Trust, security, compliance.
Where we are today. Where we're going. The architecture decisions and sub-processors that make the security review tractable. Procurement-ready, written for engineers who'll skim it before sending it to procurement.
MpegFlow is pre-GA. SOC 2 Type II audit window opens 2026 Q4; until then we operate to SOC 2 controls and design partners run under bilateral NDA + DPA. GDPR data-residency is available today. The strict-broker security architecture is shipping in beta — see the full reference. If your procurement gates on Type II report or ISO 27001 today, we're honest about where we are; there's a path forward via the design partner program.
| Framework | Status | Target / detail |
|---|---|---|
| SOC 2 Type II | Audit window opens 2026 Q4 | Observation period under way. We are operating to SOC 2 controls today; the formal Type II report will issue after the standard 6-month observation period. |
| GDPR (EU subject data) | Available now | EU-region deployment available; sub-processor list disclosed below; DPA template available on request. Article 28 commitment matched. We are EU-data-residency-capable today. |
| HIPAA-eligible deployment | Available now (self-hosted) | For workflows handling PHI in healthcare-adjacent video (medical training, telehealth recordings), our self-hosted pattern with dedicated cluster + BAA-signed sub-processors is HIPAA-eligible. Talk to us during onboarding for the specific deployment shape. |
| ISO 27001 | On the roadmap (2027 target window) | Not currently on the immediate roadmap. We will pursue ISO 27001 once SOC 2 is established. If you have a hard requirement before our timeline, talk to us; we can discuss compensating controls during the engagement. |
| TPN / MPA security best practices | In progress (2027 Q1) | For pre-release studio content, we operate against TPN best-practice control families. Formal TPN gold-shield assessment scheduled following SOC 2 audit completion. |
| PCI DSS | N/A (out of scope) | We do not process payment card data — billing is handled by our payment processor (publicly listed below) which is PCI DSS Level 1. MpegFlow itself is out of PCI scope. |
Strict-broker — workers run with no credentials
Every encode worker has zero credentials. No DB password, no S3 IAM role, no service-mesh identity. The coordinator generates per-asset, per-job presigned URLs with one-hour TTLs. A successful exploit of a worker process cannot read other tenants' data because the worker has no path to it. Full strict-broker reference.
Per-job audit trail as primary data
Every job records: encoder version, container hash, full FFmpeg command, input asset hashes, output asset hashes, stage-by-stage timestamps, retry history. Append-only PostgreSQL table. Backed up nightly. Retained per contractual requirements (typically 7+ years for broadcast).
HMAC-SHA256 signed webhooks
Outbound webhooks carry an `X-MpegFlow-Signature` header signed with your webhook secret. Timestamp included to prevent replay. Failed deliveries retry with exponential backoff (1m → 5m → 30m). After 10 consecutive failures the webhook is disabled (circuit breaker) — your application stays healthy when your handler is broken.
Encryption everywhere
TLS 1.3 between every component pair. Object storage encrypted at rest with customer-managed KMS keys (CMK) supported. Encoder workers' local NVMe encrypted at rest. PostgreSQL encrypted at rest. No plaintext anywhere.
Cross-tenant data access on worker compromise
If an attacker exploits a libavformat vulnerability and achieves code execution within a worker, they cannot reach other customers' jobs or assets. Worker has no credentials to do so.
Replay attacks on webhooks
Timestamp-bound signatures with a 5-minute window. Old captured deliveries cannot be replayed against your endpoint.
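How a receiving application should check the signed webhooks described above (signature plus the 5-minute replay window), as an added example that is not MpegFlow's own code. The exact header layout is an assumption: here the `X-MpegFlow-Signature` value is taken as `t=<unix seconds>,v1=<hex HMAC-SHA256>` over `"<timestamp>.<raw body>"`; adapt the parsing to the documented format.

```python
import hmac
import hashlib
import time

REPLAY_WINDOW_SECONDS = 300  # the 5-minute window stated on the page


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """Build the assumed header value; used here only to produce test deliveries."""
    msg = str(timestamp).encode() + b"." + body
    digest = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


def verify_webhook(secret: bytes, header: str, body: bytes, now=None) -> bool:
    """Return True only if the HMAC matches AND the timestamp is within the window.

    `body` must be the raw request bytes, not a re-serialised JSON object,
    otherwise whitespace/key-order differences break the signature.
    """
    now = int(time.time()) if now is None else now
    parts = dict(p.split("=", 1) for p in header.split(",") if "=" in p)
    try:
        ts = int(parts["t"])
        provided = parts["v1"]
    except (KeyError, ValueError):
        return False  # malformed header: treat as unsigned
    # Replay defence: reject deliveries whose timestamp is stale or far in the future.
    if abs(now - ts) > REPLAY_WINDOW_SECONDS:
        return False
    expected = hmac.new(secret, str(ts).encode() + b"." + body, hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged signature cannot be probed byte by byte.
    return hmac.compare_digest(expected, provided)
```

Reject the delivery (HTTP 4xx) whenever `verify_webhook` returns False; returning 2xx for an invalid signature would also silence the retry/circuit-breaker path.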
Silent state corruption
Append-only audit log catches anything that doesn't match expected lifecycle. State changes are recorded with full provenance.
Lateral movement from worker pods
Kubernetes NetworkPolicy denies pod-to-pod traffic between tenants. IMDS blocked at the pod-network level. No service-mesh identity on workers.
Third parties that process customer data on our behalf. We disclose changes to this list with at least 30 days' notice for active customers; the list below is current as of 2026-05-05.
| Sub-processor | Purpose | Data · Region · Certifications |
|---|---|---|
| DigitalOcean | Compute and managed PostgreSQL hosting (production backend) | Data: Job records, audit logs, customer metadata · Region: NYC3, AMS3 (selectable per customer) · Certs: SOC 2 Type II, SOC 3, ISO 27001, PCI DSS, HIPAA-eligible |
| Vercel | Frontend hosting (mpegflow.com landing site) | Data: Public marketing content + analytics page-views (no customer data) · Region: Global edge · Certs: SOC 2 Type II, ISO 27001 |
| Resend | Transactional email (magic links, account notifications, contact form forwarding) | Data: Email addresses, message bodies for transactional sends · Region: US (us-east-1) · Certs: SOC 2 Type II |
| Namecheap Private Email | Inbound mail (hello@, security@, etc.) | Data: Inbound email content · Region: US · Certs: Operates under standard cloud security controls; no formal certifications. |
| Cloudflare | DNS and DDoS protection for mpegflow.com | Data: DNS lookups; no customer data · Region: Global · Certs: SOC 2 Type II, ISO 27001, PCI DSS, FedRAMP authorized |
| Data type | Where it lives | Retention |
|---|---|---|
| Customer video inputs | Customer-controlled S3 / object storage; we hold presigned URLs only at job-execution time. | Controlled by you — we never copy your inputs to long-term MpegFlow storage. |
| Encoded outputs | Customer-controlled S3 / object storage (you choose the bucket). | Controlled by you. |
| Job metadata + parameters | MpegFlow PostgreSQL (DigitalOcean managed, encrypted at rest). | Active for the lifetime of your account; deleted within 30 days of account termination. |
| Audit logs | MpegFlow PostgreSQL (append-only). | Configurable per contract; default 7 years for broadcast / regulated workloads, 90 days for standard SaaS. |
| Account credentials | Hashed (Argon2id) in MpegFlow PostgreSQL. Magic-link tokens stored as SHA-256 hashes. | Active credentials retained while account active; deleted within 30 days of account termination. |
| Webhook delivery records | MpegFlow PostgreSQL. | 30 days for delivered records; 90 days for failed deliveries (for debugging). |
| Email transactional logs | Resend (sub-processor). | Per Resend's retention policy (typically 90 days). |
security@mpegflow.com
Send vulnerability reports here. We acknowledge within 24 hours on weekdays, 72 hours on weekends. Encrypted submission preferred — PGP key publicly available; ask via the same address. We commit to:
- Acknowledge receipt within 24 hours (weekdays)
- Initial triage within 5 business days
- Status updates every 14 days while investigating
- Public disclosure coordinated with reporter, typically 90 days
- Bounty for qualifying issues (we're small; bounties are case-by-case)
What's in scope
In-scope: api.mpegflow.com, www.mpegflow.com, official open-source repositories under our org.
Out of scope: third-party services we use (report directly to them), DoS / DDoS testing, social engineering of our staff, physical security testing.
We recognize and credit researchers in our public security acknowledgments page (when shipped).
| Severity | Definition | Customer notification |
|---|---|---|
| P0 — Critical | Confirmed data breach affecting customer data, or service unavailable globally. | Within 24 hours via direct email to all affected customers, plus public status page update within 2 hours. |
| P1 — High | Significant degradation, partial regional outage, or vulnerability requiring customer action. | Within 24 hours via email; status page within 4 hours. |
| P2 — Medium | Single-customer issue or non-critical infrastructure incident. | Direct email to affected parties within 5 business days. |
| P3 — Low | Issues without operational or security impact (e.g. typos in audit log labels). | Logged in changelog; no proactive notification. |
Post-mortems for P0 and P1 incidents are published within 14 days of resolution, on our (forthcoming) status page. Until then, we email post-mortems directly to affected customers.
Data Processing Agreement (DPA)
Available on request. GDPR Article 28 commitment, sub-processor change notification, security incident notification, EU SCCs included for US data transfer.
Master Service Agreement (MSA) template
Standard template available; we accept customer-provided templates for enterprise contracts. Redline turnaround: ~5 business days for standard MSAs.
Mutual Non-Disclosure Agreement (MNDA)
One-page MNDA for design-partner conversations. Or use yours.
Standard request
Email hello@mpegflow.com with the document name and your company. We send the template within 1 business day.
Design partner conversations
The design partner program includes MNDA + one-page DPA bundled. We'll send both at the start of the engagement.
Custom contracts
For enterprise customers requiring custom MSAs, named TAM, or specific data residency: discussion starts at design-partner conversation.
Ask us directly.
Procurement reviewing MpegFlow as a vendor — we respond to security questionnaires within 5 business days. Email security@mpegflow.com or use the contact form (topic: Security).