How we protect your show.
Stream keys, OAuth tokens, broadcast traffic, and customer recordings — what we encrypt, who can reach what, and where we are on compliance.
What we do today
Concrete protections shipped in the current product. No future-tense claims — if it's on the roadmap it's in the compliance grid below.
Transport encryption everywhere
All browser ↔ TRaX traffic runs over TLS 1.3. All internal service-to-service traffic inside the cluster runs mutual TLS (mTLS). Encoder ingest accepts SRT (encrypted), RTMPS, and SRT-over-WHIP — never plain RTMP from the open internet.
Stream keys + OAuth tokens at rest
Destination credentials are encrypted at rest with AES-GCM. Platform OAuth refresh tokens live encrypted in our database and never leave server memory in plaintext. Pasted stream keys are masked in the UI and never logged.
Owned in-country CDN
We operate our own delivery network across the country — your stream rides edge nodes we control end to end. No reseller layer, no third-party origin shield, no opaque routing.
Per-studio access control
Every request to TRaX is scoped to the studio it belongs to. Sharing a studio with a collaborator grants an explicit VIEW / EDIT / ADMIN role — never broader cross-studio access. VIEW collaborators never see stream keys.
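The two claims above (destination credentials encrypted at rest with AES-GCM, and VIEW collaborators never seeing stream keys) combined into one storage pattern, as an added example that is not TRaX's code: the studio id is bound as AES-GCM additional authenticated data, so a record lifted into another studio's row fails to decrypt, and the role check runs before any decryption. The data key, function names and role strings are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Constructed 256-bit data key; a real deployment would fetch it from Vault (assumption).
var dataKey = []byte("0123456789abcdef0123456789abcdef")

func newGCM() (cipher.AEAD, error) {
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealStreamKey encrypts a destination stream key with AES-256-GCM and binds the studio id
// as additional authenticated data; the random nonce is prepended to the stored record.
func SealStreamKey(studioID, plaintext string) ([]byte, error) {
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(plaintext), []byte(studioID)), nil
}

// OpenStreamKey refuses non-EDIT/ADMIN roles before decrypting and fails when the record was sealed for another studio.
func OpenStreamKey(studioID, role string, record []byte) (string, error) {
	if role != "EDIT" && role != "ADMIN" {
		return "", errors.New("only EDIT and ADMIN may read stream keys")
	}
	gcm, err := newGCM()
	if err != nil || len(record) < gcm.NonceSize() {
		return "", errors.New("malformed record")
	}
	pt, err := gcm.Open(nil, record[:gcm.NonceSize()], record[gcm.NonceSize():], []byte(studioID))
	if err != nil {
		return "", err // GCM tag mismatch: wrong studio id, wrong key, or tampered ciphertext
	}
	return string(pt), nil
}
```

The plaintext only ever exists in the return value of OpenStreamKey; anything that renders or logs should receive a masked form instead.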
Identity through Zitadel
TRaX uses Zitadel as the identity provider for human accounts. OIDC redirect flow with PKCE. No password storage in our app database. MFA is supported and enforced by org policy when configured.
Infrastructure hardening
Production runs in Kubernetes with admission policies, NetworkPolicy isolation per workload, and image signing. Secrets ship via Vault, not env files. Backups are encrypted and tested.
Where we stand
Honest status on certifications and regulatory regimes. If something says "in progress" or "not yet," it's not shipped — ask us before you assume.
SOC 2 Type II
In progress. Audit window opens 2026-Q3. Reach out if you need the current control summary or expected timeline.
GDPR
Yes. EU data subjects can request export and erasure via [email protected]. We honor requests within 30 days. Data processing agreement available on request.
CCPA
Yes. California residents have the right to know, delete, and opt out of any sale of personal information. We do not sell personal information.
HIPAA
Not yet. TRaX is not currently a HIPAA business associate. Do not transmit PHI through the studio. If you have a medical-streaming use case, contact us first.
Data residency
US today. Customer data + recordings are stored in US regions. EU residency is on the roadmap — contact us if it gates your purchase decision.
PCI DSS
Outsourced. Payment processing runs through Stripe. We never see or store card numbers — Stripe handles the PCI scope.
Who handles your data
Third parties that process customer data on TRaX's behalf. We notify customers at least 30 days before adding or replacing one. Infrastructure providers are disclosed in the signed DPA on request.
| Subprocessor | Role | Region | Data processed |
|---|---|---|---|
| Stripe | Payment processing | US + EU | Card data, billing address, customer email. We never see card numbers — Stripe handles PCI scope. |
| Resend | Transactional email | US | Customer email address, message content (invoices, invites, alerts, lifecycle email). |
| Cloudflare | DNS + TLS + tunneling | Global edge | Request metadata (IP, user-agent, URL). No request bodies cached. Media traffic bypasses Cloudflare and rides our owned CDN. |
Subscribe to subprocessor-change notifications by emailing [email protected].
If you're evaluating us for a purchase
We've answered most procurement security questions before. Reach out to [email protected] for the current control summary, a draft DPA, or a vendor-security questionnaire. We'll usually turn it around within 3 business days.
- Vendor security questionnaire response
- Draft Data Processing Agreement (DPA)
- Incident-response playbook summary
- Penetration-test attestation (most recent)
Found something? Tell us.
Send vulnerability reports to [email protected]. We respond within one business day. We don't currently run a paid bug bounty — but we will credit researchers in release notes (with permission) and follow good-faith disclosure.