Security & Compliance
Security
Comprehensive overview of DST Connect security architecture, infrastructure, compliance, and sub-processor information.
Player Software
The DST Connect app runs on 50+ hardware platforms via a unified JS SDK. The app is deployed as a native application per operating system.
Supported Platforms
| Operating System | Device Types |
|---|---|
| Android | Android SoC displays (Philips, Sony, Sharp/NEC, Panasonic, Hisense, BenQ, Vestel), dedicated Android players, tablets |
| Samsung Tizen | Samsung commercial displays (SSSP) |
| LG webOS | LG commercial displays |
| BrightSign OS | BrightSign media players |
| Windows | Windows 10/11 PCs, OPS modules |
| Linux | Ubuntu, Fedora, Raspberry Pi |
| ChromeOS | Google Chrome devices |
Setup
After installing the DST Connect app, the device displays a 6-character verification code. Enter this code in the DST Connect dashboard to claim the screen. For large deployments, bulk provisioning is available. See the How It Works guide for details.
Network Requirements
All communication between players, CMS, and APIs is secured and optimised for bandwidth efficiency.
Protocols & Ports
- All communication takes place over HTTPS (TLS 1.2 or higher) on port
443. - We recommend also whitelisting port
80, as some external content may be loaded via HTTP.
Communication
- Both the player software and the CMS use multiple REST API endpoints.
- Content is delivered via a CDN with delta updates to reduce bandwidth usage and ensure fast refresh.
Device Pull Model & Scaling
- Players operate statelessly and periodically check for updates.
- Only modified content ("deltas") is downloaded, enabling efficient caching and reliable offline playback.
Whitelisted Domains
Ensure the following domains are whitelisted in your firewall and proxy configuration.
Core CMS & Content Hosting
| Domain | Purpose |
|---|---|
cms.dst-connect.io | CMS frontend |
templates.ds-templates.com | CMS frontend |
dstemplates-prod.s3.eu-central-1.amazonaws.com | Media files |
services.digitalsignage-templates.com | Integrations |
prod.staticfiles.digitalsignage-templates.com | CDN |
fonts.gstatic.com / fonts.googleapis.com | Google Fonts |
use.typekit.net | Adobe Fonts |
Whitelabel
Resellers may use their own dedicated (whitelabel) domain. If enabled, significant traffic will pass through that domain and it must be whitelisted.
Common External Content Domains
| Service | Domains |
|---|---|
| Buienradar | gadgets.buienradar.nl, tiles.buienradar.nl, image.buienradar.nl, image-cdn.buienradar.nl |
| Power BI | wabi-west-europe-d-primary-api.analysis.windows.net, content.powerapps.com, app.powerbi.com, dc.services.visualstudio.com, pbivisuals.powerbi.com |
| News & Media | cdn.prod.www.spiegel.de, www.amberalert.nl, api.omroepbrabant.nl, media.nu.nl, pbs.twimg.com, www.rtlnieuws.nl, cdn.jwplayer.com, videos-fms.jwpsrv.com, static.nieuwsblad.be |
| Images & Data | lh3.googleusercontent.com (Rijksmuseum), cdn.pixabay.com (Pixabay), kit.fontawesome.com (Font Awesome) |
Important
When using iframe templates or RSS feeds, whitelist the external source domains as well.
Security & Access
DST Connect implements multiple layers of security to protect your data and ensure compliance.
Authentication & Authorization
- Federated login via SAML / Microsoft Entra ID
- Role-Based Access Control (RBAC) with custom permissions
- IP whitelisting for administrative interfaces
- Multi-Factor Authentication (MFA) — optional, can be enforced per organisation by administrators
Session Management
- Automatic session expiry after a configurable period of inactivity
- Sessions are invalidated on password change or account deactivation
- Secure, HTTP-only session cookies with
SameSiteattribute
API Security
- Rate limiting on all API endpoints to prevent abuse
- API key authentication with rotation policies (frequency varies per key type)
- All API traffic over HTTPS exclusively
Encryption & Data Protection
- All communication over HTTPS (TLS 1.2+)
- Sensitive data stored with AES-256 encryption
- Passwords hashed using bcrypt with salt
Data Residency
- Default hosting in EU (Frankfurt, Germany)
- Customers can request EU-only data residency to guarantee all data remains within the European Union
- US hosting available for customers that prefer or require it
Compliance
- Fully GDPR and ISO 27001 aligned
- DST Connect acts solely as a data processor
- Upon contract termination, all data is securely and irreversibly deleted within 30 days
- Data Processing Agreement (DPA) available on request — contact security@dst-connect.io
- Cyber liability insurance in place covering data breaches and security incidents
- 99% uptime SLA for the cloud platform
Penetration Testing
DST Connect undergoes annual penetration tests conducted by independent, certified third-party security firms. These tests cover the full attack surface including web application security, API endpoints, authentication flows, and infrastructure.
- Frequency: annually (minimum), with additional tests after major platform changes
- Scope: OWASP Top 10, API security, authentication & authorization, infrastructure
- Remediation: all critical and high findings are resolved before the next release cycle
- Reports: penetration test reports are available upon request under NDA
Request reports
Customers and prospective customers can request the latest penetration test report, including remediation status, by contacting security@dst-connect.io. Reports are shared under a mutual NDA.
Incident Response
DST Connect maintains a documented incident response procedure aligned with ISO 27001 guidelines:
- Detection & triage — automated monitoring and alerting for security events
- Notification — affected customers are notified within 72 hours of confirmed data breach, in accordance with GDPR Article 33
- Containment & remediation — immediate measures to contain the incident, followed by root cause analysis
- Post-incident review — lessons learned documented and preventive measures implemented
Vulnerability Management
- Dependencies are monitored for known vulnerabilities (CVEs) and patched regularly
- Infrastructure patches are applied within 30 days for critical vulnerabilities, 90 days for non-critical
- Code reviews are performed on all changes before deployment to production
- Responsible disclosure: security researchers can report vulnerabilities to security@dst-connect.io
Backup & Disaster Recovery
- Daily automated backups of all databases and file storage
- Backups are encrypted (AES-256) and stored in a geographically separate location within the EU
- Recovery Point Objective (RPO): 24 hours
- Recovery Time Objective (RTO): 4 hours
- Disaster recovery procedures are tested periodically
Business Continuity
DST Connect maintains a Business Continuity Plan (BCP) to ensure service availability during disruptions:
- Documented procedures for infrastructure failure, data centre outage, and key personnel unavailability
- Geo-redundant infrastructure with automatic failover
- Devices continue playback independently during cloud outages (offline resilience)
- BCP is reviewed and updated annually
- BCP documentation available on request — contact security@dst-connect.io
Audit Trail & Logging
- All user actions (login, content changes, device management commands) are logged with timestamp, user ID, and IP address
- Logs are retained for a minimum of 12 months
- Access to logs is restricted to authorised personnel only
Employee Security
- All employees sign confidentiality agreements
- Access to production systems follows the principle of least privilege
- Multi-factor authentication (MFA) required for all internal systems
- Regular security awareness training for all team members
Server Locations
Production infrastructure is hosted across certified data centres with full redundancy.
| Location | Certifications | Features |
|---|---|---|
| AWS Frankfurt (Germany) | ISO 27001 certified | Multi-AZ, geo-redundant; AES-256 encryption; daily backups |
| Hetzner, Frankfurt (Germany) | ISO 27001 certified | Redundant infrastructure; daily backups; encrypted storage |
On-Premise Installations
While DST Connect is primarily cloud-hosted, on-premise deployment is available for customers requiring local hosting due to security, compliance, or offline needs.
Supported Operating Systems
- Debian / Ubuntu Server
- Red Hat Enterprise Linux (RHEL)
- CentOS Stream
- Other enterprise Linux distributions (subject to compatibility testing)
Note
Windows Server is not officially supported for on-premise hosting.
Containerized Deployment (Docker)
- On-premise requires a Docker-based installation.
- Delivered as one or more Docker containers for consistency and easy maintenance.
- Supported with Docker Compose or orchestration (e.g., Kubernetes) following provided guidelines.
Minimum Server Requirements
| Component | Recommended Specification |
|---|---|
| CPU | 4 vCPU / 2.4 GHz or higher |
| Memory | 8 GB RAM minimum |
| Storage | 100 GB SSD (expandable) |
| Network | 1 Gbit/s LAN + internet access for updates & integrations |
| OS | 64-bit Linux (Debian / RHEL family) |
| Virtualisation | Supported (VMware, Hyper-V, Proxmox) |
Example Hardware
A DELL EMC PowerEdge T150 provides a reliable foundation for on-premise hosting:
- Intel Xeon E-2300 series processor
- 8–16 GB ECC DDR4 RAM
- Enterprise-grade SSD storage
- Optional redundant PSU for higher availability
Network & Security Requirements
- Enable HTTPS (TLS 1.2+) for all CMS and API endpoints
- Open ports:
443(required),80(optional for external content) - Whitelist required core and integration domains (see Whitelisted Domains)
- Use internal DNS or static IP for stability
Responsibilities
- Provision and maintain server hardware or VM
- Apply OS patches and security updates
- Manage firewall and network configuration
- Perform backups per internal policy (procedures available on request)
- Ensure resources for high-availability/scaling if required
Support & Maintenance
- Installation guidelines, Docker configuration, and initial deployment assistance provided
- Pull ongoing application updates via Docker image updates (per change management)
- Optional remote support via secure VPN or jump-host
Sub-processors — Personal Data Processing
The following sub-processors process personal data as part of the DST Connect Data Processing Agreement (DPA). These are mandatory inclusions.
| # | Sub-processor | Location | Purpose | Personal Data |
|---|---|---|---|---|
| 1 | DS Templates B.V. | Netherlands (EU) | Content management platform — template library, visual editor, content hosting, and delivery infrastructure | User accounts (email, name), media uploads (incl. employee photos), template content, integration data |
| 2 | Amazon Web Services (AWS) | EU/US (depending on customer region) | Cloud infrastructure: storage (S3), email delivery (SES), message queue (SQS) | Media uploads (incl. employee photos), email addresses & names of users, invoice documents (PDF) |
| 3 | Auth0 (Okta) | EU/US (depending on customer region) | Authentication & identity management (OAuth 2.0) | Email address, first name, last name, SSO identity, login credentials |
| 4 | TeamLeader Focus | Belgium | CRM — partner management, ticketing, invoicing. Used exclusively for resellers, distributors, and system integrators — end-user data is never stored in TeamLeader. | Contact names, email addresses, phone numbers, company names, addresses, VAT numbers (partners only) |
| 5 | Datadog | EU/US (depending on customer region) | Application monitoring & metrics | Currently metrics only (logging disabled, auth headers redacted). If configuration changes: potentially IP addresses and user identifiers |
| 6 | Userback | Australia | Bug reporting & user feedback | Name, email address, user ID, country/location, browser & OS info, screen resolution, page URLs, feedback content (incl. screenshots) |
| 7 | MongoDB (Atlas) | EU/US (depending on customer region) | Document database | All application data including user data |
| 8 | Redis | EU/US (depending on customer region) | Caching & session management | Session data, cached user data |
Optional services
Datadog and Userback can be disabled upon request. The remaining sub-processors in this category (DS Templates, AWS, Auth0, TeamLeader, MongoDB, Redis) are part of the core platform infrastructure and cannot be disabled.
Sub-processors — End-User Data (Optional Modules)
These sub-processors process personal data of the customer's end-users. They apply only when the customer activates the corresponding module.
| # | Sub-processor | Location | Purpose | Personal Data |
|---|---|---|---|---|
| 8 | Microsoft Azure / Microsoft 365 | US / EU | Authentication (Azure AD), calendar (Outlook Calendar), email (Outlook Mail), meeting rooms, document management (SharePoint), communication (Teams), analytics (Power BI) | Organiser names & email addresses, participant names, email content (sender, subject), document content, employee work location |
| 9 | Google Cloud / Google Workspace | US | Authentication (OAuth), calendar (Calendar), analytics, AI generation (Vertex AI), file storage (Drive), video (YouTube) | Email address, name, calendar participants, work location, presence/absence, analytics (location, device, session data) |
| 10 | WebUntis | Austria | School timetable information | Teacher names, student names & IDs, group assignments |
| 11 | Xedule | Netherlands | Education scheduling | Teacher names, schedule linking |
| 12 | Zermelo | Netherlands | School information system | Schedule data (placeholder implementation) |
| 13 | Humly | Sweden | Meeting room management | Meeting organiser name |
| 14 | Bundeling | Netherlands | Internal communication platform | Author names, profile data, news content |
| 15 | US | Social media content | Organisation data, post author metadata | |
| 16 | AFAS Software | Netherlands | ERP / business software (via Sedum integration) | Company & employee data |
| 17 | Wave (PPDS) | Netherlands | Display management (GraphQL) | Device & user data |
| 18 | RealWorks | Netherlands | Real estate listings | Realtor data, property information |
| 19 | Max-Immo | Belgium | Real estate listings | Realtor data, property information |
| 20 | SolarEdge | Israel | Solar panel monitoring | Installation data, location |
| 21 | Embion | Netherlands | Solar panel monitoring | Installation data, location |
| 22 | Ticketmatic | Belgium | Event ticketing | Event data |
| 23 | OneLogin (SAML) | US | SAML authentication | SSO identity, email address |
| 24 | Google reCAPTCHA | US | Bot protection | IP address, browser behaviour |
| 25 | FeedbackCompany | Netherlands | Customer reviews | Review widget (no direct PII identified) |
Activation required
All sub-processors in this category are only active when the customer explicitly enables the corresponding integration or module. They can be disabled at any time through the CMS settings.
Sub-processors — Public Data Only
These services process only public or non-personal data and are likely not required as sub-processors under GDPR.
| # | Service | Purpose | Reason for Exclusion |
|---|---|---|---|
| 26 | NS (Nederlandse Spoorwegen) | Train schedules | Public transport information only |
| 27 | iRail | Train schedules (Belgium) | Public transport information only |
| 28 | Deutsche Bahn | Train schedules (Germany) | Public transport information only |
| 29 | TomTom | Traffic information | Traffic data only, no personal data |
| 30 | MoopMoop / Infoplaza | Weather, traffic, public transport | Public data only |
| 31 | BuienRadar | Weather data | Weather data only |
| 32 | NU.nl | News (RSS) | Public news feeds only |
| 33 | Pixabay | Stock photos | Public images only |
| 34 | Rijksmuseum | Art collection | Public museum data only |
| 35 | ZenQuotes | Quotes | Public quotes only |
| 36 | OpenF1 / Ergast | Formula 1 data | Public sports data only |
| 37 | SafeSearch Public Alerts | Emergency alerts | Public alerts only |