Stream.io Security & Privacy FAQ
Effective Date: August 8, 2024
Security and Privacy Frequently Asked Questions
Security & Compliance
Q: Does Stream comply with ISO 27001:2013?
Yes. Stream is audited annually, over a one-year audit window. The audits are performed by A-lign.
Q: Does Stream comply with SOC2 Type II?
Yes. Stream is audited annually, over a one-year audit window. The audits are performed by A-lign.
Q: Does Stream comply with HIPAA?
Yes. Stream complies with the Security Rule, Privacy Rule and Breach Notification Rule as specified by the Act. Furthermore, Stream has implemented adequate technical controls to ensure compliance with the mandatory rules.
Q: Can we process Health Information, given that Stream's default terms and conditions forbid this?
Please note that Stream's default terms and conditions do not allow Customers to process PHI by default. Should you need to process PHI, please reach out to your Stream representative and we will provide further instructions on the next steps.
Q: As a Customer, can we execute security testing (penetration tests, vulnerability scans) ourselves?
In order to perform security testing against Stream's systems and applications, you must obtain written authorization from Stream and agree on the Rules of Engagement. Performing security testing without authorization may trigger controls (e.g. rate limiting, WAF) aimed at blocking excessive or malicious traffic.
Q: Which options do we have for End to End Encryption (E2EE)?
Stream does not natively support E2EE; however, it is still possible to implement it using an external library. See https://getstream.io/blog/hipaa-chat/ and https://github.com/GetStream/stream-e2ee-chat/ for more information.
Should you have further questions or need more details on Stream's Security posture, please reach out to your Stream representative for further instructions.
Q: Should we need more information, what additional documents can Stream share?
Depending on your subscription plan, we might be able to share different documents:
- Compliance reports
- Security and Privacy Questionnaires
- High-level external Penetration Test reports
- Answers to additional questions you may have
Privacy
Q: Is Stream compliant with the Data Privacy Framework (DPF)?
Stream is DPF compliant. The registration can be verified by searching for "Stream" on the DPF list page.
Q: Is Stream GDPR compliant?
Stream is GDPR compliant. We review the standards and ensure that our documents, policies and procedures are aligned with the regulation. Stream offers servers for processing and storage in Dublin.
Q: Does Stream have a Data Protection Officer (DPO)?
The DPO has been appointed and registered. Enquiries for the DPO's attention can be sent to privacy@getstream.io.
Q: Does Stream use production data for testing?
No, Stream never uses any production data for testing. The production and testing environments are separate and share no components or data.
Q: What categories of (Customer's) Data does Stream process?
For contractual purposes, Stream will process:
- Business email address
- Business contact information
- Business address
- Payment history
At API level:
- Any data that customer submits when registering accounts at getstream.io
- Any data that customer chooses to process via the API
- Device user agent and IP address of clients
Through the API it will always be possible to access and manage your data (including deletion). Please refer to the documentation for more information.
Q: For which purposes does Stream process data processed via the API?
Stream processes data solely for the purpose of providing and, potentially, improving the service. This is clearly stated in our terms and conditions.
Data Processing and Retention
Q: Which locations are available to process and store the data?
When setting up each application via the dashboard (available after logging into getstream.io), each customer can choose the location where their data will be processed and stored.
Currently we support the following locations:
- Chat: North Virginia, Singapore, Dublin, Sydney
- Feeds: North Virginia, Dublin, Singapore, Tokyo
Other locations may be available upon consultation. Once the preferred location is selected, all data will be processed and stored in that location. Backups are stored separately, but in the same geographical location. The only case in which data would be moved to a different location is for disaster recovery purposes, and this requires written approval by both the Customer's and Stream's management.
Q: For how long does Stream retain data?
The data is linked to the account. Stream has no insight into whether a Customer intends to return at a later time or wishes to preserve their data regardless. For this reason, Stream will not delete Customer data without specific instructions. To delete data, Customers can use the dedicated API endpoints. To close the account with getstream.io, Customers can send an email to privacy@getstream.io. Requests will be executed in line with the timelines specified by applicable regulations.
Q: As a Stream customer, how much control do I have over the data I process via the API?
The data that you process via the API belongs to you and therefore you have full control over it.
Q: Does Stream process Data on premise?
No, Stream does not perform any processing on premise.
Q: Which subprocessors does Stream use for the API?
See https://go.getstream.io/subprocessors for the full list of subprocessors.
Q: As a customer can I autonomously access and manage the data?
Yes, the API can always be used to autonomously manage your data. Should you wish to delete your account, please send an email to privacy@getstream.io.