Security & Compliance

At Zype, we understand that your data is the lifeblood of your business. When you entrust to us not only your content, but also viewership analytics, subscriber data, and anything else managed through our platform, we are committed to providing best-in-class security on all aspects of that data.

For that reason, we are proud to host and manage our infrastructure and your data to be compliant with industry-standard certifications including SOC 2, PCI, ISO 27001 and GDPR & CCPA. We monitor our network and perform penetration testing internally and externally to ensure we are meeting and exceeding standards. And for your streaming video content, we offer multiple levels of content security, including available DRM encryption in partnership with industry-leading standards and services.

How we host and manage your data

Zype hosts services using the following cloud infrastructure providers, who are themselves covered by the appropriate compliance standards under a shared responsibility model. The underlying provider assumes responsibility for physical hardware and security and virtualization controls. Additionally, the provider assumes responsibility for software it is running on Zype’s behalf, such as database platforms or content distribution. Zype assumes responsibility for the security and management of guest operating systems, configuration of firewalls and pre-existing software, and the development and deployment of custom applications.

Amazon Web Services

Zype uses AWS to deliver both internal and external parts of its infrastructure under the shared responsibility model for the following security and compliance standards:

  • ISO 27001
  • MPA
  • ISO 27017
  • SOC 2
  • ISO 27018
  • GDPR

Google Cloud Platform

Zype uses GCP to deliver both internal and external parts of its infrastructure under the shared responsibility model for the following security and compliance standards:

  • ISO 27001
  • MPA
  • ISO 27017
  • SOC 2
  • ISO 27018
  • GDPR

Stripe

Zype uses Stripe to offer payment processing options to its customers, under the following card processing standards:

  • PCI DSS Level 1
  • PSD2
  • SOC 2

Recurly

Zype uses Recurly to offer payment processing options to its customers, and to process payments for the Zype platform itself, under the following card processing standards:

  • PCI DSS Level 1
  • PSD2
  • SOC 2

Braintree

Zype uses Braintree to offer payment processing options to its customers, under the following card processing standards:

  • PCI DSS Level 1
  • PSD2
  • SOC 2

SOC 2

Zype is currently in the process of certifying its overall infrastructure as SOC 2 compliant. This assertion demonstrates that our computing infrastructure and company procedures ensure proper controls on data security, availability, processing integrity, confidentiality and privacy. Specific details of this certification are available upon request under an NDA.

PCI

Zype has self-certified its PCI compliance on payments for the Zype platform in accordance with our payment provider partners, and regularly reviews the PCI compliance of its partners. Specific details of this self-certification are available upon request under an NDA.

Personal Data and Privacy Rights

Zype is committed to protecting personal data and ensuring privacy for all customers worldwide. As part of that commitment, we are compliant with GDPR for services provided in the EU and CCPA for services provided in California.

At the customer’s request, our standard Data Processing Agreement can be executed on a customer’s behalf.

Our detailed Privacy Policy can be found below in the footer of our website.

Network Monitoring and Security

As part of Zype’s commitment to security and availability, we maintain logging and monitoring related to our infrastructure. All services are regularly monitored in real time for unusual activity, for performance tuning and for resolving unexpected issues. Access to Zype’s infrastructure is strictly controlled through a combination of secure authentication with a tiered authorization model as well as managed firewall rules to limit network access to well-known sources. Infrastructure is managed using a version-controlled source of truth that highlights any unexpected changes. All changes to infrastructure are audited and logged for review.

Penetration Testing

Zype conducts security penetration testing in order to discover flaws in our coverage. Our most recent third-party audit was conducted by Synack and revealed 8 vulnerabilities, all of which were resolved by the end of the audit period.

Content Security

All traffic between Zype and any external user is encrypted using industry-standard protocols. In all possible cases, we adhere to the recommendations set by Mozilla for the “Intermediate” compatibility tier in order to service the largest number of configurations while maintaining security.

In one specific edge case related to older devices, metadata related to media content may be accessed using a subset of legacy ciphers that were carefully reviewed and deemed to be acceptable for this narrow purpose.

All content stored with Zype is encrypted at rest, and internal access is granted on an extremely limited basis as needed. Content is always encrypted when moving between parts of the infrastructure, such as from storage to a Content Distribution Network.

DRM - Digital Rights Management 

DRM (e.g. “Hollywood DRM”, MultiKey DRM, Studio DRM) is an available option for customers leveraging a DRM partner. Zype supports EZ-DRM and BuyDRM at this time.

DRM leverages the following industry-standard content protection formats that rely on trusted video players:

  • Google Widevine
  • Microsoft PlayReady
  • Apple FairPlay