Security

Video is sensitive. It can carry product roadmaps, training material, customer interviews, and sometimes personally identifiable information. This page describes the controls we have in place to protect it — and the work we still have ahead.

1. Encryption

All traffic between viewers, your dashboard, and our edges is encrypted with TLS 1.2 or higher; modern clients negotiate TLS 1.3. HSTS is enabled across hostmyvideo.io and customer-managed embed origins.

Video files at rest are encrypted with AES-256 inside Bunny.net's storage layer. Application data at rest in Neon Postgres is encrypted with AES-256 using cloud-provider managed keys. Backups inherit the same encryption.

2. Authentication

Authentication is handled by Clerk. Passwords are never stored by us — Clerk hashes them with bcrypt and enforces breach-list checks at signup. Multi-factor authentication (TOTP and WebAuthn) is supported on every plan and we strongly recommend enabling it. Single Sign-On (SAML and OIDC) is on the roadmap for Business and Enterprise customers.

3. Access controls

Every video, embed, and analytics record is scoped to the workspace it belongs to. Users can only access resources tied to a workspace they are a member of, and role-based permissions limit who can upload, edit, invite teammates, or manage billing.

Business and Enterprise workspaces get an immutable audit log capturing logins, role changes, billing events, API key issuance, custom-domain changes, and visibility changes — exportable as CSV or JSON.

4. Subprocessors

The full list of subprocessors with their regions is published in our Privacy Policy and the Data Processing Addendum. Material changes are announced at least 30 days in advance for Business and Enterprise customers.

5. Backups

Application data in Neon is protected by point-in-time recovery with a rolling seven-day window. Object storage in Bunny is geo-redundant by default. We test recovery regularly, and our internal targets for the application tier are RPO ≤ 5 minutes and RTO ≤ 4 hours.

6. Responsible disclosure

If you believe you have found a security issue, email support@querywing.com. We aim to acknowledge within one business day and to triage within five. We will not pursue legal action against good-faith researchers who follow this process, avoid privacy violations, and give us reasonable time to remediate before public disclosure.

For sensitive reports, encrypt with our PGP key. The fingerprint is 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 (placeholder pending rotation; the live key will be published at /.well-known/security.txt on launch).

7. Compliance roadmap

  • SOC 2 Type I in progress — observation period scheduled for completion in Q3 2026.
  • GDPR — operational; DPA available, EU SCCs (2021/914 Module 2) incorporated by reference.
  • CCPA / CPRA — operational; rights workflow live.
  • PCI DSS — out of scope for HostMyVideo. All card data is processed by Stripe (PCI-DSS Level 1) and never traverses our systems.
  • HIPAA — not currently supported. Do not upload Protected Health Information.

Last updated: 2026-05-07

HostMyVideo · A QueryWing product · Premium video hosting · Founded 2026 · Worldwide