Platform Infrastructure and Security
The Spreaker platform runs on Amazon Web Services in the eu-west-1 and us-east-1 regions. We run our platform across multiple Availability Zones to ensure redundancy and resiliency to failures, and we work with a combination of managed and self-provisioned instances and services.
We manage our infrastructure following the IaC (Infrastructure as Code) principles. Instances are periodically rotated and replaced with new instances to ensure consistency with the defined state and to include the latest available security patches.
Spreaker forces HTTPS for all services using TLS (SSL), including our public website, dashboard, RSS feeds and media enclosures. We regularly audit the details of our implementation, including the certificates we serve, the certificate authorities we use, and the ciphers we support. Our SSL certificates are issued, renewed and managed by Amazon Web Services.
We run our software in Docker containers that are automatically scanned for vulnerabilities against the Common Vulnerabilities and Exposures (CVE) database. We periodically engage third-party vendors to perform penetration testing on the Spreaker platform, and we run a public bug bounty program to ensure security issues are promptly addressed.
Data and Access Policies
Sensitive information is encrypted at rest. Data belonging to different Spreaker users is not segregated, but strict access policies following the Least Privilege Principle are applied and continuously reviewed for both server-to-server and employee access.
When a Spreaker account is deleted, an irreversible data erasure procedure takes place automatically after 30 days to ensure that PII is deleted and non-recoverable. Listening statistics data is anonymised during ingestion so it cannot be correlated with individuals.
Web server access logs containing IP addresses are kept for 6 months for troubleshooting and security analysis, then automatically deleted. Security logs (e.g. login attempts, password change requests) are kept indefinitely.
Payments are securely processed through Stripe or PayPal. Spreaker does not have access to customer credit card information, either at rest or in transit.
When a podcast hosted on Spreaker is distributed through its own RSS feed to third-party platforms, our servers collect the IP address of the device downloading the audio file. IP addresses are used for geographic advertising targeting, for showing geographically aggregated statistics in the Spreaker CMS, for deduplication and for fraud detection, and are stored in anonymised form (one-way hashing) on our servers hosted on AWS in the United States and Europe.