Stream.io Security
Effective Date: June 2025
Keeping our customer data safe and secure is our top priority. We take threats very seriously and work hard to protect our customers and their data.
Stream uses a variety of industry-standard technologies and services to secure your data from unauthorized access, disclosure, use, and loss. All Stream employees undergo background checks prior to employment and are trained on security best practices during company onboarding and on an annual basis. All the teams within Stream collaborate and share responsibilities to continuously improve our security posture.
Trust Center
To request Stream's compliance documents and get additional information on Stream's security posture, please refer to Stream's Trust Center.
Vulnerability Disclosure
If you would like to report a vulnerability or have any security concerns, please contact security@getstream.io.
Include a proof of concept, a list of tools used (including versions), and the output of the tools. We take all disclosures very seriously. Once disclosures are received, we rapidly verify each vulnerability before taking the necessary steps to fix it. Once verified, we periodically send status updates as problems are fixed.
Stream does not currently have a bug bounty program, and therefore monetary rewards for submissions are not guaranteed.
If you would like to encrypt sensitive information that you send us, our PGP key can be found on keyservers with the fingerprint:
0516 4FF6 B859 FD5C E63B  1F9D B6D4 4887 A7CF 6024
Compliance
At Stream, we are committed to ensuring we comply with the relevant industry standards and best practices.
Stream complies with the following security standards:
- ISO 27001:2022
- SOC 2 Type II
- ISO 20243 (the certification entry can be found in the O-TTPS Certification Register)
Stream complies with the following regulations pertaining to health data:
- HIPAA
Stream complies with the following privacy regulations:
- GDPR
- CCPA
- DPF (the registration can be checked by searching for "Stream" in the DPF list page).
More information, including requesting available compliance reports, can be found on the Trust Center page.
Infrastructure and Network Security
Physical Access Control
Stream is hosted on Amazon Web Services (AWS), a platform that maintains a rigorous security program and a world-class facility infrastructure. It deploys a comprehensive security architecture covering:
- Network security
- State-of-the-art data centers
- Access control
- Network Monitoring and Protection
AWS data centers are housed in nondescript facilities and have the following characteristics to keep your data as safe as possible:
- Controlled physical access
- Fire detection and suppression
- Power
- Climate and temperature
- Management
Stream employees do not have physical access to AWS data centers, servers, network equipment, or storage.
Penetration Testing
Black box and/or grey box penetration testing is conducted by an independent third-party agency on an annual basis. Furthermore, the Stream security team performs internal penetration tests, as necessary.
Vulnerability Management
Stream regularly scans all its relevant assets for known vulnerabilities and remediates accordingly, prioritising issues with higher severity.
Third-Party Audit
Stream runs its services on Amazon Web Services. Stream verifies, at least on a yearly basis, the posture of its critical third parties.
Amazon Web Services undergoes various third-party independent audits on a regular basis and can provide verification of compliance controls for its data centers, infrastructure, and operations. This includes, but is not limited to, SSAE 16, SOC 2, and ISO 27001.
Data Segregation
Each customer's data is always segregated from other customers' data through application logic and authorization controls.
Additionally, we offer two deployment options: multi-tenant and single-tenant. Customers that need a higher level of security and segregation can request a dedicated shard, that is, a dedicated set of infrastructure resources.
Business Continuity and Disaster Recovery
High Availability
The Stream architecture was designed with fault tolerance and redundancy from the beginning. We deploy redundant servers at every level of the service, from load balancers to databases, and routinely test for failures of each part of the system.
Enterprise plans include a Service Level Agreement.
Business Continuity
All data sent to Stream is stored in multiple availability zones for immediate failover access. Should one availability zone fail, the service will immediately switch to the next available zone.
Stream performs daily backups and stores them in a separate location. Please note that Stream does not transfer your backups to a different geographical location, to avoid issues with cross-border data transfers or differing regulations. Backups are tested routinely for continuity and disaster recovery by our operations team.
Disaster Recovery
In the highly unlikely event of an entire AWS region failure, we can quickly scale up and divert traffic to a separate region.
Doing so requires the customer's explicit approval, to avoid issues with data transfers and the different regulations that may apply in another region.
Data Security and Privacy
Data Encryption
Stream encrypts data at rest using AWS KMS customer managed keys (CMKs). This ensures that Amazon Web Services does not have access to the keys, which are managed exclusively by Stream.
Off-site backups are encrypted at rest. Server configurations and secrets are stored in distributed, secure storage, and all access to secrets is logged.
Data in transit to and from Stream servers is encrypted with HTTPS (Transport Layer Security, TLS) using modern cipher suites.
Stream does not natively support end-to-end encryption. At the moment, it is possible to use external solutions, as described in one of our blog posts: Stream E2EE Chat.
Data Removal
Our API provides endpoints that allow our Customers to manage their data, including its deletion.
Alternatively, it is possible to request deletion of the data, and if needed the account, by sending an email to privacy@getstream.io.
Application Security
Two-Factor Authentication
Users can enable 2FA to improve the security of their accounts. Plan administrators have the ability to see a list of users, including whether 2FA is enabled on their accounts.
User Management
For each organization, users with administrative privileges can provision other users and change their privileges (role-based access control). Additionally, custom roles can be created.
Single Sign-On
We offer SSO via Google and GitHub.
SAML 2.0
Stream offers Security Assertion Markup Language (SAML)-based SSO as a standard feature to customers on its Enterprise plan. SAML 2.0 enhances user-based security and streamlines signup and login from trusted portals, improving user experience, access management, and auditability. Supported providers include Okta, AppDirect, OneLogin, Google, Microsoft, and Auth0. More information is available on request.
Email Security
We may send password reset tokens and information about account usage via email. We never send secrets such as passwords or API keys over email. We mitigate spoofing and spam using industry best practices such as Sender Policy Framework (SPF) DNS records, DomainKeys Identified Mail (DKIM), and DMARC.
Secure Application Development (Application Development Lifecycle)
Stream practices continuous delivery in its software development. All code changes require one or more reviewers and must pass a series of automated tests before they can be merged and deployed. This process maintains code quality and a fast response time to bugs or other code issues. Furthermore, Stream performs dependency scanning as well as automated tests that run as part of our development pipelines.
Audit Logs
Organization administrators can see an activity log of actions taken within their organization and its applications. Actions logged include user invitations, creation, and modification, as well as various application changes such as modifying feed groups or truncating data.
Corporate Security
Security Policies
Stream has a set of internal best practices that all employees must follow. These include:
- Using Two-Factor authentication on all services
- Using strong passphrases and unlock codes for all devices and private keys
- Using full disk encryption on all devices
- Never leaving devices unattended, and setting aggressive auto-lock timeout policies
- Proper physical security best practices in and around office spaces
These are only some of the practices in place. For additional questions, feel free to reach out at security@getstream.io.
Stream's security requirements are set out in its security policies, which are written in accordance with ISO 27001:2022 and SOC 2 Type II.
Background Checks
Stream conducts background checks for all new hires, in accordance with applicable local regulations, which may include the following checks:
- Identity verification
- Sex offender registry check
- Global watchlist check
- National criminal records check
- County criminal records check
Incident Management
Stream notifies customers of any data breach as soon as possible via email and phone call, followed by periodic updates throughout each day addressing progress and impact. We send this communication within 72 hours of becoming aware of the breach.
Stream Enterprise plans include a dedicated customer success manager who holds responsibility for customer communication, as well as regular check-ins and escalations. Stream maintains a live report of operational uptime and issues on our status page. Anyone can subscribe to updates via email from the status page.
For all relevant incidents, we will provide our customers with as much information as possible to enable them to communicate on their end where necessary.
Stream performs a Root Cause Analysis for relevant incidents, after which improvements are identified and implemented to prevent the problem from recurring.
Additional Information
Please refer to our Trust Center for answers to the most frequent security and privacy-related questions.
As a customer, you might want more detailed information than what is described on this page. Depending on your subscription tier, we can provide compliance reports, penetration test reports, and a pre-filled security questionnaire, and we can also complete customer-provided questionnaires. Please reach out to your Stream representative to evaluate the options.
