Security Policy
How Screen Chirp protects your media streams, credentials, and platform integrity across every layer of the stack.
At Screen Chirp, security is not an afterthought — it is built into every layer of our application. This document outlines the protocols, encryption standards, infrastructure practices, and compliance certifications we maintain to ensure your meetings remain confidential and your data remains protected.
Our Security Practices
We apply defence-in-depth principles across the platform. All administrative interactions require authenticated sessions protected by CSRF tokens. We enforce strict rate-limiting on login endpoints, API routes, and meeting join flows to prevent brute-force and credential-stuffing attacks.
Session cookies are set with HttpOnly, Secure, and SameSite=Lax attributes. Our application undergoes regular dependency audits and code reviews before each release.
Encryption
Media Streams
All video, voice, and screen-sharing streams are encrypted in transit using the Secure Real-time Transport Protocol (SRTP), with the SRTP session keys negotiated over a DTLS handshake between the endpoints (DTLS-SRTP, RFC 5764) rather than carried in signalling. Media never traverses unencrypted network paths.
Data at Rest
All data stored in our databases is encrypted at rest using AES-256-CBC. Sensitive credentials — such as customer-uploaded Twilio Auth Tokens and API Secrets — are additionally encrypted at the application layer before insertion. Encryption keys are managed separately from the data they protect.
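The application-layer step described above, as an added example (this is not Screen Chirp's code): a credential such as a Twilio Auth Token is encrypted with AES-256-CBC under a key held apart from the database, and, because CBC on its own provides confidentiality but no integrity, the IV and ciphertext are authenticated with HMAC-SHA256 (encrypt-then-MAC) so a modified blob is rejected before it is ever decrypted. The `Keys` type, the `Seal`/`Open` names, the in-memory key source and the sample token are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Keys holds the two application-layer keys. Assumption for the example:
// in production they come from a KMS or secrets manager, never from the
// database row that stores the ciphertext.
type Keys struct {
	Enc [32]byte // AES-256 key
	Mac [32]byte // HMAC-SHA256 key
}

var ErrTampered = errors.New("stored credential failed integrity check")

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("bad padding")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// Seal produces the blob to insert into the database:
// IV || AES-256-CBC ciphertext || HMAC-SHA256 tag over (IV || ciphertext).
func Seal(k *Keys, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.Enc[:])
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil { // fresh random IV per record
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	body := append(iv, ct...)
	mac := hmac.New(sha256.New, k.Mac[:])
	mac.Write(body)
	return mac.Sum(body), nil // tag appended after IV and ciphertext
}

// Open verifies the tag in constant time first and only then decrypts.
// Any bit-flip in the stored blob, or a tag made under a different MAC key,
// yields ErrTampered rather than garbage plaintext.
func Open(k *Keys, blob []byte) ([]byte, error) {
	if len(blob) < aes.BlockSize+sha256.Size {
		return nil, ErrTampered
	}
	body, tag := blob[:len(blob)-sha256.Size], blob[len(blob)-sha256.Size:]
	mac := hmac.New(sha256.New, k.Mac[:])
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, ErrTampered
	}
	iv, ct := body[:aes.BlockSize], body[aes.BlockSize:]
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, ErrTampered
	}
	block, err := aes.NewCipher(k.Enc[:])
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt, aes.BlockSize)
}

func main() {
	var k Keys
	rand.Read(k.Enc[:]) // example only: real keys come from the key manager
	rand.Read(k.Mac[:])
	token := []byte("constructed-sample-auth-token") // not a real credential
	blob, _ := Seal(&k, token)
	fmt.Println("stored:", hex.EncodeToString(blob))
	pt, err := Open(&k, blob)
	fmt.Printf("recovered: %q err=%v\n", pt, err)
	blob[aes.BlockSize] ^= 0x01 // flip one ciphertext bit as an attacker could
	_, err = Open(&k, blob)
	fmt.Println("after tampering:", err)
}
```

The tag covers the IV as well as the ciphertext; with CBC, flipping a bit in the IV flips the same bit in the first plaintext block, so an unauthenticated IV would let an attacker edit the first 16 bytes of a stored secret.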
Transport Security
All web traffic is served exclusively over TLS 1.2 or higher. We enforce HTTP Strict Transport Security (HSTS) with a one-year max-age (31536000 seconds) and the includeSubDomains directive, so browsers refuse plaintext connections to any Screen Chirp host.
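The cookie attributes listed under Our Security Practices and the HSTS parameters above are both visible in a single HTTPS response, so they can be verified rather than taken on trust. The following Go program is an added example, not part of Screen Chirp's codebase: it audits the Set-Cookie and Strict-Transport-Security headers of a constructed response against that policy (HttpOnly, Secure, SameSite of Lax or Strict; max-age of at least one year with includeSubDomains) and reports each deviation. The function names and the sample headers are assumptions; pointing it at a real server would mean feeding it `resp.Header` from `net/http`.

```go
package main

import (
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

const oneYearSeconds = 31536000

// checkSetCookie parses one Set-Cookie header value and returns the policy
// deviations for that cookie. Attribute names are case-insensitive per RFC 6265.
func checkSetCookie(header string) []string {
	var findings []string
	parts := strings.Split(header, ";")
	name := strings.TrimSpace(strings.SplitN(parts[0], "=", 2)[0])
	attrs := map[string]string{}
	for _, p := range parts[1:] {
		kv := strings.SplitN(strings.TrimSpace(p), "=", 2)
		val := ""
		if len(kv) == 2 {
			val = strings.ToLower(strings.TrimSpace(kv[1]))
		}
		attrs[strings.ToLower(kv[0])] = val
	}
	if _, ok := attrs["httponly"]; !ok {
		findings = append(findings, name+": missing HttpOnly (readable by script)")
	}
	if _, ok := attrs["secure"]; !ok {
		findings = append(findings, name+": missing Secure (may be sent over plaintext HTTP)")
	}
	switch attrs["samesite"] {
	case "lax", "strict":
		// compliant with the stated policy
	case "none":
		findings = append(findings, name+": SameSite=None allows cross-site requests to carry it")
	default:
		findings = append(findings, name+": missing SameSite")
	}
	return findings
}

// checkHSTS parses a Strict-Transport-Security value and checks max-age and
// includeSubDomains. An absent header is itself a finding.
func checkHSTS(header string) []string {
	if strings.TrimSpace(header) == "" {
		return []string{"HSTS: header absent"}
	}
	var findings []string
	maxAge, includeSub := -1, false
	for _, d := range strings.Split(header, ";") {
		d = strings.TrimSpace(d)
		lower := strings.ToLower(d)
		switch {
		case strings.HasPrefix(lower, "max-age="):
			if n, err := strconv.Atoi(strings.TrimSpace(d[len("max-age="):])); err == nil {
				maxAge = n
			}
		case lower == "includesubdomains":
			includeSub = true
		}
	}
	if maxAge < 0 {
		findings = append(findings, "HSTS: max-age missing or unparseable")
	} else if maxAge < oneYearSeconds {
		findings = append(findings, fmt.Sprintf("HSTS: max-age %d is below one year (%d)", maxAge, oneYearSeconds))
	}
	if !includeSub {
		findings = append(findings, "HSTS: includeSubDomains missing")
	}
	return findings
}

// auditResponse runs both checks over every cookie set by a response.
// An empty result means the response matches the stated policy.
func auditResponse(h http.Header) []string {
	var findings []string
	for _, c := range h.Values("Set-Cookie") {
		findings = append(findings, checkSetCookie(c)...)
	}
	return append(findings, checkHSTS(h.Get("Strict-Transport-Security"))...)
}

func main() {
	// Constructed sample headers, not captured from a Screen Chirp server.
	weak := http.Header{
		"Set-Cookie":                {"session=abc123; Path=/"},
		"Strict-Transport-Security": {"max-age=300"},
	}
	good := http.Header{
		"Set-Cookie":                {"session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"},
		"Strict-Transport-Security": {"max-age=31536000; includeSubDomains"},
	}
	for label, h := range map[string]http.Header{"weak": weak, "good": good} {
		fmt.Printf("%s: %d finding(s)\n", label, len(auditResponse(h)))
		for _, f := range auditResponse(h) {
			fmt.Println("  -", f)
		}
	}
}
```

Run the audit after every deployment that touches the edge or session layer; a framework upgrade or a new reverse proxy is the usual way a cookie quietly loses `Secure` or a subdomain drops out of HSTS scope.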
Data Centers
Our infrastructure runs on leading cloud providers operating SOC 2 Type II and ISO 27001 certified data centers. Our primary infrastructure is distributed across multiple geographic regions with automatic failover to ensure high availability.
Database servers are deployed in private network segments with no direct public internet exposure. All inter-service communication occurs over encrypted private network channels.
Enterprise customers may request EU data residency. Contact our sales team for details.
Incident Response
We maintain a formal incident response plan that is reviewed and updated at least annually. In the event of a confirmed security incident:
- Our on-call security team is notified within 15 minutes via automated alerting.
- Affected systems are isolated to contain the incident scope.
- A root cause analysis is conducted and documented within 48 hours of resolution.
- Affected customers are notified within 72 hours. Where the incident is a personal data breach, the competent supervisory authority is also notified within 72 hours of our becoming aware of it, as required by GDPR Article 33, and affected data subjects are informed without undue delay where Article 34 applies.
Post-incident reports are made available to enterprise customers upon request.
Responsible Disclosure
We operate a responsible disclosure programme and welcome security researchers who report vulnerabilities in good faith. If you discover a potential security issue in our platform:
- Report it to us by emailing security@screenchirp.com with a clear description and reproduction steps.
- Do not publicly disclose the vulnerability before we have had a reasonable opportunity to investigate and remediate.
- Do not exploit the vulnerability beyond what is necessary to demonstrate the issue.
We commit to acknowledging every report within 48 hours, providing a remediation timeline for confirmed issues within 10 business days, and notifying you when the issue has been resolved. Researchers who act in good faith and within these guidelines will not face legal action from Screen Chirp.
Contact Security Team
For security-related enquiries, vulnerability reports, or requests for compliance documentation (SOC 2 reports, penetration test results, DPAs), please contact our security team directly:
Security disclosures: security@screenchirp.com
Compliance requests: Submit a compliance request
Response time: All security enquiries are acknowledged within 48 hours.