Security is a critical part of our business and we strive to achieve the following goals:
- Ensure that customer data is encrypted and inaccessible to other customers and the public.
- Ensure that customer data is accessible to 3Play Media staff only to the extent necessary to perform the required work.
- Prevent loss or corruption of customer data.
- Maintain a redundant infrastructure with 99.9% uptime.
- Provide timely notifications in the event of a downtime.
- Provide continuous training for our staff on proper operation of our systems and best practices for security and privacy.
Data Storage, Access, and Transmission
All data are encrypted both at rest and in backups. Online application data is stored in a database replica set at Amazon Web Services (AWS) U.S. data centers. All interactions with the database are logged and available for audit for 30 days.
Data Retention and Disposal
Captions and transcript data are stored for a contractual minimum of 6 years. Customers may request that we purge any and all video, audio, streaming, and/or caption/transcript data from our system at any time. We also support periodic purging of this data on a customer specified schedule. We maintain certain metadata for customer assets in our database for accounting and billing purposes. In addition, source audio and video files may be purged from the system 180 days after file completion.
Our entire database is backed up, encrypted, every hour. We maintain a complete set of recent database backups that are protected by Amazon’s token-based two-factor authentication protocol.
Audio, video, and caption/transcript data transmitted through the application use SSL/TLS, AES-256 or higher. For FTP data upload we support FTP over SSL/TLS.
The 3Play Media system supports multiple users, departments, and admin privileges. Access to data and permissions can be customized for each user. We support customer-specified password complexity requirements. All user passwords are stored encrypted and transmitted using SSL/TLS. We have a system to assist users to retrieve lost passwords.
3Play Media Staff Access
Data is accessible to 3Play Media staff only to the extent necessary to perform the required work. Our staff have access to the media while it is being worked on. Once a job is complete, access is removed. While working on the data, our staff do not copy the information onto their hard drive. The data is processed using a web-based interface and sent directly to the 3Play Media server where it is stored on each save.
Redundancy and Uptime Reliability
Our goal is to have 99.9% uptime, including planned downtimes. We maintain a web page to show the live system status and uptime history.
For maximum reliability, we have geographic redundancy for our servers, databases, and file storage. Our main production environment is hosted at AWS Region 1, in Virginia, USA. We also maintain an instantly replicating environment at AWS Region 2, in Ohio, USA. If the Region 1 environment were to become unavailable, we can switch to Region 2 with very little interruption.
Defense In Depth Strategy
The following components further improve robustness:
- Our application is configured with multiple load-balanced web server instances that can be converted to single-server mode if needed. The two application instances are in different AWS availability zones.
- Our application has a master/slave database instance architecture, with the slave replicating the master’s state instantly. The master and slave instances are in different AWS availability zones.
- All media assets are fully replicated in two independent AWS regions with instant/transparent failover and per-asset granularity.
Business Continuity Plan
Our business continuity plan can be invoked in the rare event of a serious outage in our primary data center. It is designed to restore basic functionality within 30 minutes and full functionality within 2 hours.
In the event of a downtime, our goal is to provide clear, timely notifications to our customers. We notify customers at least one week in advance of any planned downtime. We try to be as conservative as possible when estimating the period of downtime. If the downtime is postponed, canceled, or longer than expected, we notify customers immediately. Once the downtime has been completed, we send an “all clear” notification.
3Play Media is HIPAA compliant and undergoes annual penetration testing. All staff are vigilant to protect the privacy and security in all forms, including printed, spoken, and electronic form. All staff are vigilant to protect the privacy and security in all forms, including printed, spoken, and electronic form. We ensure that our business associates and contractors who handle PHI fully comply with HIPAA and have business associate agreements when required to do so. We also have a business continuity plan. To maintain HIPAA compliance, we adhere to the following administrative safeguards and best practices:
- Protection of PHI from accidental disclosure on the internet.
- Forbidding accidental PHI disclosures in physical locations, such as discussions in the office kitchen.
- Employees are trained to ask the Privacy Officer when unsure about a particular PHI disclosure.
- Strong password security policies.
- Encryption of data transmissions.
- Strong email security policies.
- Safe browsing practices.
- Secure network.
- Use of secure software and hardware.
- Security of our office building and physical premises.
- Employee device policies, including screen lock.
- Compliance with retention and disposal of PHI.
- Employees are only able to access transcripts on an as-needed basis.
- We work with customers to limit the PHI content they transmit to us.
Data Collection and Usage
Credit Card Processing
We provide secure credit card payments through a third party payment processor. We store an independent ID# associated with a payment account handled by the payment processor. This ID cannot be used to identify the payment account independently and is sent to the payment processor to initialize the payment. 3Play Media does not see or store the actual credit card information.
Cookies are used to identify a user with session data using an unidentifiable string that only makes sense to the 3Play Media server and is unintelligible to a human reading the cookie. Explicit personal information, such as an email address or name, do not exist on the cookie. One month is the maximum expiration date set for session cookies.
We do not collect information other than what is uploaded by users in audio/video form and transcribed to text.
Third Party Marketers
Confidentiality and Staff Training
Our staff are USA residents who have signed confidentiality agreements with 3Play Media. Our staff are educated and trained on how to run systems correctly and best practices on security and privacy.
Protocol for Security Breach
In the event of a security breach, we have procedures for mitigating the breach and contacting all affected parties immediately.
We encrypt stored email addresses and comply with CAN-SPAM laws.