Customer Data Encryption Policy
This policy describes the encryption measures applied to customer data processed by Obscreen and the Obscreen Cloud platform. It complements the Information Security Policy, the Systems Security and Integrity Policy, the Privacy Policy, the Terms of Service, and the Subprocessors page.
1. Introduction
The protection of customer data is a priority for Obscreen. This policy describes the encryption measures applied to customer data, both in transit and at rest, in order to ensure the confidentiality and integrity of information when it is transmitted between systems and users, and when it is stored on our infrastructure.
2. Objectives
- Ensure the confidentiality of customer data while in transit on public and internal networks.
- Protect the integrity of information against any unauthorized alteration or interception.
- Protect data at rest stored on our infrastructure against unauthorized access in case of physical or logical compromise.
- Comply with applicable data protection standards and laws, in particular the GDPR.
3. Scope
The technical measures in sections 4, 5, and 6 of this policy describe what Obscreen implements and maintains for the services it operates, namely:
- The Obscreen Cloud platform (Studio control plane, customer accounts, license records, customer media stored on Obscreen Cloud).
- The public websites and APIs operated by Obscreen (obscreen.io, lic.obscreen.io, motd.obscreen.io, updates.obscreen.io, support.obscreen.io, docs.obscreen.io, and any other domain operated by Obscreen).
For self-hosted deployments of the Obscreen software, the security configuration of the installation is the sole responsibility of the customer, in accordance with the Terms of Service. This includes:
- The deployment of TLS certificates and the configuration of HTTPS for the customer's Studio and Player endpoints.
- The authentication mechanisms used to protect the customer's Studio and APIs.
- The encryption of data at rest on the customer's infrastructure.
- The protection of network access to the customer's installation.
The recommendations and best practices described in this document may serve as guidance for self-hosted deployments, but Obscreen does not implement, monitor, or guarantee them on infrastructure that it does not operate.
4. Encryption of Data in Transit (Obscreen-Operated Services)
The measures in this section apply to the services operated by Obscreen (Obscreen Cloud, public websites, license / update / status APIs). For self-hosted deployments, the configuration of TLS, certificates, and authentication is the responsibility of the customer; this section may be used as guidance.
4.a Protocols Used
- HTTPS (HTTP Secure) : Web communications with the services operated by Obscreen are secured via the HTTPS protocol.
- TLS (Transport Layer Security) : Modern and secure versions of TLS (TLS 1.2 and TLS 1.3) are used to establish encrypted connections. Legacy versions (SSL, TLS 1.0, TLS 1.1) are disabled.
- Strong Key Sizes : Server certificates rely on RSA keys of at least 2048 bits, or on equivalent ECDSA keys, in accordance with current industry recommendations.
4.b Implementation
- SSL/TLS Certificates : Certificates issued by recognized Certificate Authorities (such as Amazon Trust Services, Let's Encrypt, or those provided by our CDN partner Cloudflare) are deployed on the public-facing services operated by Obscreen.
- Secure Server Configuration : Obsolete or vulnerable cryptographic protocols and cipher suites are disabled. HSTS is enabled where appropriate.
- Regular Validation : Tests are performed regularly to ensure that certificates are up to date, that automatic renewal works, and that configurations follow current best practices.
4.c Access to APIs and Internal Services
- Public APIs operated by Obscreen : The public APIs operated by Obscreen (Obscreen Cloud Studio, license issuance, update / status services) are accessible only via HTTPS, with secure authentication where applicable.
- Player-to-Studio Communications (Obscreen Cloud) : Communications between Player clients and the Cloud-hosted Studio operated by Obscreen use HTTPS / WSS. For self-hosted deployments, the protocol used between Players and the customer's Studio depends on the customer's configuration; deploying TLS is strongly recommended and remains the customer's responsibility.
- Inter-Service Communications (Obscreen Cloud) : Communications between internal services within our Cloud infrastructure may use unencrypted channels inside the trusted network boundary, but external access is strictly prohibited without authenticated VPN access (see Systems Security and Integrity Policy).
5. Encryption of Data at Rest (Obscreen-Operated Services)
The measures in sections 5.a and 5.b apply to data stored on the infrastructure operated by Obscreen as part of Obscreen Cloud and the supporting services. Section 5.c covers self-hosted deployments.
5.a Current Policy
Customer data stored on the Obscreen Cloud infrastructure is encrypted at rest, leveraging the encryption capabilities provided by our managed cloud services.
- Databases : PostgreSQL hosted on Hetzner (Germany) is configured with disk-level encryption at rest, using the encryption features provided by the underlying infrastructure.
- Primary object storage (media files, exports) : Cloudflare R2 (Western Europe region, WEUR) is used for object storage and provides server-side encryption at rest natively.
- Database backups : Automated backups of certain databases are encrypted and stored on AWS S3 in the Paris region (eu-west-3), providing an additional layer of redundancy on a separate provider, while remaining within the European Union.
- Workstations : No customer or production data is stored locally on the laptops used by employees and contractors to access Obscreen systems; the security of those workstations relies on the absence of local sensitive data, screen locking, and up-to-date operating systems rather than on full-disk encryption.
5.b Complementary Security Measures
In addition to encryption at rest, the following measures protect stored customer data:
- Strict Access Controls : Access to production databases and storage is restricted to authorized users through a secure VPN.
- Granular Permissions : Permissions are granted following the principle of least privilege.
- Monitoring and Audit : Access and activity on the database and storage are monitored and logged to detect any suspicious activity.
- Physical Security : The data centers used by our subprocessors (Hetzner, Cloudflare, AWS, Google) provide robust physical security measures to protect the underlying hardware infrastructure.
5.c Self-Hosted Deployments
For self-hosted deployments, the encryption of data at rest is the responsibility of the customer. Obscreen recommends:
- Enabling full-disk encryption on the host running Obscreen Studio.
- Configuring the underlying database with encryption at rest where the database technology supports it.
- Backing up the configuration and media in a secure, encrypted location.
6. Key Management (Obscreen-Operated Services)
The measures in this section apply to the services operated by Obscreen.
- Encryption keys for managed services used by Obscreen Cloud are stored and managed by the cloud providers' Key Management Services (KMS), in accordance with their published security and compliance documentation.
- TLS private keys for the public-facing services operated by Obscreen are generated and stored in secure environments, and are rotated according to industry best practices.
- Access to key management systems is restricted, audited, and protected by multi-factor authentication.
For self-hosted deployments, the management of encryption keys is the sole responsibility of the customer.
7. Responsibilities
- Technical Team : Implement and maintain the appropriate encryption protocols and configurations.
- Information Security Officer : Monitor compliance with this policy and propose improvements where necessary.
- Employees and Collaborators : Follow security procedures when handling customer data.
- Customers (self-hosted) : Implement appropriate encryption measures on their own infrastructure, in accordance with the recommendations above and the Terms of Service.
8. Compliance and Regulation
- GDPR : The encryption measures described in this policy contribute to our compliance with the GDPR's requirements regarding the protection of personal data, in particular the obligation of "appropriate technical and organizational measures" (Article 32).
- Technology Watch : We continuously monitor technological and regulatory developments to maintain and improve our security posture.
9. Training and Awareness
- Training Sessions : Employees and contractors receive training on the importance of encryption and associated best practices.
- Continuous Awareness : Regular communications are shared on updates to security protocols and on emerging threats.
10. Policy Review
- Updates : This policy is reviewed at least once a year or whenever there is a significant change in the technological or regulatory environment.
- Future Improvements : Where applicable, we evaluate the introduction of customer-managed keys (CMK / BYOK), end-to-end encryption for specific data flows, and additional cryptographic controls to further strengthen the protection of stored information.
11. Acceptance and Adherence
- Commitment : All employees and collaborators must read this policy and commit to following it.
- Non-Compliance : Any breach of this policy may result in disciplinary measures, up to and including termination of the employment or service contract.
12. Contact
For any question regarding this Customer Data Encryption Policy, or to report a security incident or vulnerability, please contact us at [email protected].
