Security & Architecture

Your data. Your bucket. Your control.

DailyStream is built on the principle of client data sovereignty. Recording data flows directly from your employees' workstations to your own AWS S3 bucket. Our infrastructure handles authentication, session orchestration, and metadata only. Your recordings never enter our environment.

Structural guarantees

What DailyStream cannot do

These aren't policies that depend on our good behavior. They're constraints built into the architecture itself.

  • Cannot delete recordings from your bucket

    Our access to your S3 bucket is intentionally scoped so we cannot remove your recordings. Only you can delete them, on whatever retention schedule you choose.

  • Cannot list the contents of your bucket

    We can only access objects by exact key. We cannot enumerate the bucket, browse it, or discover recording names you have not explicitly handed us.

  • Does not retain recordings on our own infrastructure

    Recording data flows directly from the StreamSight agent to your S3 bucket. It never persists on DailyStream-owned servers. The one exception is for customers who opt in to AI screenshot review: in that case, individual screenshots are processed on our self-hosted LLM servers and deleted immediately after processing. AI review is opt-in only.

  • Cannot extend, reuse, or repurpose access

    Every signed URL is single-use, short-lived, and cryptographically bound to one specific S3 object and one HTTP method. You can revoke our access at any time by rotating credentials.

Network architecture

Three isolated zones

DailyStream is deployed across three network zones in AWS, each with strict boundaries and a specific purpose.

DailyStream VPC (private)

Houses the Lambda API, the system database, and the cache layer. No direct external access. Only reachable through the DMZ via API Gateway.

DailyStream DMZ (public)

API Gateway, CloudFront, and a logs-only S3 bucket. Acts as the security perimeter for every inbound request: TLS termination, rate limiting, DDoS protection.

Client cloud (your AWS account)

Your AWS S3 bucket, in your AWS account, under your encryption keys. All recording data lives here exclusively. We never replicate it anywhere else.

Encryption everywhere

In transit and at rest

No plaintext HTTP at any layer of the system. Recordings encrypted under your keys, in your bucket.

In transit

  • HTTPS / TLS 1.2+ on every connection: agent to API, manager to viewer, web app to backend
  • TLS 1.3 minimum on the cache layer; older protocols rejected at the application level
  • AWS-managed certificates with automatic renewal at the API Gateway and CloudFront edges
  • Encrypted Lambda ↔ SQL Server connection via AWS RDS Proxy

At rest

  • Recording S3 encryption controlled entirely by your bucket policy: SSE-S3 or SSE-KMS
  • User passwords hashed with PBKDF2-SHA512 and a per-company salt
  • Session tokens stored in an encrypted cache layer (AWS ElastiCache)
  • Environment secrets stored in AWS Lambda environment variables, encrypted by AWS KMS

Function            Algorithm               Key / output size
Password hashing    PBKDF2-SHA512           512-bit output
Token signing       HMAC-SHA256             256-bit key minimum
Random generation   crypto/rand (CSPRNG)    256-bit
Cache transport     TLS 1.3                 256-bit cipher key

All cryptographic operations use Go's standard library (crypto/*) and golang.org/x/crypto, which undergo regular security audit.
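To make the password-hashing row above concrete, here is an added example (not DailyStream's code) of PBKDF2-HMAC-SHA512 hashing and verification written against the Go standard library only, so it runs without golang.org/x/crypto. The iteration count (210,000, the OWASP 2023 figure for PBKDF2-HMAC-SHA512), the random 16-byte salt per record (RFC 8018 recommends a salt unique to each password; the page itself describes a per-company salt) and the "pbkdf2-sha512$iter$salt$dk" record format are all choices made for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"hash"
	"strconv"
	"strings"
)

const (
	defaultIterations = 210_000 // OWASP (2023) guidance for PBKDF2-HMAC-SHA512; assumed here
	saltLen           = 16      // 128-bit random salt per record; assumed here
	keyLen            = 64      // 512-bit derived key, matching the table above
)

// pbkdf2 derives keyLen bytes from password and salt per RFC 8018 section 5.2,
// using HMAC over the supplied hash as the PRF. Standard library only.
func pbkdf2(password, salt []byte, iter, keyLen int, h func() hash.Hash) []byte {
	prf := hmac.New(h, password)
	hLen := prf.Size()
	numBlocks := (keyLen + hLen - 1) / hLen
	dk := make([]byte, 0, numBlocks*hLen)
	u := make([]byte, hLen)
	for block := 1; block <= numBlocks; block++ {
		// U_1 = PRF(P, S || INT(block)), with a big-endian 32-bit block index.
		prf.Reset()
		prf.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], uint32(block))
		prf.Write(idx[:])
		u = prf.Sum(u[:0])
		t := make([]byte, hLen)
		copy(t, u)
		// U_i = PRF(P, U_{i-1}); T_block = U_1 xor U_2 xor ... xor U_c.
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(u[:0])
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

func encodeRecord(password string, salt []byte, iter int) string {
	dk := pbkdf2([]byte(password), salt, iter, keyLen, sha512.New)
	enc := base64.RawStdEncoding
	return fmt.Sprintf("pbkdf2-sha512$%d$%s$%s", iter, enc.EncodeToString(salt), enc.EncodeToString(dk))
}

// HashPassword returns a self-describing record carrying the parameters needed
// to verify it later, so the iteration count can be raised for new records
// without breaking old ones.
func HashPassword(password string) (string, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil { // crypto/rand, the CSPRNG in the table
		return "", err
	}
	return encodeRecord(password, salt, defaultIterations), nil
}

// VerifyPassword recomputes the derivation from the stored record and compares
// in constant time, so timing does not reveal how many leading bytes matched.
func VerifyPassword(password, record string) (bool, error) {
	parts := strings.Split(record, "$")
	if len(parts) != 4 || parts[0] != "pbkdf2-sha512" {
		return false, errors.New("unrecognised password record")
	}
	iter, err := strconv.Atoi(parts[1])
	if err != nil || iter < 1 {
		return false, errors.New("bad iteration count")
	}
	enc := base64.RawStdEncoding
	salt, err := enc.DecodeString(parts[2])
	if err != nil {
		return false, err
	}
	want, err := enc.DecodeString(parts[3])
	if err != nil {
		return false, err
	}
	got := pbkdf2([]byte(password), salt, iter, len(want), sha512.New)
	return subtle.ConstantTimeCompare(got, want) == 1, nil
}

func main() {
	rec, _ := HashPassword("correct horse battery staple")
	ok, _ := VerifyPassword("correct horse battery staple", rec)
	bad, _ := VerifyPassword("Correct horse battery staple", rec)
	fmt.Println(rec)
	fmt.Println("match:", ok, "wrong password:", bad)
}
```

The record stores its own iteration count and salt, which is what lets a deployment raise the work factor over time: new hashes use the higher count, old ones still verify, and can be re-hashed on the next successful login.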

Identity, access, and isolation

Authentication and access control

Defense in depth: mandatory 2FA, role-based access, and database-level authorization that the application layer cannot bypass.

Mandatory 2FA

Every user, every login. No opt-out, no per-tenant disable.

JWT sessions

Signed with HMAC-SHA256 and validated server-side on every request, using a constant-time signature comparison. Session cookies are HttpOnly, Secure, and SameSite=Lax.

Database-level authorization

When a manager requests a recording, a stored procedure validates that the requesting user is authorized to view the target employee's data. This check cannot be bypassed at the application layer.

Multi-tenant isolation

Every database query is scoped by the company ID carried in the authenticated JWT, which is validated server-side before the ID is used. There is no application path that allows cross-company data access.
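The JWT session and multi-tenant isolation paragraphs above describe one mechanism: the company ID that scopes every query comes from a token whose HMAC-SHA256 signature has already been verified in constant time. The following added example (not DailyStream's code) implements that in Go with only the standard library: it signs a compact JWS, verifies it with the algorithm pinned to HS256, and then derives the database parameters from the verified claims rather than from anything the client sent. The claim names, the procedure name usp_GetRecordingForViewer and the 15-minute lifetime are assumptions for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the session payload this example assumes: subject, tenant and
// expiry. The field names are illustrative, not DailyStream's schema.
type Claims struct {
	Subject   string `json:"sub"`
	CompanyID string `json:"company_id"`
	ExpiresAt int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// Sign produces base64url(header).base64url(claims).base64url(HMAC-SHA256).
func Sign(key []byte, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// Verify checks structure, algorithm, signature and expiry, in that order,
// and only then returns the claims. Nothing in the payload is trusted before
// the signature check passes.
func Verify(key []byte, token string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	headerJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return c, errors.New("bad header encoding")
	}
	var header struct {
		Alg string `json:"alg"`
	}
	// Pin the algorithm server-side: the token never gets to choose "none" or another scheme.
	if err := json.Unmarshal(headerJSON, &header); err != nil || header.Alg != "HS256" {
		return c, errors.New("unexpected alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return c, errors.New("bad signature encoding")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) { // constant-time comparison
		return c, errors.New("invalid signature")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return c, errors.New("bad payload encoding")
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	if c.CompanyID == "" {
		return c, errors.New("missing company_id")
	}
	if now.Unix() >= c.ExpiresAt {
		return c, errors.New("token expired")
	}
	return c, nil
}

// TenantQuery shows the scoping rule: the company ID bound to the stored
// procedure always comes from the verified token, never from the request.
// It returns the procedure name and parameter list instead of executing them,
// so the rule is visible without a database. Names are illustrative.
func TenantQuery(key []byte, token, requestedEmployeeID string, now time.Time) (string, []any, error) {
	c, err := Verify(key, token, now)
	if err != nil {
		return "", nil, err
	}
	return "usp_GetRecordingForViewer", []any{c.CompanyID, c.Subject, requestedEmployeeID}, nil
}

func main() {
	key := []byte("example-key-load-from-kms-in-production") // constructed for the example, not a real secret
	now := time.Unix(1_700_000_000, 0)
	tok, _ := Sign(key, Claims{Subject: "mgr-42", CompanyID: "acme", ExpiresAt: now.Add(15 * time.Minute).Unix()})
	proc, args, err := TenantQuery(key, tok, "emp-7", now)
	fmt.Println(proc, args, err)
	// A token minted under a different key, claiming another tenant, fails the signature check.
	forged, _ := Sign([]byte("attacker"), Claims{Subject: "mgr-42", CompanyID: "globex", ExpiresAt: now.Add(time.Hour).Unix()})
	_, _, err = TenantQuery(key, forged, "emp-7", now)
	fmt.Println("forged token:", err)
}
```

The order inside Verify matters: the algorithm is fixed before the signature is checked, and the claims are decoded only after the signature passes, so a client cannot influence which check runs or smuggle a different company_id past it.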

Software supply chain

Built clean, shipped clean

StreamSight ships as a compiled Go binary with no runtime interpreter or dependency installation on employee workstations. Every commit is scanned before it's allowed to ship.

Compiled, hermetic builds

  • StreamSight is a single compiled Go binary. No Python, no Node, no runtime to keep patched on the workstation
  • All third-party dependencies are pinned to specific versions and vendored into the source tree with go.sum checksum verification
  • Builds don't require network access. Vendored code is verified against its go.sum checksums, so tampering is detected, and because the code is vendored an upstream takedown cannot break the build
  • Lambda functions are deployed as immutable artifacts via GitHub Actions

Automated security scanning

The following tools run on every build, and a failing scan blocks the deploy:

  • gosec: security-focused static analysis (OWASP patterns)
  • govulncheck: known-vulnerability scanning against the Go vulnerability database
  • staticcheck: advanced static analysis
  • errcheck: unchecked-error detection
  • go vet and revive: additional static checks and lint
  • go test -race: race-condition detection

At a glance

Summary of security controls

Domain                   Control
Authentication           Mandatory 2FA, PBKDF2-SHA512 password hashing
Authorization            Role-based access control, database-enforced viewer permissions
Encryption in transit    TLS on all connections, TLS 1.3 minimum on cache layer
Encryption at rest       Client-controlled S3 encryption, PBKDF2 password hashes
Data sovereignty         Recordings stored in client-owned S3 bucket; only metadata and diagnostic logs on DailyStream infrastructure
SQL injection            100% parameterized stored procedures, zero string concatenation
Session management       JWT sessions, server-side validation, secure cookies
Network zones            Three-zone architecture: private VPC, public DMZ, client-controlled cloud
Multi-tenant isolation   Company ID embedded in the authenticated JWT, validated server-side, and enforced as a required parameter on every database query and stored procedure
DDoS protection          AWS Shield at API Gateway and CloudFront layers
Signed URLs              Short-lived, single-use, object-specific
Code security            Automated SAST, vulnerability scanning, race detection on every commit
Local data               Auto-cleanup after upload, startup wipe of residual files

Need the full architecture document for a procurement review?

We share the complete DailyStream Security Architecture document with enterprise prospects under NDA. Schedule a call and we'll send it over.