Application Security

From the point of capture to the point of playback, Panopto makes it easy to record, manage and stream your video content securely. As the leading video platform provider to the world’s largest organizations and most respected universities, we’ve invested heavily in product security, from the way users sign in to how we store and deliver video across the network.

Our video platform provides multi-layer security at the perimeter, within the repository, and during streaming. This ensures that only authorized users can watch videos and that your data is safe at rest and in transit.

Panopto secures the video repository perimeter with support for multiple credential types, including OAuth, SAML 2.0, Active Directory, and a number of LMS identity providers. Our single sign-on (SSO) implementation supports rolling two-way synchronization of credentials, ensuring that user information is always up to date.

Within Panopto, users navigate and access videos, folders, and playlists through role-based permissions. These permissions can be configured for groups or individual users, providing granular control over video recording, live streaming, uploading, publishing, playback, and scheduling. Additional settings provide administrators with the ability to enforce strong passwords, password expiration, two-factor authentication via SSO, session timeout, and more.


Infrastructure Security

Panopto is hosted as a high-availability, redundant cluster across multiple AWS availability zones, eliminating single points of failure and providing additional platform reliability. Every web server, encoding server, and database server is mirrored across availability zones. In the event of an entire availability zone outage, the system seamlessly transitions to another zone, providing business continuity and protecting the integrity of your data.

AWS also provides significant protection against traditional network security vulnerabilities. For example, the threat of distributed denial of service (DDoS) attacks is mitigated through proprietary DDoS protection services and multi-homed AWS networks that provide internet access diversity. Man-in-the-middle (MITM) attacks are prevented through SSL-protected API endpoints. And IP spoofing is prevented through the AWS firewall infrastructure, which doesn’t permit instances to send traffic with a source IP or MAC address other than their own.

In addition, AWS maintains state-of-the-art, multi-perimeter physical security at its data centers. This includes prohibiting external access and not sharing the precise location of the data centers. Environmental safeguards include fire detection and suppression, fully redundant power systems, climate control, and real-time management of electrical and mechanical systems.

Operational Security

Panopto’s internal systems and processes are managed through an operational security policy that covers access control, risk assessment, incident response, physical security, and more.

For example, our engineering team uses a secure software development lifecycle (SDLC) to ensure that security assurance activities such as code review and architecture analysis are inherent to the development effort.

We also perform monthly vulnerability scans and audits of our cloud security practices and access rights. Each quarter, we partner with an independent security firm to perform penetration testing in order to identify exploitable issues and minimize our attack surface.

In case of security incidents, we maintain a response plan and have a team of personnel trained to identify, investigate, and respond to security issues. Our response includes detailed forensics and notification to our customers.

GDPR Compliance

The EU General Data Protection Regulation (GDPR) brings consistency to data protection across Europe, built on the privacy principles of transparency, fairness, and accountability.

As a data processor, Panopto is committed to complying with the GDPR.

This includes the use of encryption and anonymization to protect personal information, contracts with partners who play a role in our data processing, third-party audits of our data sources for PII, and adherence to the rights to access, information, rectification, erasure, data portability, objection, and restriction of processing.

For additional information on Panopto’s compliance with the GDPR, see our Privacy Policies.


Security Checklist

Included with Panopto

Application Security

API authentication and encryption
Authentication policies
Data validation
Encryption at rest
Encryption in transit
Forensic analysis via audit logging
Hosted platform security
Infrastructure as code (IaC)
Logical content separation
Man-in-the-middle (MITM) prevention
On-premises deployment option
Perimeter security and single sign-on (SSO)
Role-based authorization
Secure credential storage
Session timeouts
Video download prevention

Infrastructure and Operational Security

Annual security awareness training
Efficient security patching
Employee information security policy
Known issue communication
Monitoring and alarming
Personal data retention
Recurring security practice audits
Recurring vulnerability scans and penetration tests
Restricted access to personal data
Secure software development lifecycle (SDLC)
Security incident management process
Security policy reviews
Separation of operational, development, and staging environments
Server uptime status
System and network access policies