We know that your most-prized asset is the content that you create. Our security standards reflect this throughout both the ftrack product and the company that makes it. We ensure all processes protect the critical confidentiality of your content and meet the high bar for security that we set for ourselves.
We are currently working towards the SOC2 Type 1 and then we will have a SOC2 type 2 between 6-12 months after the Type 1. Type 1 should be ready in mid-2023. Until this report is publicly available, you can get more information about our security processes via the following resources:
Learn more below ↓
Industry trusted, Academy Award-winning solutions
Our security promise
Protecting the data that you entrust to us is of critical importance. We are 100% committed to eradicating threats to your data and to remaining vigilant in an ever-evolving landscape. We set only the highest standards for ourselves when it comes to the protection of your data. Rest assured that we will always take security very seriously as we strive to merit the trust that you have placed in us.
Request the ftrack security white paper
Co-founder & Executive Producer, Blue Zoo
“Rather than having to hunt artists down to query them about what status an asset is in, all of that information is securely held in one central location with no ambiguity.”
Security on the cloud
We’ve built on top of this foundation with a number of features designed to keep your content safe. Firewalls and AES-256 data encryption at rest are just the start. Product features like single sign-on and 2FA further reinforce your account from threat.
Rest assured that, even when working in the cloud, your content remains safe.
ftrack product security
From design to release, there is no step of the ftrack product lifecycle that doesn’t undergo rigorous security checks.
The conversation starts as soon as we conceive any new feature. We identify risks early on, integrate tools to detect vulnerabilities, and perform penetration testing to ensure every step we take keeps your content secure.
When we release new builds, multiple authorization and permission tests (both white- and black-box testing) run automatically. If we make changes to the application source code, they’re logged and reviewed by two developers at minimum to ensure absolute security.
The only people using your ftrack instance will be those with permission.
ftrack supports authentication using LDAP/AD/Google/SAML accounts or native ftrack accounts. API access requires the user to provide a personal API key, and all requests to access files on the server are signed using an HMAC-SHA256 algorithm supplied by AWS. Once authenticated, a user’s role dictates what they can and cannot do within the product.
We make sure these processes remain robustly secure via vulnerability checks and simulated penetration attacks on our outward-facing services. These tests include third-party audits by independent security evaluators Bishop Fox.
Security features in ftrack
We build ftrack around security. While we introduce many new features designed to enhance and optimize workflows, we simultaneously develop and release features to keep these workflows safe and bolster the security of your studio’s content.
We continually review and update our security feature-set, so expect more to come from ftrack in the months ahead.
Some of our security processes
Here’s a quick look at some of the processes we have in place at ftrack HQ to keep your work locked up and safe.
- Audits: Security assessments carried out on a regular basis by independent third-party security experts, Bishop Fox.
- Compliance: Compliant with the MPA and CDSA’s Trusted Partner Network; the media and entertainment industry’s leading security authority.
- Incident management: Tracking, monitoring, and analysis of all incidents to ensure non-repetition.
- Vulnerability scanning: Simulated attacks and network, cloud, and application penetration tests by independent security evaluators.
- Change control: Application source code changes reviewed by two developers at minimum.
- System backup: All data regularly backed up on Amazon S3 to ensure maximum redundancy. Backups are encrypted at rest using AES-256.
The Academy Award- and Emmy-winning cineSync was created by industry veterans to cater to the needs of contemporary creative studios. It combines security with the quality and flexibility required of production today.
cineSync does not store media, and no media file ever passes through our servers. The only information transferred during a session are sync commands – and they’re 256-bit encrypted. It’s why the world’s largest studios trust us with their content.
Internal security at ftrack HQ
Security at ftrack extends beyond our product. It’s a part of everything we do. Here are some of the ways we stay secure at the ftrack office.
- 2FA on all company accounts
- Firewall, antivirus software, and disk encryption for all employees
- Regular security briefs
- Annual security awareness training
- Encrypted digital keys
- Strict confidentiality agreements