We know that keeping your data safe, available, and backed up is critical when trusting a service provider. We don’t expect anything less from our vendors, and neither should you. We’ve designed our security policies and procedures so that you can focus on what you do best — running your business.
Below are a few of the steps we take to ensure your data and videos are as secure as possible:
Secure, lightning-fast, and reliable global playback across devices is our top priority at Wistia. We bring 11+ years of experience implementing the best in video delivery.
- Wistia maintains an internal standard of 99.9% uptime. A log of historical uptime is included as part of our real-time status page, https://status.wistia.com
- We deliver content over frequently tested, proven infrastructure via multiple Tier 1 CDNs (over 230,000 servers located in 130+ countries). To deliver the best quality worldwide, Wistia serves video using adaptive bitrate streaming over HTTP Live Streaming (HLS): the player measures each viewer's available bandwidth and device capabilities and switches between video renditions on the fly, so playback continues without interruption when connection quality changes.
- Wistia services and infrastructure are designed to scale horizontally under all conditions. We employ redundant providers to minimize downtime in the event of a catastrophic failure. Our applications are containerized, our high-scale SQL databases are sharded, and we reserve capacity with our hosting provider to ensure we can meet customer demand.
All of our major hosting vendors hold up-to-date SSAE 16 (SOC 1) attestation reports. Wistia is hosted on Amazon Web Services (AWS), which provides extensive security controls and privacy features documented at https://aws.amazon.com/security.
Our team takes additional measures to maintain secure infrastructure, including:
- Monitoring for updates to third-party security and vulnerability databases
- SSH key-based authentication, with password authentication disabled, on all production and staging servers
- Entirely automated server provisioning for less error-prone deployments and fast disaster recovery
Wistia databases are backed up using industry-standard tools for each respective data store. Backup and recovery procedures are automated, with human intervention required only at the points where we want explicit confirmation or a failsafe.
User-uploaded videos are spread across three data centers and will continue to be available should any two of those data centers fail unexpectedly. Amazon S3 is designed to provide 99.999999999% durability of objects over a given year. This durability level corresponds to an average annual expected loss of 0.000000001% of objects. For example, if you store 10,000 objects with S3, you can on average expect to incur a loss of a single object once every 10,000,000 years.
Wistia is GDPR-compliant and supports the privacy rights of our customers and their users. In addition to our commitment to GDPR, we’re also certified under both the EU-US and Swiss-US Privacy Shield Framework. For further details on GDPR compliance, including our Data Processing Addendum and Privacy Mode for our video player, please visit https://wistia.com/support/account/gdpr.
We have implemented a formal policy and procedure for security incidents, which we can make available under NDA upon request. To learn from each incident and improve the response process, Wistia conducts and records an internal post-mortem, some of which we publish at status.wistia.com.
Wistia has a service-oriented architecture. We employ redundancy and automatic failover for critical services wherever doing so does not degrade the underlying service. For example, all videos are held on multiple servers and cached at multiple layers, and many of our databases automatically promote a replica if the primary goes offline.
- Wistia accounts are not crawled by search engines, and can be made completely private and password-protected.
- Our domain restriction feature (https://wistia.com/doc/account-setup#domain_restrictions) ensures your video can be embedded and played only on the domains you specify.
- Activation links that require a new user to set up a password are valid for a single use: once consumed, a forwarded or replayed link no longer works.
- All sensitive communication between our service and customers is done via HTTPS.
- User passwords are never stored in the clear; they are stored as salted hashes with a unique random salt per user. All actions within the Wistia app and API are scoped to the authenticated account.
- Credit card transactions go straight to our merchant over HTTPS and do not pass through Wistia’s servers. Both Wistia and our credit card processor are PCI compliant.
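The following is an added example, not Wistia's code, sketching three of the controls listed above as an application developer would implement them: a domain-restriction check for the page embedding a player, single-use activation tokens, and per-user salted password hashes. Storage is an in-memory dictionary standing in for a database, and the scrypt work factor, salt length, token lifetime and all names are assumptions, not values taken from the page.

```python
# Added example, not Wistia's code: an in-memory sketch of three controls named
# in the list above (domain restriction, one-use activation links, per-user
# salted password hashes). Parameter values and names are assumptions.
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple
from urllib.parse import urlsplit

SALT_BYTES = 16
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # assumed work factor (~16 MiB per hash)
ACTIVATION_TTL = 24 * 3600                      # assumed lifetime of an unused link, seconds


def embed_allowed(referer: str, allowed_domains: set) -> bool:
    """Domain restriction: permit playback only when the embedding page's host is
    an allowed domain or a subdomain of one. Parse the URL instead of doing a
    substring match, so "https://example.com.evil.net/" is rejected."""
    host = (urlsplit(referer).hostname or "").lower().rstrip(".")
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in allowed_domains)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user means two users with the
    same password get different digests, and a leaked table cannot be attacked
    with a single precomputed table."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def _token_id(token: str) -> str:
    # Only a hash of the activation token is stored, so reading the table
    # does not yield usable links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class AccountStore:
    def __init__(self) -> None:
        self.users = {}         # email -> {"salt", "digest", "active"}
        self.activations = {}   # sha256(token) -> {"email", "expires"}

    def create_user(self, email: str) -> str:
        """Create an inactive user and return its single-use activation token."""
        self.users[email] = {"salt": None, "digest": None, "active": False}
        token = secrets.token_urlsafe(32)
        self.activations[_token_id(token)] = {
            "email": email, "expires": time.time() + ACTIVATION_TTL}
        return token

    def activate(self, token: str, password: str, now: Optional[float] = None) -> bool:
        """Consume the token: it is removed before use, so presenting the same link
        a second time (forwarded or replayed) fails, as does an expired one."""
        now = time.time() if now is None else now
        record = self.activations.pop(_token_id(token), None)
        if record is None or record["expires"] < now:
            return False
        user = self.users[record["email"]]
        user["salt"], user["digest"] = hash_password(password)
        user["active"] = True
        return True

    def login(self, email: str, password: str) -> bool:
        user = self.users.get(email)
        if user is None or not user["active"]:
            # Do the same hashing work so response time does not reveal
            # whether the address exists.
            hash_password(password, b"\x00" * SALT_BYTES)
            return False
        return verify_password(password, user["salt"], user["digest"])
```

The activation token is popped from the store before it is checked, so a concurrent or repeated request for the same link cannot succeed twice; in a real database the equivalent is a single atomic delete-and-return. The domain check parses the Referer or Origin URL and compares host labels rather than substrings, which is the mistake that lets an attacker register a lookalike host.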
Wistia maintains a real-time status page at https://status.wistia.com, where you can subscribe to notifications via email, SMS, or RSS.
In addition to what is publicly disclosed, every Wistia service is monitored by several external services with points-of-presence around the world. Automated alerts are in place to notify us when anything unexpected or undesirable occurs, and we have an infrastructure team that is on-call 24/7/365 to address any issues.