Media Manager Security

Our partner, Brandfolder, has completed its SOC 2 Type 2 audit for its security and confidentiality controls. This means Brandfolder has established processes and practices against these controls that have been validated by an independent third party.

Media Manager enables the right individuals to access the right resources at the right time. It provides a seamless and secure way for your organization to manage your digital assets. Other users can't see your brand assets in your Libraries unless you deliberately give them access or make your Library Public.

The underlying storage architecture behind Media Manager is powered by best in breed cloud service providers. Media Manager supports both Google Cloud Storage (GCS) and Amazon Web Services (AWS) S3 for cloud storage.  By default, the cloud storage is set as S3 (AWS).

Media Manager redundantly stores all data on multiple devices across three Availability Zones. All PUT and COPY operations for objects are synchronously stored across all Availability Zones before confirming that the data has been successfully stored, thus ensuring fault-tolerance. Once stored, we are regularly verified of the integrity of stored data using checksums. If corruption is detected, it is repaired using redundant data. By using GCS and S3, Media Manager is able to effectively provide 99.999999999% durability and 99.99% availability of objects over a given year.

Media Manager's PostgreSQL database deployment is always up-to-date through automatic updates using the latest patches. Automated backups of all transaction logs and the database enable point-in-time recovery for all of our customers. The database instance is set to run as a multi-region, Multi-Availability Zone deployment with a disaster recovery replica. This means that it will automatically provision and manage a “standby” replica in a different Availability Zone (independent infrastructure in a physically separate location). Database updates are made concurrently on the primary and standby resources to prevent replication lag. In the event of planned database maintenance, database instance failure, or an Availability Zone failure, we will automatically failover to the up-to-date standby so that database operations can resume quickly without administrative intervention. Brandfolder maintains snapshots and streaming logs for instantaneous recovery in the event of global compute disaster.

Assets are encrypted at rest using server-side AES 256 encryption algorithm. We salt and hash user passwords using 10 rounds of Bcrypt. Data traveling between a customer device and Media Manager is secured with SHA-256 with RSA signed certificates and encrypted using HTTPS/TLS to protect against eavesdropping, tampering, and message forgery. Brandfolder only accepts traffic from 2 whitelisted ports, and has built-in intrusion detection instrumented with monitoring and alerts.  This ensures the integrity of all transmitted information in and out of the Brandfolder technology stack. 

 

Getty Images IT reviews and regularly updates IT vulnerabilities, controls, and risk impacts. The assessment evaluates security vulnerabilities affecting confidentiality, integrity, and availability. Appropriate security safeguards are recommended, permitting management to make knowledge-based decisions about security-related initiatives.

 

By leveraging Amazon Web Services (AWS) and Google Cloud (GCP), Media Manager offers best in breed online and physical security measures, 99.999999999% durability and 99.99% availability of objects over a given year. Media Manager ensures streaming replication backups so that no changes or updates are lost in the event of a disaster.

 

Cloud storage providers provide state of the art data center security, including around the clock staffing, video surveillance and intrusion detection systems. Authorized access is granted on a need to know basis. All administrative interfaces are accessed through key-card and/or 2FA user authentication.