Multi-Layer Enterprise Security

Streaming armored end to end.

Six independent defense layers — AES-256 encryption, CDN with Always-On DDoS, Domain Guard™, JWT + IP Binding and compliance inherited from AWS and Oracle Cloud — all included in every plan, at no extra cost.

SOC 2 Type II · ISO 27001 / 27017 / 27018 · PCI DSS · GDPR · LGPD

AES-256 End-to-End Encryption: TLS 1.3 · RTMPS · HLS over HTTPS
99.99% Uptime SLA: Multi-AZ · Multi-Region · Automatic failover
<10s DDoS Mitigation: Detection and absorption across 119+ PoPs
24/7 Active SOC: Human monitoring + automatic alerts

Defense in Depth

6 protection layers. Independent.

Every broadcast passes through six security layers operated by different systems. An attacker would have to breach all of them in parallel to access your content — and each one emits logs and alerts in real time.

Encoder · CDN · Viewer

01
Encoder → Origin

Encrypted RTMPS ingest

Your feed travels with TLS 1.2+ from the encoder. Rotatable credentials, optional IP allowlist and a stream key you can regenerate with one click.

02
Origin → CDN

HTTPS distribution + encrypted HLS

Delivery exclusively over HTTPS with managed certificates. HLS with protected segments. Zero cleartext traffic between CDN and viewer.

03
CDN Edge

CDN with Always-On DDoS

119+ PoPs with automatic L3/L4/L7 mitigation. WAF with OWASP rules, adaptive rate limiting and absorption of 250+ Tbps of hostile traffic.

04
Player Layer

Player with Domain Guard™

Authorized domains with irreversible hashes. If someone copies your embed to an unauthorized site, the player simply doesn't work.

05
Control Plane

Panel with JWT + IP Binding

Sessions with versioned JWTs, bound to IP in production. TOTP MFA on Enterprise+ and aggressive rate limiting on login (5/15min).

06
Programmatic

REST API with audited keys

API Keys with usage counters, full logging and rate limiting (1,000 req/15min). Exhaustive validation and sanitization against injections.

Content Protection

Concrete tools, not marketing.

Each feature operates autonomously. You enable the ones you need, audit from the panel and export logs whenever you want.

Per-Channel

Unique credentials per channel

RTMP URL, stream key, username and password generated per channel. Instant regeneration at any sign of suspicion.

SmartEdge™

SmartEdge™ with geo-routing

Per-country routing via CF-IPCountry. You decide which regions get access and from where.

Anti-Piracy

Anti-hotlinking + SSRF guard

Domain whitelist for assets, blocking of reserved IPs and strict URL scheme validation.

ML-Based

Bot and user-agent detection

Heuristics and ML detect malicious crawlers without penalizing legitimate bots. Forensic logs with IP, UA and timestamp.

One-Click

Sessions with remote logout

Invalidate all the JWTs on your account with one click. Ideal when you suspect unauthorized access or change devices.

Audit Trail

Immutable audit logs

Complete record of logins, resets, SSO, rate limits and API keys. 12-month retention, exportable on demand.

session.headers.audit LIVE

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self' # OWASP CSP L2
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Authorization: Bearer eyJhbGc.iI6
✓ JWT verified · IP match · v3 · expires in 11h 42m

Bcrypt · JWT v3 · Helmet · CORS strict

Your Panel, a Fortress

Enterprise practices applied by default.

No checkboxes to enable, no hidden configuration. Every account is born with the same controls we apply to Enterprise+.

Bcrypt for passwords: Irreversible hashing even with DB access.
JWT with expiration + versioning: A password change invalidates all sessions.
Zero-leak reset: Single-use tokens (24h). The email doesn't reveal whether the account exists.
Helmet + CSP + HSTS preload: Full OWASP headers. X-Frame-Options: deny.
Strict CORS: Origin whitelist. Only your authorized panel consumes the API.
Per-route rate limiting: Login 5/15min · Register 5/h · Reset 3/h · API 1000/15min.

Contractual Commitment

SLA with numbers, not euphemisms.

99.99% Guaranteed Uptime: Multi-AZ + multi-region. Automatic credits if we fail.
<10s DDoS Mitigation: Automatic L3/L4/L7 across the 119+ PoPs.
6 Independent Layers: Real defense in depth: each layer with its own logs and alerts.
$0 Extra Cost: All security included in every plan. No upsells.

Security FAQ

What IT and compliance teams ask.

Concrete answers for IT, legal and procurement teams.

7 Frequently asked questions
<30 min Human response time

We run on Amazon Web Services (AWS) and Oracle Cloud Infrastructure (OCI), both with SOC 2 Type II, ISO 27001, ISO 27017 (cloud), ISO 27018 (privacy), PCI DSS Level 1 certifications and GDPR (EU) and LGPD (Brazil) compliance. Our application layer doesn't hold formal certifications of its own yet, but we follow OWASP ASVS level 2 controls and apply hardening on every deployment.

In transit: RTMPS (TLS 1.2+) on ingest, HTTPS with HSTS on HLS/LL-HLS distribution, and WebRTC with DTLS/SRTP on plans with WebRTC. At rest: AES-256 on recording buckets and the VOD library; keys rotated quarterly and managed via the cloud provider's KMS.

Authentication with signed JWTs, optional per-session IP binding, MFA (TOTP) available and mandatory on Enterprise+ plans, aggressive rate limiting on login endpoints and automatic token rotation. Immutable audit logs of every administrative action with 12-month retention.

Always-On DDoS across the 119+ CDN PoPs at no extra cost. Automatic mitigation at L3/L4 (volumetric) and L7 (HTTP flood) with adaptive thresholds. WAF with OWASP Top 10 rules, dynamic malicious IP lists and machine learning of scraping patterns.

Yes. RPO (Recovery Point Objective): <15 minutes for configuration and metadata; <1 hour for recent recordings. RTO (Recovery Time Objective): <30 minutes for critical service. Daily cross-region backups, synchronous panel replication and biannual DR drills. The BCP document is available under NDA to Enterprise+ customers.

Minimal PII collection (only what is needed for billing and operation). Right to be forgotten, portability and rectification implemented via support (response <72 h). DPA available upon request. We process data in the customer’s regions when possible (EU/Brazil). Full policy at /en/privacy-policy.

Yes. Quarterly internal pentesting with OWASP WSTG/MASTG methodology. Annual external audit contracted to a specialized firm (changes yearly to avoid bias). Private bug bounty available by invitation. The executive report from the latest pentest is available to Enterprise+ customers under NDA.

Your broadcast operation starts today

Ready to operate with broadcast quality?

TV channels, production companies, churches, radio stations and institutions around the world already run on XtreamCast. 3-day free trial. 7-day money-back guarantee. Your channel ready in minutes. 24/7 human support.