Tapemetric

Security

How we protect your data.

Effective April 1, 2026

Streaming analytics involves a lot of data — what your viewers watched, where they were, what they paid. We treat that data the way we’d want our own to be treated.

Encryption

  • TLS 1.2+ on every endpoint, public and internal.
  • AES-256 at rest for MySQL data files and S3 archives.
  • API keys stored as SHA-256 hashes — plaintext is shown once at creation only.
  • JWT bearer tokens signed with HS256, secret rotated quarterly.
  • Bcrypt for password hashing, work factor 12.

Infrastructure

  • AWS hosting in ap-south-1 (Mumbai) by default; eu-west-1 and us-east-1 on Enterprise plans.
  • Private VPCs with no public database endpoints. RDS access is only via an IAM-authenticated bastion.
  • Network egress restricted to known CDN, DNS, and email vendors via security groups.
  • Server hardening: no SSH password auth, no root login, automatic nightly security patching.

Access control

  • Production access is gated behind SSO + hardware MFA.
  • All production access is logged; logs are immutable for 13 months.
  • Customer data is queryable only via the authenticated API, never read directly by support staff.
  • SCIM and SAML SSO available on Enterprise plans.

Compliance

  • SOC 2 Type II — audit in progress, attestation expected Q3 2026.
  • India DPDP Act compliant by default — see the Privacy policy.
  • GDPR DPA available for European customers on request.
  • Annual third-party penetration test; reports available under NDA.

Vulnerability disclosure

If you discover a vulnerability in our product or infrastructure, please email security@tapemetric.com. We’ll acknowledge within 24 hours and send a triage update within 72 hours. Researchers acting in good faith are exempt from terms-of-service restrictions during their work.

We don’t currently run a paid bug bounty, but every confirmed report receives a written thank-you, public credit if you want it, and a small token of appreciation.

Sub-processors

The full sub-processor list:

  • Amazon Web Services (hosting and storage)
  • MaxMind (offline GeoIP database — no outbound calls)
  • Stripe and Razorpay (billing only — never receive event data)
  • Sentry (error monitoring; payloads scrubbed of PII before transmission)
  • Postmark (transactional email)

Customers are notified at least 30 days before any new sub-processor is added.

Incident response

We maintain a 24/7 on-call rotation for security incidents. In the event of a confirmed breach affecting customer data, we will notify affected customers within 72 hours of discovery, with an initial assessment, the data classes involved, and the remediation timeline.