Security at WeVideo
WeVideo’s Security and Privacy teams establish policies and controls, monitor compliance with those controls, and prove our security and compliance to third-party auditors. We design our policies based on these principles:
- Access should be limited to only those with a legitimate business need and granted based on the principle of least privilege.
- Security controls should be implemented and layered according to the principle of defense-in-depth.
- Security controls should be applied consistently across all areas of the enterprise.
- The implementation of controls should be iterative, continuously maturing across the dimensions of improved effectiveness, increased auditability, and decreased friction.
Security and compliance
WeVideo follows best practices as part of the NIST Cybersecurity Framework, is in progress for a SOC 2 Type II attestation, and maintains compliance with:
- New York Education Law Section 2-D (NY Ed Law 2-d)
- PCI DSS
- Data at rest: All datastores with customer data live in Amazon Web Service’s state of the art secure servers, and are encrypted at rest.
- Data in transit: WeVideo uses TLS 1.2 everywhere data is transmitted over networks. We also use features such as HSTS (HTTP Strict Transport Security) to maximize the security of our data in transit. Server TLS keys and certificates are managed by AWS and deployed via Application Load Balancers.
- Secret management: Encryption keys are managed via AWS Key Management System (KMS). KMS stores key material in Hardware Security Modules (HSMs), which prevents direct access by any individuals, including employees of Amazon and WeVideo. Application secrets are encrypted and stored securely via AWS Secrets Manager and access to these values is strictly limited.
- Penetration testing: WeVideo engages in penetration testing performed by a third party on an annual basis at minimum. Regular infrastructure security reviews are conducted with a third party on a biannual basis at minimum.
- Vulnerability scanning: WeVideo employs both internal team efforts on vulnerability scanning as well as weekly scans provided by third party services.
- Secure development practice: All code is peer reviewed and tested prior to release via both automated and manual processes.
- Staged releases: Updates are released to production environments only after qualification in development and staging environments.
- Endpoint protection: We use MDM software to enforce secure configuration of endpoints such as disk encryption, endpoint protection, screen lock configuration, and software updates.
- Secure remote access: WeVideo’s internal infrastructure resources can only be accessed through a company VPN with multi factor authentication.
- Security education: WeVideo provides comprehensive security training to all employees upon onboarding and refresh training on an annual basis at minimum.
- Identity and access management: WeVideo uses Google Workplace to secure our identity and access management. We enforce a strong password policy and multi-factor authentication wherever possible. WeVideo employees are granted access to applications based on their role, using a ticketing system, and are deprovisioned upon termination of their employment.
WeVideo uses a risk-based approach to vendor security. Factors which influence the inherent risk rating of a vendor include:
- Access to customer and corporate data
- Integration with production environments
- Potential damage to the WeVideo brand
Once the inherent risk rating has been determined, the security of the vendor is evaluated in order to determine a residual risk rating and an approval decision for the vendor.