Security

Security at Viddz

Last updated April 22, 2026

Our commitment

Videos are often candid, internal, or competitive by nature. We design Viddz so that your recordings, your account, and your viewers' data are protected by default — and so you can verify our posture, not just take our word for it.

This page summarizes the controls in place today and how to report anything that looks off.

Encryption in transit and at rest

  • All traffic to and from Viddz is served over HTTPS with TLS 1.2 or higher.
  • Video files are encrypted at rest by our storage providers (Google Cloud Storage) using industry-standard AES-256.
  • Streaming playback uses short-lived, signed URLs issued by Mux, so raw media files are never directly addressable.

Authentication

  • Accounts are authenticated through Firebase Auth, which supports email + password and Google single sign-on.
  • Passwords are never stored on our servers in plaintext — they're handled and hashed by Firebase Auth.
  • Session tokens are issued as short-lived JWTs and refreshed automatically.

Access control

Data access is enforced at the database layer, not just the application layer. Our Firestore and Storage security rules are the source of truth for what a given user can read or write.

  • Video documents can only be read by their owner or through the public share endpoint.
  • Direct reads from raw video storage are blocked at the rule level — playback is only possible via signed streaming URLs.
  • Uploads are size- and MIME-type-restricted at the rule level.
  • Internal access to production data is limited to a small number of engineers on a need-to-know basis.

Infrastructure

Viddz runs on managed, audited cloud infrastructure — not self-managed servers.

  • Google Cloud Platform (via Firebase) for authentication, database, storage, and serverless compute.
  • Mux for video encoding and streaming. Mux is SOC 2 Type II certified.
  • Automatic patching, redundancy, and backups are inherited from these providers.

Privacy by default

Share links use unguessable public IDs, not sequential numbers. You can delete any video at any time, or set an expiration date so it removes itself.

We do not sell your personal information or video content. Read the full Privacy Policy for details.

Secrets and credentials

Third-party credentials (Mux API keys, webhook secrets) are stored using Firebase Secret Manager and are only accessible to server-side Cloud Functions at runtime. They never appear in client code or version control.

Monitoring and incident response

Errors and anomalies from the application and Cloud Functions are logged and monitored. If we detect a security incident that affects your account or data, we will notify you without undue delay with the information we have at the time.

Compliance posture

Viddz is in active development. Our current posture:

  • GDPR: we support data access and deletion requests from EEA users — email us to make a request.
  • SOC 2: we inherit the SOC 2 posture of our underlying providers (Google Cloud, Mux). We are not yet independently SOC 2 certified.

Report a vulnerability

If you believe you've found a security issue in Viddz, please email us. We appreciate good-faith disclosure, will acknowledge reports promptly, and will not pursue legal action against researchers who follow responsible-disclosure practices.

Please do not publicly disclose issues before we've had a chance to address them.