Security

Supporting Cast strives to maintain a healthy balance between the security needs and the convenience of our users. That applies across all of our threat models, whether users are administrators, members of a public podcast, or employees consuming a company's internal podcast.

This is an overview of the security practices and measures we have in place. Please keep in mind that this is not exhaustive, and we can provide more details upon request.

Application Security

  • Access to podcast feeds and episodes is monitored and can be automatically revoked in response to widespread sharing
  • Changes are logged for auditing purposes
  • MFA is required of all Supporting Cast staff, and may be required of all administrators within a podcast network
  • Passwords are not used; authentication relies instead upon time-limited "magic" links or Single Sign-On technologies like SAML and SCIM
  • Role-based access controls are provided to restrict access to only the capabilities that an administrator needs
  • A Web Application Firewall (WAF) provides an extra layer of defense

Company Security

  • Background checks are required of all employees when they are hired
  • Incident response plans include preparation, triage, containment, eradication, recovery, and follow-up, and are reviewed and practiced yearly
  • Policies document security procedures and requirements, and are reviewed annually
  • Security training is completed annually by all employees and contract staff, with additional requirements for development staff

Infrastructure

  • Backups of critical data are made continuously and as periodic snapshots, and are tested at least twice a year during disaster recovery drills
  • Data is encrypted in transit and at rest, both in the cloud and on employee devices
  • Disaster recovery is tested twice a year, to maintain confidence that the process works and that its documentation is kept up to date
  • Threats, including malware and intrusions, are detected using endpoint protection and offline scanning services

Security Profile

  • Hosting and content delivery leverage reputable and annually reviewed vendors, such as AWS, Cloudflare, Fastly, and Google Cloud
  • Recovery Point Objective of 24 hours
  • Recovery Time Objective of 12 hours
  • Third-party subprocessors are involved (AWS, Fastly, Google Cloud, Stripe, etc.); the full list is available upon request