Security at WeVideo

Security is our top concern. Our products and infrastructure are designed to protect users and their data.

Policies and procedures


Governance

WeVideo’s Security and Privacy teams establish policies and controls, monitor compliance with those controls, and prove our security and compliance to third-party auditors. We design our policies based on these principles:

  • Access should be limited to only those with a legitimate business need and granted based on the principle of least privilege.
  • Security controls should be implemented and layered according to the principle of defense-in-depth.
  • Security controls should be applied consistently across all areas of the enterprise.
  • The implementation of controls should be iterative, continuously maturing across the dimensions of improved effectiveness, increased auditability, and decreased friction.

Security and compliance

WeVideo follows best practices as part of the NIST Cybersecurity Framework, maintains SOC 2 Type II attestation, and complies with:

  • FERPA
  • COPPA
  • New York Education Law Section 2-D (NY Ed Law 2-d)
  • GDPR
  • CCPA
  • PCI DSS


Data protection

  • Data at rest: All datastores with customer data live in Amazon Web Services' state-of-the-art secure servers and are encrypted at rest.
  • Data in transit: WeVideo uses TLS 1.2 everywhere data is transmitted over networks. We also use features such as HSTS (HTTP Strict Transport Security) to maximize the security of our data in transit. Server TLS keys and certificates are managed by AWS and deployed via Application Load Balancers.
  • Secret management: Encryption keys are managed via AWS Key Management Service (KMS). KMS stores key material in Hardware Security Modules (HSMs), which prevents direct access by any individuals, including employees of Amazon and WeVideo. Application secrets are encrypted and stored securely via AWS Secrets Manager, and access to these values is strictly limited.


Product security

  • Penetration testing: WeVideo engages in penetration testing performed by a third party on an annual basis at minimum. Regular infrastructure security reviews are conducted with a third party on a biannual basis at minimum.
  • Vulnerability scanning: WeVideo combines vulnerability scanning by its internal team with weekly scans provided by third-party services.
  • Secure development practice: All code is peer reviewed and tested prior to release via both automated and manual processes.
  • Staged releases: Updates are released to production environments only after qualification in development and staging environments.

Enterprise security

  • Endpoint protection: We use MDM software to enforce secure configuration of endpoints, such as disk encryption, endpoint protection, screen lock configuration, and software updates.
  • Secure remote access: WeVideo’s internal infrastructure resources can only be accessed through a company VPN with multi-factor authentication.
  • Security education: WeVideo provides comprehensive security training to all employees upon onboarding and refresh training on an annual basis at minimum.
  • Identity and access management: WeVideo uses Google Workspace to secure our identity and access management. We enforce a strong password policy and multi-factor authentication wherever possible. WeVideo employees are granted access to applications based on their role, using a ticketing system, and are deprovisioned upon termination of their employment.

Vendor security

WeVideo uses a risk-based approach to vendor security. Factors which influence the inherent risk rating of a vendor include: 

  • Access to customer and corporate data
  • Integration with production environments
  • Potential damage to the WeVideo brand

Once the inherent risk rating has been determined, the security of the vendor is evaluated in order to determine a residual risk rating and an approval decision for the vendor.
