Security and Compliance
Effective October 30, 2024
This document outlines our commitment to safeguarding the security and privacy of the data you entrust to us. Here, you will find detailed information about how we host and manage our services, our compliance with international security standards, our data protection practices, and the measures we take to ensure the integrity and availability of our systems.
Hosting
Our application components are hosted across multiple services:
- Firebase: Manages user authentication and backend functionalities and hosts static assets and client-side code.
- Google Cloud Platform: Serves our Websocket API.
Third-party services
The following third-party tools are implemented within our tool:
- OpenAI’s GPT API: We use the GPT API from OpenAI in order to parse and import CSV rundowns into Rundown Studio. Data is only shared with this third-party tool when the user explicitly uploads a rundown in CSV format and manually begins the import process. In addition, the only data shared with the tool is the CSV contains uploaded by the user.
Authentication
Users can access our Services using either Email/Password authentication or Google OAuth 2.0. Currently, we do not support Two-Factor Authentication.
Session Management
Session tokens are automatically renewed unless explicitly revoked by the user. We implement an invalid password lockout policy to enhance security.
Compliance Certifications
Our servers and infrastructure providers are compliant with major security standards:
- Firebase: ISO 27001, SOC 1, SOC 2, and SOC 3 compliant. More Info
- Google Cloud Platform: ISO 27001, SOC 1, SOC 2, and SOC 3 compliant. More info
Data Storage
Data related to events and rundowns (cues, cell content, etc) is stored in Firebase Firestore located in multiple European regions (Belgium, Netherlands and Finland), with backups retained for 7 days. Images (cell uploads, logos, etc.) are stored in a Google Cloud Platform storage bucket under an “EU (multiple regions in European Union)” policy.
Security Practices
- Data Deletion: Upon deletion, rundown data and user accounts are purged from our systems within 30 days. All backups are also erased within 30 days.
Backup and Recovery
Our data recovery strategy includes:
- Daily Snapshots: Taken every day with a retention period of 7 days.
- Weekly Snapshots: Taken every Sunday with a retention period of 30 days.
System Integrity and Redundancy
- Testing: We perform automated tests prior to any system update to ensure the integrity of critical functions.
- Redundancy: Critical systems maintain at least triple redundancy to guarantee high availability. Our system’s reliability can be monitored on our status page.
Security Measures
- Data Encryption: All data in transit is encrypted using SSL. However, data stored on our systems is not encrypted at rest but is safeguarded through strong authentication and security protocols.
- Third-Party Access: Access to live user data is strictly limited to authorized staff. Confidentiality agreements are in place with contractors and business associates, and where feasible, they work on test or anonymized data to prevent unauthorized access to sensitive information.
For more details on which third-party services we use that may receive personal information, please refer to our Privacy Policy.