Data security and privacy

Data encryption

Casting Cloud uses industry-best practices concerning the encryption of data when stored and while in transmission.

Encryption at rest

All data, including backups, is encrypted at-rest using AES-256 encryption.

Encryption in transit

Data is encrypted while moving between us and the browser with Transport Level Security (TLS) 1.2.

Secure Sockets Layer

Secure Sockets Layer (SSL) certificates are issued and managed through Let's Encrypt, and HTTP Strict Transport Security (HSTS) is enabled. We score an A+ rating on Qualys SSL Labs tests.

Data retention

Deleting data

Users can delete data within Casting Cloud if they have the correct access rights. Deleted production data is kept for up to 60 days before it is permanently deleted. It can take up to 30 days for all data to be removed from backups.

Deleting productions

Users can delete their entire Casting Cloud production if they have the correct access rights. This will delete all data that you have provided to Casting Cloud. It can take up to 30 days for all data to be removed from backups.

Subscription cancellation

Following the cancellation of a Casting Cloud subscription, you will have at least 30 days to download your customer data from Casting Cloud. After this period, we have no obligation to maintain or provide any customer data to you. We will delete all customer data provided to us after this period.

Free subscriptions

For Free Plans, data will be retained in the workspace until a cancellation is submitted. Casting Cloud reserves the right to, upon prior written notice to Customer, delete accounts for Free Plans (and all Customer Data contained therein) that have been inactive for more than 90 days.

Subprocessors

To support delivery of our Services, Casting Cloud engage and use data processors with access to certain Customer Data or Personal Information (each, a “Subprocessor”). This page provides information about each Subprocessor. Please email security@castingcloud.com if you have any questions.

Vercel vercel.com

• Location: Covina, United States
• Security certifications: ISO27001, SOC2.
• Data processed: User provided content
• Use: CDN, DNS, SSL, domain management, application hosting, data capture, transformation and progressing.
• DPA signed: Yes – incorporated into terms.

Google Cloud Platform (GCP) cloud.google.com

• Location: Sydney Australia Region (australia-southeast1).
• Security certifications: Privacy Shield, ISO27001, SOC3.
• Data processed: Anonymized content, user-added content, email address, IP address.
• Use: Data storage, user authentication, backups.
• DPA signed: Yes – incorporated into terms.

MUX mux.com

• Location: South Carolina, United States (us-east1) & N. Virginia, United States (us-east4)
• Security certifications: ISO27001.
• Data processed: Video content.
• Use: Video encoding, video streaming, data storage.
• DPA signed: Yes – incorporated into terms.

Stripe stripe.com

• Location: San Francisco, United States.
• Security certifications: PCI.
• Data processed: Billing contact name, email, address, card details.
• Use: Payment processing and subscription management.

Data breach disclosure

Casting Cloud is committed to taking all reasonable measures to secure your customer data.

In the unlikely event of a data breach, Casting Cloud is prepared to take steps to limit the effects of any data breach and to assist any customers potentially affected by a data breach with meeting their obligations under law.

Data breach definition

Casting Cloud defines a data breach as any unlawful destruction, loss, alteration or unauthorized disclosure of access to customer data.

Notification

Casting Cloud will notify customers without undue delay after becoming aware of a data breach. Customers will be contacted by email and phone (when provided), and followed by multiple periodic updates throughout each day addressing progress and impact.

Australian Privacy Act

As an Australian-based business, Casting Cloud is obligated to comply with the Australian Privacy Act. Under the Notifiable Data Breaches scheme Casting Cloud must notify individuals about an eligible data breach when:

• there is unauthorized access to or unauthorized disclosure of personal information, or a loss of personal information, that Casting Cloud holds
• this is likely to result in serious harm to one or more individuals, and
• Casting Cloud hasn't been able to prevent the likely risk of serious harm with remedial action

Data Security

Logical separation

Casting Cloud utilizes a multi-tenant architecture where all customers share the same computing resources. Logical separation of data between customers and correct access is enforced through Google Service Rules. Transaction-scoped configuration variables are leveraged in Google Rule policies to ensure the correct access permissions before any data is transmitted to users.

Development Practices

Software development life cycle

Casting Cloud follows standard Software Development Life Cycle (SDLC) policies and procedures to guide in implementing and documenting application and infrastructure changes.

Development environments

All code is deploy and tested in a staging (development) environment that is functionality equivalent to production environments. Casting Cloud performs testing and quality assurance procedures in this staging environment before releasing to the production environment that is used by customers. No customer data is ever used or accessible from staging or local development environments.

Version control

Casting Cloud employs Git version control to maintain source code versions and manage the migration of source code through the development process through to release. Using a decentralized version control allows multiple developers to work simultaneously on features, bug fixes, and new releases; it also allows each developer to work on their own local code branches in a local environment. Git maintains a history of code changes, supports rollback capabilities and tracks changes to individually identifiable developers.

All code is written, tested, and saved in a local repository before being synced to the origin repository. Writing code locally decouples the developer from the production version of the Casting Cloud code base and insulates Casting Cloud from accidental code changes that could affect users. Any changes involving the persistence layer (database) are performed locally when developing new code, where errors or bugs can be spotted before the change is deployed to users.

Code review

Code changes are managed and reviewed through Git pull requests. Every pull request is manually reviewed and approved before it can be merged. Automatic and integrated testing is also performed with each pull request, and all tests must pass before a code change can be merged.

Security bugs

Security bugs represent key issues and will be resolved quickly to maintain the security, confidentiality, privacy, processing integrity, and availability of the Casting Cloud service. Casting Cloud uses Vercel's provided SLA benchmarks to ensure compliance and timely resolution of bugs.