Product & Functionality
The Services – what is vzaar?
vzaar is an Online Video Platform (OVP) Software-as-a-Service (SaaS) solution for ingesting, processing and providing distribution and playback services for video from the Customer. Without limitation, the Services include the following:
- A cloud-based dashboard and application for authorised users to ingest, configure, embed and deliver video content.
- A REST-based API for authorised users to ingest, configure, embed and deliver video content.
Our Approach To Data Security
Handling your video content and associated data is our primary business, and we take personal data protection, privacy and security very seriously. The documents here explain how we handle data collected when a client uses vzaar software.
We have been committed to investing in a continuous and growing security programme since we first established vzaar, and we strive to go beyond the expectations of our customers wherever possible.
Here are a few practical examples of security controls within our web application:
- HTTPS is favoured wherever possible
- User access to the vzaar Dashboard requires strong, complex passwords
- We invest in scheduled penetration tests
We also make use of external security experts from time to time to appraise our work and our data protection procedures.
For clarity, here are some terms we use in our security documents, and what they mean:
- You, Your Business
- The vzaar web application and RESTful API
- Video and audio files
Content Ownership, Acceptable Use & Access To Collected Data
Unambiguously, the video content we ingest is your video content and reserved solely for your own use.
We facilitate the ingestion, processing, storage and delivery of video and audio on our customers' behalf, and our intentions will always be framed by this.
Video Analytics, Data and Personally Identifiable Information related to the Controller's content and collected via our software are stored for the sole use of the Controller. We may use aggregate Video Analytics and Data to understand and improve our systems.
Some members of the vzaar technical staff will, from time to time, have restricted access to the content and analytics data we store on your behalf, so that we can carry out strictly necessary service tasks such as support, monitoring and improving the quality and performance of our own services. Neither we nor any third party will access your data for any other purpose, such as marketing or communications, except in the following circumstances:
- To provide a core feature or functionality which you request through the dashboard that depends on a third-party service.
- If we, or substantially all of our assets, are acquired or are in the process of being acquired by a third-party, in which case Personally Identifiable Information held by us, about our customers, will be one of the transferred assets.
- If we have been legitimately asked to provide information for legal or regulatory purposes or as part of legal proceedings or prospective legal proceedings.
Compliance & Accreditations
Working with UK & European organisations
We operate within, and fully comply with, UK and EU data protection law.
In light of the UK’s potential withdrawal from the European Union in the coming years, we will continue to appraise the situation and adopt the most customer-favourable position on data security that we can achieve. At a minimum we will meet the EU’s requirements as part of GDPR.
Working with US, UAE & other international organisations
As a company registered in the UK and storing data within the EEA, we are regulated by European laws, which are widely considered stricter than many outside the region.
Much of our compliance covers the core requirements of data law abroad; however, we believe that European law, with its protection of the rights of the individual and of ownership of data, currently provides the best protection of data anywhere worldwide.
If you are unsure how this affects your use of vzaar, we suggest you seek additional legal advice. In our experience, customers' compliance teams generally find parity even where we do not comply with a specific foreign law.
Data Processing Addendum (DPA)
We have developed a Data Processing Addendum/Agreement (DPA) that we will enter into with any user of our service who requires one, free of charge. The DPA forms part of the contract of service between vzaar (the Data Processor) and you, our customer (the Data Controller). The DPA reflects the parties' agreement with regard to the processing of personal data performed using the vzaar service. You may find this document useful in meeting your own GDPR (General Data Protection Regulation) commitments.
You may view and sign the vzaar DPA here: https://vzaar.com/legal/privacy/dpa
Registration with the UK Information Commissioner (ICO)
We are registered on the Data Protection Register maintained by the United Kingdom's Information Commissioner's Office (ICO). Our registration number is ZA373528.
The Relationship Between You & Us
What the ICO says: The Controller collects and processes Personal Data in connection with its business activities.
In plain English: You use vzaar to ingest, process and deliver content, and to analyze playback, for your business.
What the ICO says: The Processor processes Personal Data on behalf of other businesses and organisations.
In plain English: We manage that data for you.
What the ICO says: Article 17(2) of the Data Protection Directive 95/46/EC provides that, where processing of Personal Data is carried out by a processor on behalf of a Controller, the Controller must choose a Processor providing sufficient guarantees in respect of the technical security measures and organisational measures governing the processing to be carried out, and must ensure compliance with those measures.
In plain English: It is your responsibility to ensure our standards are good enough to meet your legal obligations and your organisation's own standards. We are always willing to try to help you meet whatever data obligations apply to your use of our software.
What the ICO says: Articles 17(3) and 17(4) of the Data Protection Directive require that where processing is carried out by a Processor on behalf of a Controller, such processing shall be governed by a contract or legal act binding the Processor to the Controller, stipulating, in particular, that the Processor shall act only on instructions from the Controller and shall comply with the technical and organisational security measures required under the appropriate national law to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and against all other unlawful forms of processing.
In plain English: We will manage content and data in accordance with the agreements we make with you, which are set out in our policies and terms and conditions when you sign up or start using our products. It is our responsibility to put measures in place to secure the content and data you store with us.
What the ICO says: The Processor takes all measures to protect Personal Data processed by the Processor on behalf of the Controller against a Security Incident and against all other unlawful forms of processing, as required under applicable national law. Such Technical and Organisational Security Measures shall include, as a minimum standard of protection, the following types of security measures: organisational controls, information security management systems; physical security; physical access controls; entry controls, virtual access controls, transmission controls, assignment of responsibility controls, availability and separation of responsibility controls, security and privacy enhancing technologies; awareness, training and security checks in relation to the Processor's Personnel; incident response management/business continuity; and audit controls/due diligence.
In plain English: We are required to put in place measures to protect the data we store on your behalf at the organisational, server and application levels.
Data Life & Disposal
Data Life, Retention & Protection
Data associated with your vzaar account (including personal information, video content and collected playback analytics data) is retained for as long as you have a vzaar account, and for any longer period required by law.
If you cancel your account, or it terminates for any reason (including non-payment), your account is retained as expired for a period of 60 days before being disabled and marked as closed. Trial accounts expire after 30 days. You may close your account from within the web application at any time.
After an account is closed content will enter the deletion process.
When video content is deleted from within the account, it goes into a "deleted category" from which the Customer can recover it for a period of 30 days. After this it becomes inaccessible to the Customer and goes into the deletion process.
We only retain your data to allow us to recover it should you accidentally delete it. We cannot guarantee that we will be able to restore any data you have deleted. We do not use soft-deleted data for any purpose other than to permit you an opportunity to restore it.
Sometimes we may retain deleted data to comply with our legal obligations, resolve disputes, or enforce our agreements. In these cases, we ensure that access to such data is blocked except for the purposes for which we have been required to retain the information.
It is the client’s responsibility to export, archive and delete data they collect, as well as to handle personal data stored inside vzaar in a manner that complies with any local laws or restrictions.
We will notify the Account Owner or Key Contact by email when an account is being prepared for deletion. We send a series of emails confirming the deletion timeline (we provide a 60-day grace period after the account expires during which the process can be stopped), including a confirmation email once erasure has occurred. Erasure is permanent, and it is not possible to re-activate a username associated with an erased account.
After the 90-day grace period, we begin deleting your video content and the backup content stored on vzaar. The deletion mechanism first archives the video content to a cold storage location, from which it can be retrieved only by administrator action, at a cost determined by the scope of the content being retrieved.
These files remain in cold storage for 90 days before being permanently deleted, with no option for recovery.
When we encode your content, we delete the original source files from vzaar after 35 days, unless you have chosen either the ‘Do Not Encode’ (DNE) option for your video, or the ‘keep source files’ option for your account.
If you select the DNE option, we keep your content as we do all other encoded video content.
If you select the ‘keep source files’ option, we keep all source files until the video is deleted (note that source files are not placed into cold storage like encoded content).
We maintain regular secure backups. It may take up to 35 days from the point you start record deletion to erase all traces of the content stored in our backup systems. We describe this as ‘residual data’, and this data is not accessible via the vzaar dashboard.
To provide delivery services vzaar uses a Content Delivery Network (CDN) that caches content at Points of Presence (PoPs) globally. Content may remain cached at these PoPs for as long as playback is required, dependent on algorithms that determine how often it is requested at each PoP.
Deleted content becomes stale at these PoPs and is flushed from the network as new content takes its place.
On request, individual cached content can be flushed sooner.
Servers & Physical Location
Data centre location
We use Amazon Web Services to provide compute and storage functions. Our primary Region is the US East (N. Virginia).
Full details of Amazon AWS Compliance (external link)
How Content Data Enters Our Software
Personal data enters the vzaar System when an individual willingly creates an account on the vzaar platform.
Content enters the vzaar System when a customer willingly uploads content via the web interface or API, or enables their users to do so.
Some of our optional premium or custom product features require the use of third-party services outside of the EEA. Where we must work with third-party contractors or data services located in other jurisdictions, we prefer to work with companies that operate within government-backed schemes such as the EU-US Privacy Shield (previously Safe Harbor) scheme where possible.
This section is restricted and only available on request. Please contact email@example.com to request a system schematic.
Account owners can subscribe to updates by email if we make material changes to our policies on our legal hub here: https://vzaar.com/legal/privacy
Mobile, Desktop & Remote Access (Working Out of Office/From Home) Policy
We permit vzaar team members to work from home and away from our dedicated office spaces. We require all team members to take care with their vzaar-issued devices when working outside a dedicated vzaar office space, and we apply a number of additional user verification controls to vzaar online services and administration features.
Because our service is offered as Software as a Service (SaaS), our staff access it on mobile and desktop devices and when working remotely. Access to vzaar online services is only available over a secure, encrypted (HTTPS) internet connection.
Company Owned Device & Operating System Policy
Our staff are issued with modern devices for the conduct of their work; we encourage them to run all updates in a timely manner and advise them on security practice. Critical OS updates are enforced by the manufacturer, or by us as necessary.
We deliver security training to all new team members and enforce disk encryption for all company issued devices.
Security Incident & Breach Reporting Policy
If a security or privacy issue is raised, a director of the business is immediately notified to co-ordinate the evaluation and the necessary response. The nature of the incident is logged together with the details, who is involved, the actions taken and proposals for future action.
If the evaluation determines that the incident is significant, we will communicate the nature of the security incident or breach to affected parties, including customers, as soon as we are able in the circumstances, and in a manner we believe will not worsen the issue.
We will also notify the relevant authorities as soon as feasible.
Application Software Update & Vulnerability Management Policy
Application updates are managed with a formalised version control flow, and go through development team testing, wider internal testing (both automated and human), and pre-release testing against the live database.
The final deployment of an application update is automated, and migrating to a new version requires no noticeable downtime.
We update our servers with new patches regularly. We also monitor for zero-day critical vulnerabilities and implement fixes within 24 hours or sooner where a patch is available.
Social Media Policy
Official social media accounts are managed and operated by a small number of authorised senior staff members. Access is granted and revoked on a case by case basis.
Help & Support Policy
We do not currently record phone calls made to our support team, however we may opt to update this policy in the future.
Policy Review Schedule
We review all of our internal policies on an as-needed basis, and also on a scheduled annual basis.
Penetration Testing & Summaries
We carry out a scheduled three-layer penetration test, conducted by a trusted third-party security company, every 1-2 years.
Our policy is that all reported issues are assessed within three business days, and remedied as fast as possible.
The scope of our penetration test consists of:
- a network level scan
- an un-authenticated application penetration test
- a fully-authenticated application test, including privilege escalation
An abbreviated summary of our most recent penetration test (scope, results and remediation) is available on request. For reasons of infrastructure security, we cannot supply the unabridged report.
General Data Protection Regulation (GDPR)
If you are collecting personal data from individuals in the European Union after 25 May 2018, your activity is subject to the European General Data Protection Regulation. This applies even where the data is captured or shared outside European geographical boundaries, if the processing relates to offering goods or services to, or monitoring the behaviour of, individuals in the EU.
You can find details of our Data Processing Addendum here: https://vzaar.com/legal/privacy/dpa