Security Model
How CASTOVIA protects your operations, data, subscribers, and infrastructure.
Platform Security
SaaS Control Plane: Castovia is a managed SaaS. No source code is delivered. No self-hosting option. Infrastructure is managed by Castovia.
Tenant Isolation: Each provider operates in a logically isolated tenant. Providers cannot access other providers' data, subscribers, streams, or configuration.
RBAC (Role-Based Access Control): Four roles: super_admin, admin (provider), supplier, viewer. Each role has strictly scoped permissions.
Plan Enforcement: 7-tier plan model with API-level soft and hard enforcement. Hard enforcement is active on critical commercial routes.
Authentication & Access
Password Security: Passwords hashed with bcrypt. No plaintext storage for admin/supplier accounts.
Agent Token Model: Provider nodes authenticate with scoped agent tokens, never with human passwords. Tokens are per-node and can be rotated independently.
Rate Limiting: Login, signup, contact forms, and API endpoints are rate-limited per IP to prevent brute-force attacks.
Session Management: JWT-based sessions with 24-hour expiration.
Suspicious Activity Detection: Automated detection and logging of suspicious login patterns.
Data Protection
No sourceUrl Exposure: Internal stream source URLs are never exposed to end-user devices or client-side code.
No storagePath Exposure: Internal storage paths remain server-side only.
Signed Playback URLs: Playback URLs are time-limited and cryptographically signed. Expired URLs are rejected.
Signed Playback Metadata: End-user devices receive only safe metadata. No internal infrastructure details.
Audit Logs: Administrative actions are logged for accountability.
CDN/DRM Credential Security
CDN API Keys: Stored encrypted in the database. Never returned in API responses. Redacted in UI.
DRM Secrets: Stored encrypted. Never exposed to client devices. No raw license secrets in application logs.
No Origin Secret Exposure: CDN origin secrets are never exposed to end-user devices.
Stripe & Billing Security
Stripe Secret Key: Server-side only. Never exposed in client-side code or API responses.
Webhook Signature Verification: All Stripe webhook events are verified using their HMAC signature before processing.
Idempotent Processing: Webhook events are deduplicated to prevent double-processing.
Publishable Key: Only the publishable key (read-only) is used in client-side checkout flows.
Legal Positioning & Abuse Prevention
No Content Provision: Castovia does not provide, host, or distribute TV/video content. Providers are fully responsible for legal content rights.
Abuse Reporting: Public abuse reporting mechanism. Reports are reviewed and actioned.
Account Suspension: Castovia reserves the right to suspend accounts distributing content illegally.
Log Preservation: Relevant logs may be preserved where legally required for compliance.
Acceptable Use Policy: All providers must agree. Violations may result in immediate suspension.