  • Using Two-Factor authentication on all services
  • Using strong passphrases and unlock codes for all devices and private keys
  • Using full disk encryption on all devices
  • Never leaving devices unattended, and setting aggressive auto-lock timeout policies
  • Proper physical security best practices in and around office spaces

In addition to many others. For additional questions, feel free to reach out at security@getstream.io.

Stream's security requirements are defined in Stream's Security policies, defined according to ISO 27001:2013 and SOC2 Type II.

Background Checks

Stream conducts background checks for all new hires, according to local applicable regulations, eventually including verification on the following:

  • Identity verification
  • Sex offender registry check
  • Global watchlist check
  • National criminal records check
  • County criminal records check

Incident Management

Stream notifies customers of any data breaches as soon as possible via email and phone call, followed by multiple periodic updates throughout each day addressing progress and impact. We will send communication within 72 hours after becoming aware of the breach.

Stream Enterprise plans include a dedicated customer success manager who holds responsibility for customer communication, as well as regular check-ins and escalations. Stream maintains a live report of operational uptime and issues on our status page. Anyone can subscribe to updates via email from the status page.

For all relevant incidents, we will provide our customers with as much information as possible to enable them to communicate on their end where necessary.

Stream performs Root Cause Analysis for the relevant incidents, after which improvements are identified and implemented, in order to ensure the problem won't occur again.

Additional Information

Please refer to our FAQ page to see the answer to the most frequent security and privacy related questions.

As a Customer, you might want to have more detailed information than the one described in this page. Depending on your subscription tier, we will be able to provide compliance reports, penetration tests and pre-filled questionnaire as well as Customer provided questionnaires. Please reach out to your Stream representative to evaluate the options.