Your content stays yours
VDO is built for people who work with unreleased content. Security isn't a premium add-on — it's how the platform works from the ground up.
How we protect your streams
Colour Rooms
P2P
In Colour Rooms, your video stream goes directly from your machine to your collaborator's. It never passes through our servers. We can't see it, we can't record it, we can't access it — because it never touches our infrastructure.
The connection uses TLS 1.3 with AES-128-GCM encryption. Decryption keys exist only on the two machines in the session. When direct P2P isn't possible due to network conditions, an encrypted relay carries the stream — still TLS 1.3, still AES-128-GCM.
Direct peer-to-peer, TLS 1.3 encrypted
End-to-end encrypted — no server-side decryption
Encrypted relay fallback when direct connection isn't possible
Editorial Rooms
Server
Editorial Rooms stream through our regional servers to reach multiple viewers simultaneously. The stream is encrypted with AES-128-GCM between your machine and the server, and again between the server and each viewer.
Our servers process the stream to deliver it to multiple viewers efficiently, but we don't store your video content. Once the session ends, the stream data is gone. There are no recordings unless you explicitly enable them.
AES-128-GCM encrypted in transit
No persistent storage of stream data
Regional servers with restricted access
What this means for you
Your content isn’t stored
Streams are transient. Once a session ends, the video data is gone. We don’t keep copies, don’t build a library of your work, and don’t have access to what you streamed.
Only the people you invite can watch
Every room can be password-protected. You control who has access through your team settings. Viewers need the link and, if you set one, the password.
Encryption is always on
Every stream on VDO is encrypted. This isn’t a setting you need to enable or a feature on a higher tier. It’s the default on every plan, every room, every session.
Controls you have
Security is only useful if you can control it. Every room gives you straightforward tools to manage who can see your content and how.
Password Protection
Set a password on any room
Team Permissions
Control who can create and manage rooms
Room Access
Invite-only or open link sharing
Session Control
End sessions and revoke access instantly
Encryption standards
We use standard, well-audited cryptographic protocols — not proprietary encryption.
AES-128-GCM
All streams are encrypted with AES-128-GCM. Session keys are negotiated per-connection and never reused.
AES-256-GCM
Sensitive stored data is encrypted with AES-256-GCM. Stream content itself is never stored.
HTTPS everywhere
All API traffic is encrypted in transit. Passwords are securely hashed. Sessions use signed, expiring tokens.
Account security
Passkeys, hardware security keys, workspace-wide MFA, and scoped access keys for appliances and integrations — every account has the same security tools, regardless of plan.
Passkeys and hardware security keys
Sign in with a passkey synced to your device (Touch ID, Face ID, Windows Hello) or a FIDO2 hardware key such as a YubiKey. Phishing-resistant by design — the credential is bound to vdostream.io and can’t be replayed against a lookalike site.
Authenticator apps or email codes
Prefer a classic authenticator? Use any TOTP app (1Password, Authy, Google Authenticator). If you lose your device, a one-time code can be sent to your verified email so you’re never locked out.
Required across your workspace
Workspace admins can require multi-factor authentication for every member. Accounts without MFA are blocked from signing in until they enrol. No more "one person without MFA" holes in your team.
Trusted devices
Confirm a device once and skip the MFA prompt on subsequent logins from that browser. Trust can be revoked from your account at any time, and expires automatically. Great on the machine at your desk, not so great on a shared kiosk — you choose.
Session management
See every active session on your account, which devices are signed in, and revoke any session individually or all at once. Tokens rotate automatically and expire on a short window.
Login history
A full log of every authentication attempt on your account, including IP address, device information, and whether it succeeded. You’ll know if someone tries to access your account.
Scoped, revocable access keys
Streamer keys for the Facility Streamer appliance, API keys for integrations, and webhook secrets are all issued per-integration, scoped to the minimum permissions required, and revocable instantly from your dashboard. If a box gets stolen, you rotate one key — not your password.
Role-based access control
Team accounts support granular roles — owner, admin, member, and viewer — so you can give people exactly the access they need and nothing more. Email-verified invitations keep impersonation out.
Our infrastructure
We run our own servers in professionally managed data centres with physical security, redundant power, and restricted access. We manage the full application stack ourselves — from networking and secrets management to the streaming servers.
We don't cut corners on the boring infrastructure stuff because that's where most breaches happen.
Encrypted secrets management
Credentials and keys are stored in an encrypted vault and delivered to services at runtime. No plaintext secrets on disk.
DDoS protection
All public traffic passes through a global CDN with built-in DDoS mitigation before reaching our servers.
TLS everywhere
All traffic is encrypted in transit — both external-facing and between internal services on our private network.
Network isolation
Streaming servers, application servers, and data stores run on isolated network segments with strict access controls.
No content at rest
Stream data is processed in memory and discarded when the session ends. We don’t store your video content.
Automated deployments
Every deployment is built from source, security-scanned, and health-checked before serving traffic.
Security is ongoing
Security isn't a one-time checklist. It's a set of practices we follow every day.
Continuous monitoring
Intrusion detection and security event monitoring run around the clock across all servers. Anomalous activity triggers alerts for immediate investigation.
Dependency scanning
Every build is scanned for known vulnerabilities in both application dependencies and system-level packages. Deployments are blocked if high-severity issues are found.
Security assessments
We conduct regular security assessments following industry-standard methodologies, including static analysis, dynamic testing, and manual review of critical paths.
Audit logging
Administrative actions, authentication events, and access changes are logged with full context. Audit trails are retained for investigation and compliance purposes.
Responsible disclosure
If you believe you've found a security vulnerability in VDO, we want to hear about it. We take every report seriously and will work with you to understand and address the issue.
We will not pursue legal action against researchers who report vulnerabilities in good faith and follow responsible disclosure practices.
How to report
Email [email protected] with a description of the vulnerability, steps to reproduce, and any supporting evidence.
We aim to acknowledge reports within 48 hours and will keep you updated on our progress toward a fix.
Please do not publicly disclose the vulnerability until we've had a reasonable opportunity to address it.
