Privacy, Data Protection, and Security

Learn about data privacy and security with Wistia, as well as the Wistia Trust Center.

Written by Caroline F
Updated yesterday

Wistia Trust Center

The Wistia Trust Center is our dedicated security website. We are always working to improve our security offerings, and the Trust Center details all things Wistia security, including application security, data privacy, artificial intelligence, and more.

This is also where you can request and download documents such as our Data Processing Addendum (DPA), security certifications, and policies.

To stay up to date with Wistia security, you can subscribe for updates to the Trust Center. Once subscribed, you'll receive notifications about subprocessors, compliance changes, and any other key information.

Privacy and security

Wistia supports the privacy rights of its customers and their users, and we know that keeping your data safe, available, and backed up is critical when trusting a service provider. We are currently compliant with multiple frameworks, regulations, and policies including:

  • SOC 2 Type 2

  • SOC 2 Type 1

  • CCPA

  • GDPR

  • EU-US DPF

  • Swiss-U.S. DPF

  • UK Extension to the EU-U.S. DPF

We’ve designed our security policies and procedures so that you can focus on your business, while we ensure that your data and content are as secure as possible.

Privacy mode for the Wistia media player

We have created a special mode for our media player that only collects fully anonymized viewing data by disabling session tracking and anonymizing IP addresses of your viewers.

You can turn on Privacy mode by default for all your media on your account's settings page, and we provide you with a way to programmatically disable Privacy mode once a visitor has given you their express consent to track them.

For instance, if you have a cookie consent banner on your site, when your visitor clicks the opt-in button, you would make a call to our player to enable session tracking.

You can find all the details regarding this in the Player Privacy Mode documentation.
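
The opt-in flow described above, sketched as an added example (not Wistia's code). It assumes the player's `window._wq` callback queue and `W.consent(boolean)` call, which should be confirmed against the Player Privacy Mode documentation; the storage key and banner button ids are hypothetical.

```javascript
// Added example, not Wistia's code. Assumption: the player exposes the
// window._wq callback queue and W.consent(boolean).
const CONSENT_KEY = "video_tracking_consent"; // hypothetical storage key

// Queue a consent change; the player library runs queued callbacks once loaded.
function setPlayerConsent(win, granted) {
  win._wq = win._wq || [];
  win._wq.push(function (W) { W.consent(granted === true); });
}

// Record the visitor's choice and forward it to the player.
function recordChoice(win, storage, granted) {
  storage.setItem(CONSENT_KEY, granted ? "granted" : "denied");
  setPlayerConsent(win, granted);
}

// On page load: only re-enable tracking for an explicit stored opt-in.
// Missing, "denied" or unexpected values leave Privacy mode in effect.
function restoreChoice(win, storage) {
  const granted = storage.getItem(CONSENT_KEY) === "granted";
  if (granted) setPlayerConsent(win, true);
  return granted;
}

// Browser wiring (hypothetical element ids for the banner buttons).
if (typeof window !== "undefined" && typeof document !== "undefined") {
  restoreChoice(window, window.localStorage);
  const optIn = document.getElementById("consent-accept");
  const optOut = document.getElementById("consent-decline");
  if (optIn) optIn.addEventListener("click", () => recordChoice(window, window.localStorage, true));
  if (optOut) optOut.addEventListener("click", () => recordChoice(window, window.localStorage, false));
}
```

Because tracking is only switched on for an explicit stored "granted" value, a visitor who never interacts with the banner, or who declines, stays in Privacy mode on every page load.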

Note

Privacy Mode isn’t a necessity for your medias to be GDPR compliant, but is a helpful tool in minimizing the data you collect from individual visitors and users.

Note

Privacy mode does not currently apply to Live events in the same way it does for video and channel views. If Privacy mode is enabled, we still collect identifiable event data when using native registration.

Consent for Turnstile and email gates

Under the GDPR, when consent is required, it must be requested in an intelligible and easily accessible form, using clear and plain language.

With this in mind, it’s important that if you’re using our Turnstile feature to collect personal data about your viewers, you update the language to be clear about how you’ll be using their email address and provide a link to your terms and conditions.

We recommend allowing viewers to skip your Turnstile and using the below text on it as well. Make sure to update the link with the URL of your terms.

By entering your email address, you agree to receive our marketing emails. Please see <a href="https://your.company.com/terms" target="_blank">our terms and conditions</a> for further information about how your data is used and stored, including how to opt out.

This is how it will appear:

[Image: Turnstile with GDPR-compliant language]

For more information on consent under GDPR, refer to:

Media footage as personal data and personal information

Media footage containing people or information about them is classified as personal data and personal information. If you get a request to remove an individual or information from a media, you can either delete that media or edit that individual out of the media.

Our Replace Video feature makes it easy to replace that media permanently and immediately in all locations.

If you delete a media in your Wistia account, it will be permanently removed from all of our systems within 30 days.

Privacy declaration

We recommend including this statement about Wistia in your privacy declaration or policy:

This website uses Wistia (https://wistia.com) to power its medias. Wistia tracks how you interact with the medias on this site: how much of a media you play, at what points in a media you pause or rewind, etc. In some medias, we pause the media and request that you provide your email address or name. You are under no obligation to provide this information, but we reserve the right to limit certain medias to identified users. Wistia aggregates the data collected through the medias here, including names and email addresses, and provides it to us. Other than providing this data to us, Wistia does not sell or provide the data it collects from our medias to third parties. We use this data to [insert the business purpose for the data we provide you from your medias (i.e., how you use the data)].

The last sentence may be deleted if you address the business purpose for this category of data elsewhere in your privacy declaration or policy.

Uptime and delivery

Secure, lightning-fast, and reliable global playback across devices is our top priority at Wistia. We bring 11+ years of experience implementing the best in media delivery.

  • Wistia maintains an internal standard of 99.9% uptime. A log of historical uptime is included as part of our real-time status page, https://status.wistia.com

  • We leverage frequently tested, proven infrastructure to deliver content via multiple Tier 1 CDNs (over 230,000 servers located in 130+ countries). To deliver the best quality content worldwide, Wistia serves media via adaptive streaming, also known as HTTP Live Streaming (HLS). HLS playback dynamically controls for the device and connection speeds of your viewers to serve content without interruption.

  • Wistia services and infrastructure are designed to scale horizontally in all situations. We employ redundant providers to minimize downtime in the event of a catastrophic event. Our applications are containerized, our high-scale SQL databases are sharded, and we reserve capacity with our hosting provider to ensure we can meet customer demand.

Account protections

  • Wistia accounts are not crawled by search engines, and can be made completely private and password-protected.

  • Our domain restrictions feature ensures your media can only be played on specific domains.

  • Activation links that require a new user to set up a password are only good for one use — they cannot be passed along.

  • All sensitive communication between our service and customers is done via HTTPS.

  • User passwords are stored hashed with unique salts for each user. All actions within the Wistia app and API are scoped by account.

  • Credit card transactions go straight to our merchant over HTTPS and do not pass through Wistia’s servers.

Breach notification

In the event of a data breach, whether or not it involves personal data or personal information, we will contact you by email. We will also post any incidents to https://status.wistia.com. You can subscribe to updates there as well.

Questions

For questions or inquiries related to data privacy and security, please refer to the Wistia Trust Center.
