strmz.io Security Overview


Connect to your customers, staff & audience securely



Effective Date: January 1, 2022

Last Updated Date: January 20, 2023


Overview of strmz.io Platform Architecture
Network Requirements


For the majority of networks, there will be no issues using the strmz.io platform. However if you have an environment that is behind a restrictive network, use the following information to create the proper firewall whitelist configuration.



Client Network Traffic


From the client perspective, there are two main types of traffic:

  • HTTP/WebSocket requests, which use TCP
  • Media traffic is streamed over UDP


The following table lists the destination TCP and UDP ports to add to your firewall whitelist:



Signaling and Media Encryption


All signaling communications, including WebSocket connections from the client to the strmz.io platform, are encrypted using Transport Layer Security (TLS) 1.2+.



The strmz.io platform employs standard real-time media (audio, video, and screen-share) encryption technology from WebRTC. It uses AES-128 to encrypt media, and HMAC-SHA1 to verify data integrity. The media is transported over Secure Real-Time Protocol (SRTP) and the encryption keys are exchanged using the Datagram Transport Layer Security (DTLS) protocol.



The platform will temporarily decrypt the media when received from a web client, and then immediately re-encrypt before sending to other clients in the conference. This short decryption/re-encryption process is necessary for managing the conference media routing, and also for supporting features such as recording and streaming. Your media is never transported over the Internet unencrypted.



User Authentication


Event Creators and administrators are authenticated, when they login to the strmz.io portal (https://account.strmz.io), via their strmz.io credentials or via OAUTH to Azure AD or Google.


Role-based access to events


All event hosts, guest speakers and moderators must login securely to join the live stream of the event.


By default, all viewers must validate their email addresses by clicking on a custom link that strmz.io sent to their email addresses.


The Event Creator may choose to impose one of the following, more strict, authentication policies for identity verification of attendee viewers:

  • Mandate that audience log-in securely using their strmz.io credentials (email address and password) or via OAuth2.0 to their Google or Microsoft account
  • Mandate that only members of a specified set of email domains can join the audience of an event.

These options provide greater control over the distribution of the event access information and preserves the confidentiality of e.g. internal events or shareholder update events.



Security and Privacy of Payments


strmz.io is integrated with Stripe, to support payments processing for our customers. When a user is making a payment, all relevant payments pages are served by Stripe and all credit card information is stored and secured by Stripe. For information about Stripe’s security and privacy, refer to https://stripe.com/docs/security/stripe and  https://stripe.com/privacy



User Privacy


  • strmz.io stores our users’ email addresses, names, titles and company names in our database, which is hosted on Google Cloud Platform, in the US
  • strmz.io stores our customers' recordings on the Amazon Web Services cloud, in the US
  • strmz.io shares our users' email addresses with our payment partner (Stripe) and our WebRTC Meetings partner (Dolby.io) 
  • No PII is ever logged in the strmz.io service


For more details about User Privacy, refer to the strmz.io Privacy Policy.


For any further questions about security or to request a copy of our more detailed Security Guide, please contact us.



How to contact us


        Email: support@strmz.io