Deployment and hosting
Can I install my own instance of CaptionHub behind my firewall?+−
Yes. For our Enterprise customers, CaptionHub can be deployed in a variety of ways. Please contact us for more details.
Where is CaptionHub hosted?+−
For a cloud install, CaptionHub typically hosts our applications and your data with Amazon Web Services (AWS), an industry leader providing a highly scalable, secure cloud computing platform.
Does my data exist alongside other users?+−
It depends on your install. For our multi-tenant customers, it does. CaptionHub is extremely well tested to ensure that users don't see each other's data, but if you require absolute separation, then we'd recommend you opt for our Single Tenant or On Premise installation options.
Where is personal data stored?+−
Personal data is stored in the EU (Ireland).
Certifications and compliance
What certifications does CaptionHub hold?+−
CaptionHub has full ISO27001:2013 certification and has achieved SOC II Type 2. Our system of continual improvement is compliant with international security standards including ISO27001, the Cloud Security Alliance's CAIQ and SOC II.
How does CaptionHub handle international data transfers?+−
We ensure compliance with GDPR and other cross-border regulations when transferring data via EU Standard Contractual Clauses (SCCs) plus the UK Addendum, and the UK's International Data Transfer Agreement (IDTA) where appropriate.
Who oversees security governance?+−
A Security Working Group chaired by our CEO oversees information risk and security management. Our Information Security Policy is reviewed annually by the Security Working Group, and also upon significant changes.
Encryption
Is data encrypted in transit?+−
Yes. Traffic to and from the browser is encrypted via SSL/TLS (TLS 1.2 with SHA256 certificate).
Is data encrypted at rest?+−
Yes, using 256bit encryption via Amazon's SSE-S3. Cryptographic controls are governed by central policies covering key generation, renewal, and storage throughout their lifecycle.
How are secrets managed?+−
Application secrets are stored in AWS secrets manager and encrypted using 256-bit AES keys. Customer secrets are stored in the CaptionHub database and encrypted using 256-bit AES keys.
Authentication and access control
How does CaptionHub handle authentication?+−
We use Auth0 to manage authentication, which enables multi-factor authentication, password strength management, and so on. For SSO, we use WorkOS. Custom integration with your own authentication schemes is available for our on-premise customers.
What happens if my credentials are leaked in a third-party breach?+−
Via Auth0, CaptionHub protects and notifies users if and when their credentials are leaked by a data breach of a third party. CaptionHub prevents access until the user has reset their password.
What access does a new user have by default?+−
None. By default, a new user for CaptionHub has no access – permission needs to be explicit, and given for each and every project.
Can you produce an audit trail which logs who has accessed what?+−
By default a user can't see anything in CaptionHub, they have to be manually given access to a project before they can view it. We track user login times and IP address, and we log various forms of activity: handover, download, assignment, etc.
Who can see my information?+−
Access to data is limited to CaptionHub account administrators and developers. From time to time, CaptionHub also employs third party developers, who are strictly contractually bound regarding any confidential information.
Do CaptionHub employees have access to customer data?+−
We operate under the least access principle – employees only receive the minimum access required for their role. Few CaptionHub employees have access to customer data; front line support staff do not, unless explicitly given access by our customers.
What additional security measures are available to Enterprise customers?+−
Enterprise customers benefit from additional security measures, including IP whitelisting, 2 factor authentication, SSO / custom authentication, and watermarking encoded media.
How is content protected from unauthorised downloads and screen captures?+−
Expiring URLs mean that it's difficult to download linked media, even if access is granted, and the logged in user's email address is superimposed over video, making screen captures traceable.
Testing and threat detection
How often is CaptionHub tested for vulnerabilities?+−
We run an application vulnerability scan every week using Detectify with the latest attack vectors, carry out application and network vulnerability threat assessments on an ongoing basis, conduct penetration testing and code review at least annually (or after a major architectural change), and review and test our security control framework annually.
How are containers and infrastructure monitored for threats?+−
We scan all containers for vulnerabilities as part of the build process using Trivy. Our containers are built to be immutable, and no additional software is installed on deployment. Running services are scanned regularly for vulnerabilities using Detectify, and our AWS infrastructure is monitored for threats using Guard Duty.
What malware protection is in place?+−
We scan our network and systems for vulnerabilities nightly using RKHunter, ClamAV and AIDE. Virus signatures are updated daily, and applications are regularly kept up to date.
Is there a Web Application Firewall?+−
Yes. All requests go through a Web Application Firewall to filter traffic from known malicious IPs or with patterns that look like common attacks.
Development practices
How is code secured before deployment?+−
Rules for software and system development are established and applied, covering system design, development environments, secure testing, and development principles. All code is QA'd before deployment, and a security analysis is an explicit part of that process.
Are development and production environments separated?+−
Yes. Development, testing, and operational environments are separated into Staging, Live and Development environments within AWS to reduce risks of unauthorised access or changes.
Can developers access running containers?+−
No SSH or password access to running containers is possible. If necessary for a developer to connect to a container, this is done using AWS Session Manager (SSM). Developer AWS keys are stored locally using aws-vault, and for production access require two-factor authentication.
Personnel
Are employees screened before joining?+−
Yes. CaptionHub enforces pre-employment screening for all staff including reference checks for the last 3 years, criminal background checks, CV verification, and a 3 month probation period.
Do employees receive security training?+−
All employees receive regular security awareness training, which new employees are also required to complete.
Are contractors bound by confidentiality agreements?+−
Contractors and third-parties must sign NDAs before employment. Information security policies and procedures must be read, understood and signed-off before any access is given to any information system.
How is remote working secured?+−
Remote employees use VPN technology with encrypted protocols (IPsec/SSL) and two-factor authentication. We maintain clear desk and clear screen policies with appropriate training.
What happens when an employee leaves?+−
When an employee's contract ends, access to all systems is revoked immediately and methodically to ensure no residual access remains, and information assets are removed from personal devices during termination.
Continuity and backups
How is CaptionHub backed up?+−
We take hourly backups of our database to Amazon S3. We don't back up video data, but we do back up caption data/work so that it can be restored in due course. Video data is also stored on S3, which has a durability rating of 99.999999999%.
Is there a single point of failure?+−
No. CaptionHub is configured in a High Availability pattern, with no single point of failure. We use infrastructure-as-code to seamlessly scale out services, as required.
Is there a business continuity plan?+−
Yes. We have developed and enforced a business continuity policy and plan based on information security requirements, with ongoing testing (e.g., power failure, DDoS) and review to capture necessary changes.
Incidents and third parties
What about incident response and data breaches?+−
CaptionHub maintains comprehensive incident response procedures with 24/7 monitoring via AWS CloudWatch and Slack alerts. We have formal breach notification procedures and post-incident analysis processes to reduce the likelihood or impact of future incidents.
How do you handle supplier and third-party security?+−
We enforce comprehensive supplier management policies including due diligence, risk assessment, and regular security reviews. All supplier contracts include security and data protection clauses, and we regularly assess suppliers for compliance.
Is my data shared with third parties?+−
Depending on how CaptionHub is configured and used, you may choose to share your data with third parties. Auto-transcription and machine translation are examples where CaptionHub uses third parties to deliver aspects of our service. Your data is only shared following an explicit action from you, and we have strict contracts with all third party providers, with extensive non-disclosure clauses.
How is data disposed of securely?+−
We implement formal procedures for secure disposal including approved third-parties for physical equipment, secure erasure by Information Asset Owners for logical data, and shredding for hard copies.
Timbra (live captioning)
How are captions for public live video secured?+−
Captions are served via a publicly visible URL containing a unique, hard to guess identifier for the stream. This identifier can be rotated on request.
Can Timbra be locked down to authorised access only?+−
Yes. Timbra projects can be configured to only allow authorised access. In this mode, all public endpoints are disabled, and access to caption output is only possible via the API using valid API credentials.
Can Timbra be evaluated privately?+−
Yes. Timbra can be evaluated in private mode, where no data is publicly available.
What low-latency input methods are supported?+−
Customers can choose RTMP, which is unencrypted, but secured with an unguessable stream key, or SRT, which has built-in AES encryption. Optionally RTMPS (secured RTMP) can be used.
How long is caption data retained?+−
All transcription and caption data is kept within the CaptionHub system. Captions are no longer available for archived and deleted projects. For transcription, customers can opt to use a private install of our transcription engine.