Information Security Policy
1. Introduction
Information security is essential for Obscreen, which provides digital signage software through both self-hosted (on-premise) and cloud-hosted deployments, and processes customer account, billing, licensing, and content data. This policy establishes the guidelines and procedures to protect the confidentiality, integrity, and availability of company and customer information.
Scope note. This policy describes the security framework applied by Obscreen to the services it operates (Obscreen Cloud, license issuance, update / status APIs, public websites, internal tooling) and to the personnel who operate them. For self-hosted deployments, the security of the customer's infrastructure (workstations, servers, network, encryption, backups, monitoring) is the sole responsibility of the customer, in accordance with the Terms of Service. The principles described in this policy may be used as reference by self-hosted customers, but Obscreen does not implement or guarantee them on infrastructure that it does not operate.
2. Objectives
- Protect personal and customer data against any unauthorized access, alteration, disclosure, or destruction.
- Ensure compliance with applicable laws and regulations, in particular the GDPR.
- Maintain the trust of our customers, partners, and employees by demonstrating our commitment to information security.
- Prevent and effectively manage security incidents.
- Preserve the integrity of the Obscreen software, its license verification mechanisms, and the supporting cloud infrastructure.
3. Scope
This policy applies to:
- All employees, contractors, consultants, and partners of Obscreen.
- All information held or processed by Obscreen, regardless of medium (electronic, paper, oral).
- All information systems, networks, applications, and devices used to process Obscreen data, including the Obscreen Cloud platform, the Studio server, the supporting websites (obscreen.io, docs.obscreen.io, lic.obscreen.io, motd.obscreen.io, updates.obscreen.io, support.obscreen.io, plus all derived .com domains), and any internal tooling.
- Customer Content stored or transmitted through Obscreen Cloud services, within the limits defined by the Terms of Service.
4. Responsibilities
- Management: Support and promote the security policy and allocate the resources required for its implementation.
- Information Security Officer: Develop, implement, and monitor security policies and procedures.
- Team Leads: Ensure that their teams comply with security policies.
- Employees and Collaborators: Comply with all security guidelines and report any incident or vulnerability.
- Customers (self-hosted deployments): Remain solely responsible for the security of the infrastructure on which they install Obscreen, in accordance with the Terms of Service.
5. Asset Management
5.a Asset Inventory
- Maintain an up-to-date inventory of all information assets, including source code repositories, license servers, cloud workloads, customer databases, and media storage buckets.
- Classify assets according to their sensitivity and business importance.
5.b Asset Ownership
- Each asset must have an owner responsible for its protection.
- Asset owners are responsible for defining the appropriate access levels.
6. Access Control
6.a General Principles
- Principle of Least Privilege: Users may only access the information necessary to perform their role.
- Strong Authentication: Use of complex passwords and multi-factor authentication (MFA) for sensitive access, including production infrastructure, source code, license issuance systems, and payment-related tooling.
6.b Credential Management
- Credentials are individual and must not be shared.
- Passwords must meet the following criteria:
  - Minimum 20 characters.
  - Include uppercase letters, lowercase letters, digits, and special characters.
- The most sensitive passwords (production, license signing, payment, DNS, domain registrar) must be rotated at least once a year, and immediately when an employee or contractor with access leaves.
- Customer license keys must be kept confidential by the customer and are valid for a single instance only, in accordance with the Obscreen Private License Agreement (OBPLv1).
6.c Production and Database Access
- Write access to production databases and to the Obscreen Cloud control plane is restricted to authorized personnel through a secure VPN or bastion, with full activity logging.
- Read-only or analytics tools used internally to operate the service are configured with the minimum privileges required.
- Direct production access is prohibited for routine operations; changes must go through reviewed code, infrastructure-as-code, or auditable runbooks whenever possible.
7. Data Security
7.a Personal Data Protection
- Comply with all GDPR obligations regarding the collection, processing, and storage of personal data.
- Obtain explicit consent from customers when required for processing their data, in accordance with the Privacy Policy.
- Honor data subject rights (access, rectification, erasure, portability, objection) within the deadlines required by applicable law.
7.b Encryption (Obscreen-Operated Services)
- Data in Transit: TLS is used for all network communications between Players and the Cloud-hosted Studio operated by Obscreen, between the Obscreen Cloud control plane and its components, and on all our public endpoints.
- Data at Rest: Databases, object storage (media files), backups, and workstations are encrypted at rest on the infrastructure operated by Obscreen.
- For self-hosted deployments, the configuration of TLS and the encryption of data at rest are the responsibility of the customer; the recommendations above may be used as guidance.
7.c Backups (Obscreen-Operated Services)
- Daily backups of critical data (account databases, license records, customer media metadata, billing data) hosted by Obscreen are performed.
- Backups are stored securely, ideally in a separate region or provider, and restoration procedures are tested regularly.
- For self-hosted deployments, backups of customer data are the sole responsibility of the customer.
7.d Customer Content
- For self-hosted deployments, customer content remains under the sole control of the customer; Obscreen does not access, monitor, or back it up.
- For Obscreen Cloud, customer content is processed in accordance with the Terms of Service, and access by Obscreen personnel is limited to legitimate operational, legal, or abuse-handling purposes.
8. Network Security (Obscreen-Operated Services)
The measures in this section apply to the network infrastructure operated by Obscreen. For self-hosted deployments, network security is the responsibility of the customer.
8.a Network Configuration
- Firewalls and security groups segment the network and protect sensitive zones (production databases, license issuance, payment integrations).
- Unused services and network ports are disabled.
- Administrative interfaces are restricted to allowlisted networks or VPN access.
8.b Network Monitoring
- Intrusion detection and prevention mechanisms appropriate to the environment are deployed.
- Network and application traffic is monitored for suspicious activity, abuse, and unusual error patterns on customer-facing endpoints.
9. Physical and Endpoint Security
9.a Hosting Facilities
- Production workloads are hosted with reputable infrastructure providers (such as Hetzner, Cloudflare, AWS, Google) which provide certified physical security at their data centers.
- Selection of subprocessors takes into account their security and compliance posture, as listed on the Subprocessors page.
9.b Workstation and Equipment Protection
- Employees and contractors must protect the laptops and devices used to access Obscreen systems with automatic screen locking and up-to-date operating systems. No customer or production data is stored locally on workstations.
- Sensitive information must not be displayed on screens visible to unauthorized persons (in particular when working in public spaces).
- Lost or stolen devices must be reported immediately so that access can be revoked.
10. Security Incident Management
10.a Detection and Notification
- All employees must immediately report any incident or suspected incident, including suspicious emails, unauthorized access, malware, or accidental data disclosure.
- A clear procedure for incident notification, both internally and to affected customers and authorities, must be maintained.
- Personal data breaches that meet the GDPR threshold are notified to the competent supervisory authority within 72 hours.
10.b Incident Response
- The security team must analyze and contain the incident as soon as possible.
- All incidents and the actions taken must be documented.
- Affected customers are informed in accordance with applicable legal obligations and contractual commitments.
10.c Post-Incident Learning
- A post-incident review is performed to identify root causes.
- Corrective measures are implemented to prevent recurrence and the policy is updated when appropriate.
11. Business Continuity
11.a Continuity Plan
- Maintain a business continuity plan covering critical services (Obscreen Cloud, license verification, payment processing, support channels).
- Test the plan regularly and update it based on organizational, contractual, or technical changes.
11.b Disaster Recovery
- Maintain procedures for the rapid restoration of systems in case of a major incident or provider outage.
- Prioritize critical resources (license issuance, customer-facing Studio, content delivery) for efficient recovery.
- Document Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for each critical service.
12. Legal and Regulatory Compliance
12.a Compliance with Laws and Regulations
- Comply with all applicable laws, including the GDPR, French data protection law, and consumer protection regulations.
- Monitor legal and regulatory changes that may affect Obscreen, its customers, or its subprocessors.
12.b Audits and Controls
- Perform regular internal audits to verify compliance with this policy.
- Cooperate with external audits by independent organizations, customers, or regulators where reasonably required.
13. Training and Awareness
13.a Training Programs
- Run information security training sessions for all employees and contractors.
- Provide specific onboarding sessions for new employees and temporary collaborators, covering credentials, secure development, GDPR, and incident reporting.
13.b Awareness
- Regularly share communications on security best practices.
- Use awareness campaigns (internal posts, emails, workshops, phishing simulations) to reinforce the importance of security.
14. Policy Audit and Review
14.a Periodic Review
- This security policy must be reviewed at least once every three years.
- Significant organizational, technical, or regulatory changes may require more frequent updates.
14.b Continuous Improvement
- Encourage feedback from employees and contractors to improve policies and procedures.
- Integrate lessons learned from incidents and audits into policy updates.
15. Acceptance and Adherence
- All employees and collaborators must read and accept this policy.
- Failure to comply with the policy may result in disciplinary measures, up to and including termination of the employment or service contract.
- For customers, the Terms of Service, the Privacy Policy, and the Obscreen Private License Agreement (OBPLv1) define the security-related contractual obligations applicable to their use of Obscreen.
16. Contact
For any question regarding this Information Security Policy, or to report a security incident or vulnerability, please contact us at [email protected].
