3Play Media Standard Security Terms & Conditions
Version 0.77.0 as of August 15, 2025
The following describes 3Play Media’s security program:
- Infosec Program. Maintain a formal information security (infosec) program with defined governance, staffing, scopes, policies, controls, and procedures. Implement appropriate administrative, physical, logical, structural, organizational, and technical safeguards and controls designed to achieve security, confidentiality, availability, processing integrity, privacy, and assurance.
- Empowered to Act. 3Play Media’s infosec program is overseen by its Security Committee, a group including technical and product leadership. The Security Committee and its members are empowered to move quickly and use all resources at 3Play Media’s disposal that it determines are required to address information security threats, including responding quickly to security events and incidents.
- Industry-Relevant Frameworks and Certifications. Meet and maintain industry certifications including: System and Organization Controls for Service Organizations (SOC 2) and TPN (Trusted Partner Network) for appropriate scopes of 3Play Media offerings [these are substantial industry-standard frameworks whose numerous protections and guarantees are subsumed here without undue reiteration]. Comply with applicable regulatory standards such as GDPR, CPRA, and HIPAA. Study and learn from standards such as ISO 27001, ISO 27005, the NIST AI Risk Management Framework, and NIST SP 800-53 even when we do not fully conform or formally audit against them. Follow effective strategies such as defense-in-depth, the Least Privilege Principle, fail-secure design, and Infrastructure as Code (IaC).
- Suppliers. Include 3Play Media suppliers in risk management and threat modeling. Annually review associated risk and security postures. Disclose the major suppliers used and the purpose of their engagement, in accordance with SOC 2 reporting requirements. Establish and enforce contractual obligations that require that suppliers maintain a security posture and program at a sufficient level for 3Play Media to maintain its own security requirements and commitments.
- Evaluation and Audit. Regularly evaluate and refine our infosec program, including risk assessment, policies, procedures, and protections, including with formal audits, certifications, and annual penetration tests by qualified external parties. Evaluation and audit shall be conducted to the standards of SOC 2, TPN, or a scope-centered equivalent.
- Transparency. Subject to 3Play Media’s operational security practices (including non-disclosure agreements) and upon written request, no more than once per year: Make available information about the design, implementation, and status of 3Play Media’s infosec program to customers. Share audit results or summaries thereof. At no time will information be externally shared, nor will external testing be permitted, that might reduce the security, confidentiality, availability, processing integrity, and privacy the infosec program aims to protect.
- Workers. Make employees and Accessibility Service Professionals (ASPs; as defined in the Master Services Agreement, the individuals who perform captioning, transcription, editing, description, and related services on behalf of 3Play Media) subject to strict confidentiality obligations, including binding Non-Disclosure Agreements (NDAs) and acceptance of relevant 3Play Media security and privacy policies and requirements. Ensure employees and ASPs have passed a suitable background check or security clearance, including criminal history and consistent with local laws and regulations, prior to their access to 3Play Media resources or customer content. The level of verification performed shall be proportional to the risk associated with their roles within the 3Play Media organization. Employees and ASPs are trained in good security practices, including the proper handling of sensitive information (PII, PHI, and confidential data) and the common risks to it (such as phishing and social engineering). Some workers receive additional role-specific training; technical staff, for example, are trained on secure development approaches. Training is given upon employment and refreshed annually for all those with significant access or access to high-sensitivity data (e.g. HIPAA data). Worker violations of security and confidentiality agreements are subject to disciplinary procedures, up to and including termination and legal redress, depending upon the nature and severity of the violation. Upon termination of employment or contract, 3Play Media promptly removes the worker’s access to all information systems and resources. Employees’ and ASPs’ non-disclosure and confidentiality obligations survive and continue beyond termination.
- Secure Access for Accessibility Service Professionals. ASPs shall have highly limited access to customer data. ASPs may only view data for which they have been enabled and which is currently being worked upon. ASPs’ access is transient and time-limited; once a job is completed, ASPs no longer have access to either the customer media or the accessibility artifacts on which they worked. In many cases, ASPs never have access to original full-resolution, full-quality customer data, only down-sampled proxies. Access is solely through 3Play Media-provided tools. The 3Play Platform’s proprietary editing tools provide only transient streaming access; downloads are not possible. For on-premises tools, other technical controls provide similarly time-limited access restricted to approved jobs. All network access to customer data is provided via encrypted mechanisms (e.g. HTTPS). This paragraph does not apply to services performed outside of the 3Play Platform.
- Appropriate Use. Not utilize, process, or disclose customer content except as permitted or required for its agreed-upon and intended uses. An exception is possible when required by law or legal process.
- Data Storage. All data is stored within the United States at an Amazon Web Services (AWS) data center.
- Retention and Secure Deletion of Customer Content. Customers may request custom deletion schedules for their content. HIPAA data is deleted 6 months after the last relevant service is delivered. Storage devices being decommissioned or repurposed will be permanently sanitized by a recognized procedure such as those outlined in NIST SP 800-88.
- Encryption. Encrypt data at rest and in transit with strong ciphers, protocols, and mechanisms. Data at rest includes workstations, servers, appliances, and cloud storage services (including file systems, block storage, object storage, and any storage underpinning database systems). Encryption of data in transit is required across untrusted or uncontrolled network segments such as wireless networks and the public internet. Encryption mechanisms and requirements evolve steadily; as of 2026 we require WPA2 or WPA3 for corporate wireless networks, TLS 1.2+ (TLS 1.3 preferred) with AEAD ciphers, SSH, SFTP, FTPS, or OpenVPN for general network transmission, and AES-256 for storage. 3Play Media discourages all cleartext storage and transmission, but admits several exceptions, including data already classified as public, and legacy communication mechanisms on which customers insist or for which there are no suitable encrypted alternatives.
- Logging. Maintain system, application, and audit logs suitable for the after-the-fact analysis and understanding of security, availability, and other events. Retain those logs, when feasible, in a collated, readily-searchable state to facilitate analysis and problem resolution.
- Security-Aware Development and Change Management. Develop software in a security-aware environment with technical staff trained on industry-recognized secure coding practices (such as those developed by OWASP and the Software Engineering Institute). Utilize active code review tools such as static application security testing (SAST) in both development environments and the software delivery pipeline to alert developers to possible problems and vulnerabilities. Utilize peer review, pre-release testing, automated testing, and other techniques to ensure best possible software quality. Utilize agile release / change management procedures approved by 3Play Media’s engineering and product leadership.
- Vulnerability Scanning and Remediation. Continually scan for problems and vulnerabilities, including using anti-virus/anti-malware tools, firewalls, intrusion detection and prevention systems (IDPS), and SAST. Track vulnerability information made available by security researchers, vulnerability clearinghouses, and other information sources concerning emerging and evolving risks associated with open source components, operating systems, networks, cloud services, and other technical components. Ensure that information resources concerning vulnerabilities (e.g. malware signatures) are frequently (and whenever possible, automatically) updated. Remediate discovered vulnerabilities using risk-based prioritization and following the principles set forth in ISO 27005.
- Incident Response. Maintain a formal incident response plan for responding to events and incidents, whether technical, security, or external in nature, which may impact or degrade the performance, security, confidentiality, availability, processing integrity, or privacy attributes of 3Play Media’s service to customers. 3Play Media technical staff and related personnel likely to respond to such incidents understand the plan and are familiar with appropriate techniques for the identification, acquisition, collection, collation, and preservation of pertinent information. Significant incidents are analyzed post mortem to document the incident, determine root and contributing causes, and plan and prioritize actions to prevent recurrence of the same or similar issues in the future.
- Security or Data Breach. Notify customers of confirmed data and security breaches involving their data without undue delay, and always within 72 hours after discovery (the 72-hour window set by GDPR Article 33). Customers may pre-register preferred security incident contact information with 3Play Media by emailing legal@3playmedia.com, and such contact information will be used to notify them in the event of a relevant security event. Following an identified security breach, 3Play Media shall provide affected customers information about the breach scope, impact, and root cause as it becomes available, and shall use commercially reasonable efforts to remedy the breach and prevent further breaches, in accordance with its security practices, taking into account the impact and severity of the breach.
- 3Play Media Security Contact. Customer- and partner-initiated security conversations may be initiated through standard 3Play Media support mechanisms. Security-related contacts are promptly escalated to our development team and Security Committee.
- Infosec-Related Insurance. Maintain appropriate Commercial General Liability, Professional Liability (“Errors and Omissions”), and Cyber Security/Privacy Liability insurance coverage.
- Scalability and Availability. Use appropriate sharding, auto-scaling, backup, snapshots, replication, redundancy, business continuity and disaster recovery preparations, and other strategies to achieve a robust, scalable, highly available service. Use monitoring, alerting, and related observability techniques to assist in performance and availability management as well as problem identification, reduction, and resolution, in order to provide the best possible security and service levels. Have a business continuity and disaster recovery program, plans, and preparations.
- Business Continuity and Disaster Recovery. Plan for business continuity (BC) and disaster recovery (DR) to mitigate the risk of unusual severe disruptions. Such plans shall be in accordance with the requirements of SOC 2 including being reviewed, updated, and tested (to the degree possible) at least annually. Customers shall be notified if the disaster recovery plan is executed in such a way that impacts customer services or data.
- Data Classification and Risk Management. Use a data classification system and related risk management matrix, so that the appropriate protections may be uniformly applied. Scale protections as appropriate for different levels of confidentiality and sensitivity.
- Artificial Intelligence. Manage the use of AI, as informed by best practice guidelines such as NIST’s AI Risk Management Framework (RMF). Establish policies to prevent the use of customer data for training publicly accessible models and to ensure that customer data is expeditiously deleted from third party AI models after it is no longer required.
- Regular Improvement. Use risk management, threat awareness, and other approaches to stay abreast of 3Play Media’s risk posture and the constantly-changing threat landscape, maturing customer and partner expectations, and evolving protection options.
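The Encryption item above sets a concrete, checkable rule for data in transit: TLS 1.2 or later, AEAD cipher suites only. The following is an added example, not 3Play Media's code, showing how a practitioner can audit a Python ssl.SSLContext against that rule using only the standard library. It builds a compliant client context beside a deliberately permissive one and reports which suites or settings fall short. The function names, the cipher-string choice, and the SAMPLE_SUITES list (constructed to mirror the shape of SSLContext.get_ciphers() output) are assumptions for the example; the rule itself comes from the text.

```python
"""Audit a TLS configuration against "TLS 1.2+ with AEAD cipher suites only".

Added example, not 3Play Media's code. Standard library only.
"""
import ssl

POLICY_MIN_VERSION = ssl.TLSVersion.TLSv1_2

# Constructed sample shaped like SSLContext.get_ciphers() output (trimmed to
# the fields the audit consults), standing in for a server's configured list.
SAMPLE_SUITES = [
    {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3", "aead": True},
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2", "aead": True},
    {"name": "ECDHE-RSA-AES256-SHA384", "protocol": "TLSv1.2", "aead": False},
    {"name": "AES256-SHA", "protocol": "SSLv3", "aead": False},
]


def audit_cipher_list(ciphers):
    """Return (suite name, reason) for every suite that is not AEAD.

    `ciphers` is an iterable of dicts like SSLContext.get_ciphers() returns;
    OpenSSL reports GCM, CCM and ChaCha20-Poly1305 suites with aead=True and
    CBC/HMAC suites with aead=False.
    """
    return [(s["name"], "not an AEAD suite") for s in ciphers if not s["aead"]]


def audit_context(ctx):
    """Check the version floor first, then every enabled cipher suite."""
    findings = []
    if ctx.minimum_version < POLICY_MIN_VERSION:
        findings.append(
            ("minimum_version", f"{ctx.minimum_version.name} allows TLS below 1.2")
        )
    findings.extend(audit_cipher_list(ctx.get_ciphers()))
    return findings


def hardened_client_context():
    """Client context that meets the rule: TLS 1.2 floor, AEAD suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Forward-secret key exchange with AES-GCM or ChaCha20-Poly1305 only.
    # TLS 1.3 suites are AEAD by construction and remain enabled.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20")
    return ctx


def permissive_client_context():
    """Deliberately weak counterpart: no version floor, CBC suites allowed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # no floor at all
    # "ECDHE+AES" also pulls in the CBC/HMAC suites, which are not AEAD.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+AES")
    return ctx


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("permissive", permissive_client_context())):
        findings = audit_context(ctx)
        print(f"{label}: {'compliant' if not findings else 'NON-COMPLIANT'}")
        for name, reason in findings:
            print(f"  {name}: {reason}")
    print("sample list:", audit_cipher_list(SAMPLE_SUITES))
```

The audit checks the version floor separately from the suite list because the two are independent knobs: a context can enable only AEAD suites yet still negotiate TLS 1.0 if `minimum_version` is left unset, and a TLS 1.2 floor alone still admits CBC/HMAC suites. The same two checks apply to a server-side configuration (an nginx `ssl_protocols`/`ssl_ciphers` pair, for instance) even though the example uses the Python ssl module to exercise them.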