Security & compliance, by default
We treat security as a product feature, not an afterthought. Every layer — from edge to storage — is built with the assumption that you'll be audited tomorrow.
Certifications & attestations
Independently audited by Big Four firms. Reports and audit letters are available to Enterprise customers under NDA.
SOC 2 Type II
Audited 2025 by Deloitte. Renewed annually.
ISO 27001:2022
Information security management system certified.
GDPR compliant
EU data residency, DPA included with every contract.
HIPAA available
BAA on Enterprise tier. PHI-aware audit logging.
PCI DSS aware
We don't store payment data, but our infra is designed to operate within PCI-scoped environments.
CCPA / CPRA
California consumer privacy rights honored with DSAR tooling.
Data handling
Encryption in transit
TLS 1.2+ enforced on all endpoints. Strong cipher suites only (ECDHE + AEAD). HSTS preload enabled.
Encryption at rest
AES-256-GCM with per-tenant key derivation. Keys are managed in an HSM-backed KMS with quarterly rotation.
Data residency
EU, US, and APAC regions available. Customer data never leaves selected jurisdiction. Cross-region replication is opt-in only.
Audit logs
Every admin action and API call logged with tamper-evident chain hashing. Export to S3 / GCS / Azure Blob.
Access control
Role-based access control (RBAC) plus optional attribute-based access control (ABAC). SSO via SAML 2.0, OIDC, and OAuth2. MFA enforceable per tenant.
Vulnerability disclosure
Bug bounty via HackerOne. Responsible disclosure policy published. Security incidents disclosed within 24 hours.
Sub-processors
We use a minimal set of trusted vendors. Current list (last updated April 2026):
Reporting vulnerabilities
Found a security issue? We appreciate responsible disclosure.
Send details to security@mediagateway.example or report via our HackerOne program. We acknowledge within 24 hours and aim to resolve critical issues within 72 hours.
PGP public key: 5C4B 8F2E 9A1D 7C3B
Bounty rewards: $500 – $15,000 depending on severity