Security at TV Labs

TV Labs was built with security and privacy in mind from day one.

Below you can learn more about our security credentials, our internal security practices, and how to disclose security issues to our team. If you're looking to learn more about how we think about data privacy at TV Labs, you can read our privacy policy.

Our security posture

TV Labs is engaged for SOC 2 Type 1 & Type 2 compliance. If you'd like copies of our SOC 2 engagement letter, please let us know at security@tvlabs.ai.

Here's a little more about our security practices at TV Labs:

• We implement best practices around least privilege, with limited access to production data for our employees.
• Access to all systems is enforced by 2FA for our employees.
• All of our code changes are signed off by at least one other person, and tested in a staging environment before being deployed.
• We retain server logs for a maximum of 1 year, after which time they are permanently deleted.
• All data is encrypted at rest, and we use TLS 1.2 for all cross-service communication.

More information and responsible disclosure

We're always improving the security of our product. If you'd like to learn more about our data protection processes, you can email us at security@tvlabs.ai.

If you are a security researcher and would like to disclose an issue, contact security@tvlabs.ai. We are strong advocates for responsible disclosure by independent security researchers. We believe the best way to protect current and future customers is to encourage researchers to come forward with issues and reply promptly.

Our promise to you is:

• We will read and respond to all reported vulnerabilities.
• We will not take any harmful action (including legal action) against researchers who act ethically and in good faith.
• We will highlight the contributions of security researchers who make significant reports.

In return we ask:

• That you do not attempt to access, modify, or delete data belonging to TV Labs customers.
• That you report issues promptly once discovered.
• That you do not attempt denial of service against the TV Labs service.

Firewall Configuration

The TV Labs platform is served as a web application, available globally in your favorite Web browser.

If you're using TV Labs behind a corporate network or VPN, you may need your IT / Network administrator to allow traffic to the following supporting services

TV Labs Connect

TV Labs Connect is a feature of the TV Labs CLI that allows connecting to remote devices in the TV Labs network, making them available on your local machine.

To use TV Labs Connect, you must be able to reach tunnel.tvlabs.ai on port 2222.

• Destination: tunnel.tvlabs.ai
• Destination Port: 2222
• Protocol: TCP
• Direction:: Outbound (with corresponding inbound responses allowed)

Example Configurations

Linux (iptables)

# Allow outbound traffic to tunnel.tvlabs.ai on port 2222
iptables -A OUTPUT -p tcp -d tunnel.tvlabs.ai --dport 2222 -j ACCEPT

# Allow established connections to receive responses
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Teleport

TV Labs Teleport is a VPN-based solution that allows testing devices to be virtually relocated to specific regions. If you're a content provider (like Acme Corp with the "Acme" app) using TV Labs to test your geo-restricted content, you'll need to configure your content delivery infrastructure to accept requests from our Teleport nodes.

Specifically, you must add the IP addresses of all TV Labs Teleport nodes to the allow-list of your load balancers, CDNs, API gateways, or any other firewall systems that serve your content. This ensures that when a TV Labs device connects through our Teleport service to test your geo-restricted content, your systems will properly accept the connection.

Required Firewall Rules

To use Teleport, you need to allow-list the IP addresses of all Teleport nodes in your firewall configuration:

• IP Addresses: All IP addresses listed at https://tvlabs.ai/api/teleport/ipv4 (IPv4) and https://tvlabs.ai/api/teleport/ipv6 (IPv6)
• Ports: 443 (HTTPS)
• Protocol: TCP
• Direction: Inbound (allowing traffic from Teleport nodes to your network)

Example Configurations

Linux (iptables)

For environments that require automated updating of allowlists, you can use our API endpoints to retrieve the current list of Teleport node IP addresses:

#!/bin/bash
# Script to update iptables with Teleport node IP addresses

# Get current IPv4 addresses
TELEPORT_IPS=$(curl -s -H "Accept: text/plain" https://tvlabs.ai/api/teleport/ipv4)

# Clear existing Teleport rules
iptables -F TELEPORT_CHAIN 2>/dev/null || iptables -N TELEPORT_CHAIN

# Add new rules
for IP in $TELEPORT_IPS; do
  iptables -A TELEPORT_CHAIN -s $IP -p tcp --dport 443 -j ACCEPT
done

# Link the chain to INPUT if not already done
iptables -C INPUT -j TELEPORT_CHAIN 2>/dev/null || iptables -A INPUT -j TELEPORT_CHAIN