Security
Comprehensive overview of DS Templates security architecture, infrastructure, compliance, and sub-processor information.
Player Software
To display DS Templates content on external media players, the DS Templates Player Software must be installed.
Available Versions
| Player | Description |
|---|---|
| Android Player | Native DS Templates application for Android devices |
| Windows Player | Native Windows application |
| HTML Launcher | Browser-based deployment via secure URL |
During installation, enter the screen key (available on the Screens page in the CMS) to link the player to the correct CMS environment.
Network Requirements
All communication between players, CMS, and APIs is secured and optimised for bandwidth efficiency.
Protocols & Ports
- All communication takes place over HTTPS (TLS 1.2 or higher) on port 443.
- We recommend also whitelisting port 80, as some external content may be loaded via HTTP.
Communication
- Both the player software and the CMS use multiple REST API endpoints.
- Content is delivered via a CDN with delta updates to reduce bandwidth usage and ensure fast refresh.
Device Pull Model & Scaling
- Players operate statelessly and periodically check for updates.
- Only modified content ("deltas") is downloaded, enabling efficient caching and reliable offline playback.
Whitelisted Domains
Ensure the following domains are whitelisted in your firewall and proxy configuration.
Core CMS & Content Hosting
| Domain | Purpose |
|---|---|
| app.digitalsignage-templates.com | CMS frontend |
| cms.dst-connect.io | Alternative CMS frontend |
| templates.ds-templates.com | CMS frontend |
| dstemplates-prod.s3.eu-central-1.amazonaws.com | Media files |
| services.digitalsignage-templates.com | Integrations |
| prod.staticfiles.digitalsignage-templates.com | CDN |
| fonts.gstatic.com / fonts.googleapis.com | Google Fonts |
| use.typekit.net | Adobe Fonts |
Resellers may use their own dedicated (whitelabel) domain. If enabled, significant traffic will pass through that domain and it must be whitelisted.
Common External Content Domains
| Service | Domains |
|---|---|
| Buienradar | gadgets.buienradar.nl, tiles.buienradar.nl, image.buienradar.nl, image-cdn.buienradar.nl |
| Power BI | wabi-west-europe-d-primary-api.analysis.windows.net, content.powerapps.com, app.powerbi.com, dc.services.visualstudio.com, pbivisuals.powerbi.com |
| News & Media | cdn.prod.www.spiegel.de, www.amberalert.nl, api.omroepbrabant.nl, media.nu.nl, pbs.twimg.com, www.rtlnieuws.nl, cdn.jwplayer.com, videos-fms.jwpsrv.com, static.nieuwsblad.be |
| Images & Data | lh3.googleusercontent.com (Rijksmuseum), cdn.pixabay.com (Pixabay), kit.fontawesome.com (Font Awesome) |
When using iframe templates or RSS feeds, whitelist the external source domains as well.
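One way to check a firewall or proxy against the lists above is to audit its allow/deny decisions. This is an added example, not DS Templates code. It assumes a constructed "ACTION host:port" log format, uses only a subset of the external content domains, and reads the port guidance as "443 for core domains, 80 only for external content".

```python
# Added example, not DS Templates code. The "ACTION host:port" log format and
# the rule that port 80 is for external content only are assumptions.
CORE = {  # "Core CMS & Content Hosting" table
    "app.digitalsignage-templates.com", "cms.dst-connect.io",
    "templates.ds-templates.com", "services.digitalsignage-templates.com",
    "dstemplates-prod.s3.eu-central-1.amazonaws.com",
    "prod.staticfiles.digitalsignage-templates.com",
    "fonts.gstatic.com", "fonts.googleapis.com", "use.typekit.net",
}
# Subset of "Common External Content Domains"; add the sources you use,
# and put any reseller whitelabel domain in CORE.
EXTERNAL = {"gadgets.buienradar.nl", "tiles.buienradar.nl",
            "media.nu.nl", "app.powerbi.com"}

def expected(host, port):
    """True if the rules above require host:port to be reachable."""
    host = host.lower().rstrip(".")  # exact match only, no suffix matching
    if host in CORE:
        return port == 443
    if host in EXTERNAL:
        return port in (80, 443)
    return False

def audit(lines):
    """Return (finding, destination) pairs for decisions that contradict the rules."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue
        action, dest = parts
        host, _, port = dest.rpartition(":")
        if not host or not port.isdigit():
            continue
        ok = expected(host, int(port))
        if action == "DENIED" and ok:
            findings.append(("blocked-required", dest))
        elif action == "ALLOWED" and not ok:
            findings.append(("allowed-outside-policy", dest))
    return findings

SAMPLE_LOG = [  # constructed proxy decisions, not real traffic
    "ALLOWED app.digitalsignage-templates.com:443",
    "DENIED prod.staticfiles.digitalsignage-templates.com:443",
    "ALLOWED media.nu.nl:80",
    "ALLOWED app.digitalsignage-templates.com:80",
    "ALLOWED fonts.gstatic.com.example.net:443",
    "DENIED tracker.example.org:443",
]
```

A "blocked-required" finding means a player will miss content or updates. An "allowed-outside-policy" finding means the rule set is broader than the lists require, for example plaintext HTTP to a core domain or a look-alike host that only a suffix match would accept.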
Security & Access
DS Templates implements multiple layers of security to protect your data and ensure compliance.
Authentication & Authorization
- Federated login via SAML / Microsoft Entra ID
- Role-Based Access Control (RBAC) with custom permissions
- IP whitelisting for administrative interfaces
Encryption & Data Protection
- All communication over HTTPS (TLS 1.2+)
- Sensitive data stored with AES-256 encryption
- Passwords hashed using bcrypt with salt
Compliance
- Fully GDPR and ISO 27001 aligned
- DS Templates acts solely as a data processor
- Upon contract termination, all data is securely and irreversibly deleted
Server Locations
Production infrastructure is hosted across certified data centres with full redundancy.
| Location | Certifications | Features |
|---|---|---|
| AWS Frankfurt (Germany) | ISO 27001 certified | Multi-AZ, geo-redundant; AES-256 encryption; daily backups |
| Hetzner, Frankfurt (Germany) | ISO 27001 certified | Redundant infrastructure; daily backups; encrypted storage |
On-Premise Installations
While DS Templates is primarily cloud-hosted, on-premise deployment is available for customers requiring local hosting due to security, compliance, or offline needs.
Supported Operating Systems
- Debian / Ubuntu Server
- Red Hat Enterprise Linux (RHEL)
- CentOS Stream
- Other enterprise Linux distributions (subject to compatibility testing)
Windows Server is not officially supported for on-premise hosting.
Containerized Deployment (Docker)
- On-premise requires a Docker-based installation.
- Delivered as one or more Docker containers for consistency and easy maintenance.
- Supported with Docker Compose or orchestration (e.g., Kubernetes) following provided guidelines.
Minimum Server Requirements
| Component | Recommended Specification |
|---|---|
| CPU | 4 vCPU / 2.4 GHz or higher |
| Memory | 8 GB RAM minimum |
| Storage | 100 GB SSD (expandable) |
| Network | 1 Gbit/s LAN + internet access for updates & integrations |
| OS | 64-bit Linux (Debian / RHEL family) |
| Virtualisation | Supported (VMware, Hyper-V, Proxmox) |
Example Hardware
A DELL EMC PowerEdge T150 provides a reliable foundation for on-premise hosting:
- Intel Xeon E-2300 series processor
- 8–16 GB ECC DDR4 RAM
- Enterprise-grade SSD storage
- Optional redundant PSU for higher availability
Network & Security Requirements
- Enable HTTPS (TLS 1.2+) for all CMS and API endpoints
- Open ports: 443 (required), 80 (optional for external content)
- Whitelist required core and integration domains (see Whitelisted Domains)
- Use internal DNS or static IP for stability
Responsibilities
- Provision and maintain server hardware or VM
- Apply OS patches and security updates
- Manage firewall and network configuration
- Perform backups per internal policy (procedures available on request)
- Ensure resources for high-availability/scaling if required
Support & Maintenance
- Installation guidelines, Docker configuration, and initial deployment assistance provided
- Pull ongoing application updates via Docker image updates (per change management)
- Optional remote support via secure VPN or jump-host
Sub-processors — Personal Data Processing
The following sub-processors process personal data as part of the DS Templates Data Processing Agreement (DPA). These are mandatory inclusions.
| # | Sub-processor | Location | Purpose | Personal Data |
|---|---|---|---|---|
| 1 | Amazon Web Services (AWS) | US (EU region possible) | Cloud infrastructure: storage (S3), email delivery (SES), message queue (SQS) | Media uploads (incl. employee photos), email addresses & names of users, invoice documents (PDF) |
| 2 | Auth0 (Okta) | US | Authentication & identity management (OAuth 2.0) | Email address, first name, last name, SSO identity, login credentials |
| 3 | TeamLeader Focus | Belgium | CRM — partner management, ticketing, invoicing. Used exclusively for resellers, distributors, and system integrators — end-user data is never stored in TeamLeader. | Contact names, email addresses, phone numbers, company names, addresses, VAT numbers (partners only) |
| 4 | Datadog | US | Application monitoring & metrics | Currently metrics only (logging disabled, auth headers redacted). If configuration changes: potentially IP addresses and user identifiers |
| 5 | Userback | Australia | Bug reporting & user feedback | Name, email address, user ID, country/location, browser & OS info, screen resolution, page URLs, feedback content (incl. screenshots) |
| 6 | MongoDB (Atlas) | Depends on hosting | Document database | All application data including user data |
| 7 | Redis | Depends on hosting | Caching & session management | Session data, cached user data |
Datadog and Userback can be disabled upon request. The remaining sub-processors in this category (AWS, Auth0, TeamLeader, MongoDB, Redis) are part of the core platform infrastructure and cannot be disabled.
Sub-processors — End-User Data (Optional Modules)
These sub-processors process personal data of the customer's end-users. They apply only when the customer activates the corresponding module.
| # | Sub-processor | Location | Purpose | Personal Data |
|---|---|---|---|---|
| 8 | Microsoft Azure / Microsoft 365 | US / EU | Authentication (Azure AD), calendar (Outlook Calendar), email (Outlook Mail), meeting rooms, document management (SharePoint), communication (Teams), analytics (Power BI) | Organiser names & email addresses, participant names, email content (sender, subject), document content, employee work location |
| 9 | Google Cloud / Google Workspace | US | Authentication (OAuth), calendar (Calendar), analytics, AI generation (Vertex AI), file storage (Drive), video (YouTube) | Email address, name, calendar participants, work location, presence/absence, analytics (location, device, session data) |
| 10 | WebUntis | Austria | School timetable information | Teacher names, student names & IDs, group assignments |
| 11 | Xedule | Netherlands | Education scheduling | Teacher names, schedule linking |
| 12 | Zermelo | Netherlands | School information system | Schedule data (placeholder implementation) |
| 13 | Humly | Sweden | Meeting room management | Meeting organiser name |
| 14 | Bundeling | Netherlands | Internal communication platform | Author names, profile data, news content |
| 15 | | US | Social media content | Organisation data, post author metadata |
| 16 | AFAS Software | Netherlands | ERP / business software (via Sedum integration) | Company & employee data |
| 17 | Wave (PPDS) | Netherlands | Display management (GraphQL) | Device & user data |
| 18 | RealWorks | Netherlands | Real estate listings | Realtor data, property information |
| 19 | Max-Immo | Belgium | Real estate listings | Realtor data, property information |
| 20 | SolarEdge | Israel | Solar panel monitoring | Installation data, location |
| 21 | Embion | Netherlands | Solar panel monitoring | Installation data, location |
| 22 | Ticketmatic | Belgium | Event ticketing | Event data |
| 23 | OneLogin (SAML) | US | SAML authentication | SSO identity, email address |
| 24 | Google reCAPTCHA | US | Bot protection | IP address, browser behaviour |
| 25 | FeedbackCompany | Netherlands | Customer reviews | Review widget (no direct PII identified) |
All sub-processors in this category are only active when the customer explicitly enables the corresponding integration or module. They can be disabled at any time through the CMS settings.
Sub-processors — Public Data Only
These services process only public or non-personal data and are likely not required as sub-processors under GDPR.
| # | Service | Purpose | Reason for Exclusion |
|---|---|---|---|
| 26 | NS (Nederlandse Spoorwegen) | Train schedules | Public transport information only |
| 27 | iRail | Train schedules (Belgium) | Public transport information only |
| 28 | Deutsche Bahn | Train schedules (Germany) | Public transport information only |
| 29 | TomTom | Traffic information | Traffic data only, no personal data |
| 30 | MoopMoop / Infoplaza | Weather, traffic, public transport | Public data only |
| 31 | BuienRadar | Weather data | Weather data only |
| 32 | NU.nl | News (RSS) | Public news feeds only |
| 33 | Pixabay | Stock photos | Public images only |
| 34 | Rijksmuseum | Art collection | Public museum data only |
| 35 | ZenQuotes | Quotes | Public quotes only |
| 36 | OpenF1 / Ergast | Formula 1 data | Public sports data only |
| 37 | SafeSearch Public Alerts | Emergency alerts | Public alerts only |