Security
Comprehensive overview of DS Templates security architecture, infrastructure, compliance, and sub-processor information.
Network Requirements
All communication between the CMS and APIs is secured and optimised for bandwidth efficiency.
Protocols & Ports
- All communication takes place over HTTPS (TLS 1.2 or higher) on port 443.
- We recommend also whitelisting port 80, as some external content may be loaded via HTTP. Anything fetched over plain HTTP is unencrypted and unauthenticated in transit, so limit port 80 to the external content hosts that actually need it rather than opening it to all destinations.
Communication
- The CMS uses multiple REST API endpoints for content management and integrations.
- Content is delivered via a CDN with delta updates to reduce bandwidth usage and ensure fast refresh.
Whitelisted Domains
Ensure the following domains are whitelisted in your firewall and proxy configuration.
Core CMS & Content Hosting
| Domain | Purpose |
|---|---|
| app.digitalsignage-templates.com | CMS frontend |
| cms.dst-connect.io | Alternative CMS frontend |
| templates.ds-templates.com | CMS frontend |
| dstemplates-prod.s3.eu-central-1.amazonaws.com | Media files |
| services.digitalsignage-templates.com | Integrations |
| prod.staticfiles.digitalsignage-templates.com | CDN |
| fonts.gstatic.com / fonts.googleapis.com | Google Fonts |
| use.typekit.net | Adobe Fonts |
Resellers may use their own dedicated (whitelabel) domain. If enabled, significant traffic will pass through that domain and it must be whitelisted.
Common External Content Domains
| Service | Domains |
|---|---|
| Buienradar | gadgets.buienradar.nl, tiles.buienradar.nl, image.buienradar.nl, image-cdn.buienradar.nl |
| Power BI | wabi-west-europe-d-primary-api.analysis.windows.net, content.powerapps.com, app.powerbi.com, dc.services.visualstudio.com, pbivisuals.powerbi.com |
| News & Media | cdn.prod.www.spiegel.de, www.amberalert.nl, api.omroepbrabant.nl, media.nu.nl, pbs.twimg.com, www.rtlnieuws.nl, cdn.jwplayer.com, videos-fms.jwpsrv.com, static.nieuwsblad.be |
| Images & Data | lh3.googleusercontent.com (Rijksmuseum), cdn.pixabay.com (Pixabay), kit.fontawesome.com (Font Awesome) |
When using iframe templates or RSS feeds, whitelist the external source domains as well.
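To verify that a proxy or firewall allowlist actually matches what the players and CMS browsers fetch, here is an added example (not DS Templates code) that classifies each URL in an outbound proxy log as allowlisted over TLS, allowlisted but fetched over plain HTTP (the port 80 case above), or not on the list at all. The log line format, the reseller whitelabel domain signage.example-reseller.com and the sample lines are constructed; the external-content set is a subset of the table above.

```python
"""Check outbound proxy log entries against the DS Templates domain allowlist.
Added example, not DS Templates code. The log line format, the reseller
whitelabel domain and the sample lines below are constructed."""
import re
from urllib.parse import urlsplit

# Core CMS and content-hosting domains from the table on this page.
CORE_DOMAINS = {
    "app.digitalsignage-templates.com",
    "cms.dst-connect.io",
    "templates.ds-templates.com",
    "dstemplates-prod.s3.eu-central-1.amazonaws.com",
    "services.digitalsignage-templates.com",
    "prod.staticfiles.digitalsignage-templates.com",
    "fonts.gstatic.com",
    "fonts.googleapis.com",
    "use.typekit.net",
}

# Subset of the "Common External Content Domains" table (add the ones you use).
EXTERNAL_DOMAINS = {
    "gadgets.buienradar.nl",
    "image.buienradar.nl",
    "cdn.pixabay.com",
    "lh3.googleusercontent.com",
    "kit.fontawesome.com",
}

# Hypothetical reseller whitelabel domain (assumption): replace with your own.
RESELLER_DOMAINS = {"signage.example-reseller.com"}


def host_allowed(host, allowlist):
    """True if host is an allowlisted name or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowlist)


def classify(url, allowlist):
    """'ok' (allowlisted, TLS), 'plaintext' (allowlisted but HTTP) or 'unlisted'."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host_allowed(host, allowlist):
        return "unlisted"
    # Port 80 may be needed for some external content, but those fetches are
    # unencrypted in transit and deserve a second look.
    if parts.scheme == "http" or parts.port == 80:
        return "plaintext"
    return "ok"


# Constructed proxy log: "<client-ip> <method> <url> <status>" per line.
SAMPLE_LOG = """\
10.0.5.21 GET https://app.digitalsignage-templates.com/login 200
10.0.5.21 GET https://prod.staticfiles.digitalsignage-templates.com/app.js 200
10.0.5.21 GET http://image.buienradar.nl/radar.png 200
10.0.5.22 GET https://cdn.pixabay.com/photo.jpg 200
10.0.5.22 GET https://signage.example-reseller.com/api/content 200
10.0.5.23 GET https://evil.example.net/beacon 200
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def audit_log(text, allowlist):
    """Return {'ok': count, 'plaintext': [urls], 'unlisted': [urls]}."""
    report = {"ok": 0, "plaintext": [], "unlisted": []}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        verdict = classify(m.group(3), allowlist)
        if verdict == "ok":
            report["ok"] += 1
        else:
            report[verdict].append(m.group(3))
    return report


if __name__ == "__main__":
    allow = CORE_DOMAINS | EXTERNAL_DOMAINS | RESELLER_DOMAINS
    print(audit_log(SAMPLE_LOG, allow))
```

Matching is suffix-based so that subdomains of an allowlisted name pass, which mirrors how most proxies treat a wildcard entry; if your firewall only accepts exact hostnames, drop the `endswith` branch. Unlisted destinations are the ones to investigate before widening the allowlist.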
Security & Access
DS Templates implements multiple layers of security to protect your data and ensure compliance.
Authentication & Authorization
- Federated login via SAML / Microsoft Entra ID
- Role-Based Access Control (RBAC) with custom permissions
- IP whitelisting for administrative interfaces
- Multi-Factor Authentication (MFA) — optional, can be enforced per organisation by administrators
Session Management
- Automatic session expiry after a configurable period of inactivity
- Sessions are invalidated on password change or account deactivation
- Secure, HttpOnly session cookies with the SameSite attribute set
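A quick way to confirm these attributes on your own tenant's login response, as an added example that is not part of the original page: feed the Set-Cookie header values into the checker below. The session cookie names session and sid, and the sample headers, are assumptions, since the page does not name the real cookie.

```python
"""Audit Set-Cookie headers from a CMS login response for the session-cookie
attributes described above (Secure, HttpOnly, SameSite). Added example, not
DS Templates code; the session cookie names and sample headers are assumptions."""

# Cookie names treated as session cookies (assumption: the real name is not on the page).
SESSION_COOKIE_NAMES = {"session", "sid"}


def parse_set_cookie(header):
    """Parse one Set-Cookie value into (name, value, {attr_lower: value or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True  # flag attributes map to True
    return name.strip(), value, attrs


def check_session_cookie(header):
    """Return a list of findings; an empty list means the cookie is set correctly."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie would also be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable by page scripts")
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True:
        findings.append("missing SameSite: set Lax or Strict explicitly")
    elif samesite.lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure is rejected by browsers")
    max_age = attrs.get("max-age")
    if isinstance(max_age, str) and max_age.isdigit() and int(max_age) > 86400:
        # A long-lived cookie is only acceptable if the server itself enforces
        # the inactivity timeout and invalidation on password change.
        findings.append("Max-Age over 24h: rely on server-side inactivity expiry")
    return findings


def audit_response(set_cookie_values):
    """Check every Set-Cookie value whose cookie name is a session cookie."""
    results = {}
    for header in set_cookie_values:
        name, _, _ = parse_set_cookie(header)
        if name.lower() in SESSION_COOKIE_NAMES:
            results[name] = check_session_cookie(header)
    return results


# Constructed sample headers: one hardened, one as it should not be issued.
GOOD = "session=7f3a9c0d; Path=/; Secure; HttpOnly; SameSite=Lax"
BAD = "sid=7f3a9c0d; Path=/; SameSite=None; Max-Age=2592000"

if __name__ == "__main__":
    for name, findings in audit_response([GOOD, BAD, "theme=dark; Path=/"]).items():
        print(name, findings or "OK")
```

Run it against the raw response headers from a browser's network tab or from `curl -i`; non-session cookies such as a theme preference are ignored. Note that HttpOnly and Secure say nothing about whether the server actually invalidates the session on password change, which can only be tested by changing the password and replaying the old cookie.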
API Security
- Rate limiting on all API endpoints to prevent abuse
- API key authentication with rotation policies (frequency varies per key type)
- All API traffic over HTTPS exclusively
Encryption & Data Protection
- All communication over HTTPS (TLS 1.2+)
- Sensitive data stored with AES-256 encryption
- Passwords hashed using bcrypt (bcrypt embeds a per-password salt in each hash)
Data Residency
- Default hosting in EU (Frankfurt, Germany)
- Customers can request EU-only data residency to guarantee all data remains within the European Union
- US hosting available for customers that prefer or require it
Compliance
- Fully GDPR and ISO 27001 aligned
- DS Templates acts solely as a data processor
- Upon contract termination, all data is securely and irreversibly deleted within 30 days
- Data Processing Agreement (DPA) available on request — contact security@digitalsignage-templates.com
- Cyber liability insurance in place covering data breaches and security incidents
- 99% uptime SLA for the cloud platform
Penetration Testing
DS Templates undergoes annual penetration tests conducted by independent, certified third-party security firms. These tests cover the full attack surface including web application security, API endpoints, authentication flows, and infrastructure.
- Frequency: annually (minimum), with additional tests after major platform changes
- Scope: OWASP Top 10, API security, authentication & authorization, infrastructure
- Remediation: all critical and high findings are resolved before the next release cycle
- Reports: penetration test reports are available upon request under NDA
Customers and prospective customers can request the latest penetration test report, including remediation status, by contacting security@digitalsignage-templates.com. Reports are shared under a mutual NDA.
Incident Response
DS Templates maintains a documented incident response procedure aligned with ISO 27001 guidelines:
- Detection & triage — automated monitoring and alerting for security events
- Notification — affected customers (the data controllers) are notified within 72 hours of a confirmed personal data breach. GDPR Article 33(2) obliges a processor to notify the controller without undue delay; the 72-hour limit in Article 33(1) is the controller's own deadline for informing the supervisory authority, which runs from the moment the controller becomes aware
- Containment & remediation — immediate measures to contain the incident, followed by root cause analysis
- Post-incident review — lessons learned documented and preventive measures implemented
Vulnerability Management
- Dependencies are monitored for known vulnerabilities (CVEs) and patched regularly
- Infrastructure patches are applied within 30 days for critical vulnerabilities, 90 days for non-critical
- Code reviews are performed on all changes before deployment to production
- Responsible disclosure: security researchers can report vulnerabilities to security@digitalsignage-templates.com
Backup & Disaster Recovery
- Daily automated backups of all databases and file storage
- Backups are encrypted (AES-256) and stored in a geographically separate location within the EU
- Recovery Point Objective (RPO): 24 hours
- Recovery Time Objective (RTO): 4 hours
- Disaster recovery procedures are tested periodically
Business Continuity
DS Templates maintains a Business Continuity Plan (BCP) to ensure service availability during disruptions:
- Documented procedures for infrastructure failure, data centre outage, and key personnel unavailability
- Geo-redundant infrastructure with automatic failover
- BCP is reviewed and updated annually
- BCP documentation available on request — contact security@digitalsignage-templates.com
Audit Trail & Logging
- All user actions (login, content changes, API calls) are logged with timestamp, user ID, and IP address
- Logs are retained for a minimum of 12 months
- Access to logs is restricted to authorised personnel only
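Because the log entries carry a timestamp, user ID and source IP, a customer can correlate them with the IP whitelisting for administrative interfaces mentioned earlier. The following is an added example, not DS Templates code: the page does not define an export format, so the JSON-lines layout, the admin networks, the set of actions treated as administrative and the events themselves are all constructed.

```python
"""Review exported audit-log events for administrative actions from IPs outside
an allowlist. Added example, not DS Templates code: the JSON-lines format, the
networks, the admin action set and the sample events are constructed."""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime

# Hypothetical administrative IP allowlist (assumption): office and VPN egress ranges.
ADMIN_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.10/32")]

# Which logged actions count as administrative is an assumption for this example.
ADMIN_ACTIONS = {"login", "role_change", "api_key_create", "user_invite"}

# Constructed events with the fields the page says are logged: timestamp, user ID, IP.
SAMPLE_EVENTS = """\
{"ts": "2024-05-01T08:00:00Z", "user": "u-1001", "ip": "203.0.113.7", "action": "login"}
{"ts": "2024-05-01T08:05:12Z", "user": "u-1001", "ip": "203.0.113.7", "action": "content_publish"}
{"ts": "2024-05-01T23:41:03Z", "user": "u-1001", "ip": "192.0.2.44", "action": "login"}
{"ts": "2024-05-02T09:15:00Z", "user": "u-2002", "ip": "198.51.100.10", "action": "role_change"}
{"ts": "2024-05-02T11:02:30Z", "user": "u-2002", "ip": "192.0.2.44", "action": "content_publish"}
"""


def parse_events(text):
    """Parse JSON-lines events; timestamps become aware datetimes, IPs become ip_address objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        e["ip"] = ipaddress.ip_address(e["ip"])
        events.append(e)
    return events


def in_allowlist(ip):
    """True if the address falls inside one of ADMIN_NETWORKS."""
    return any(ip in net for net in ADMIN_NETWORKS)


def admin_actions_outside_allowlist(events):
    """Administrative actions whose source IP is not in ADMIN_NETWORKS."""
    return [e for e in events if e["action"] in ADMIN_ACTIONS and not in_allowlist(e["ip"])]


def ips_per_user(events):
    """Map user ID -> set of source IPs, to spot a user appearing from a new address."""
    seen = defaultdict(set)
    for e in events:
        seen[e["user"]].add(str(e["ip"]))
    return dict(seen)


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for e in admin_actions_outside_allowlist(events):
        print(f"{e['ts'].isoformat()} {e['user']} {e['action']} from {e['ip']}")
    print(ips_per_user(events))
```

In the sample, the late-evening login from 192.0.2.44 is flagged while the content publish from the same address is not, because only the administrative actions are checked against the allowlist; widen `ADMIN_ACTIONS` if content changes should be held to the same rule.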
Employee Security
- All employees sign confidentiality agreements
- Access to production systems follows the principle of least privilege
- Multi-factor authentication (MFA) required for all internal systems
- Regular security awareness training for all team members
Server Locations
Production infrastructure is hosted across certified data centres with full redundancy.
| Location | Certifications | Features |
|---|---|---|
| AWS Frankfurt (Germany) | ISO 27001 certified | Multi-AZ, geo-redundant; AES-256 encryption; daily backups |
| Hetzner, Frankfurt (Germany) | ISO 27001 certified | Redundant infrastructure; daily backups; encrypted storage |
Sub-processors — Personal Data Processing
The following sub-processors process personal data as part of the DS Templates Data Processing Agreement (DPA). These are mandatory inclusions.
| # | Sub-processor | Location | Purpose | Personal Data |
|---|---|---|---|---|
| 1 | Amazon Web Services (AWS) | EU/US (depending on customer region) | Cloud infrastructure: storage (S3), email delivery (SES), message queue (SQS) | Media uploads (incl. employee photos), email addresses & names of users, invoice documents (PDF) |
| 2 | Auth0 (Okta) | EU/US (depending on customer region) | Authentication & identity management (OAuth 2.0) | Email address, first name, last name, SSO identity, login credentials |
| 3 | TeamLeader Focus | Belgium | CRM — partner management, ticketing, invoicing. Used exclusively for resellers, distributors, and system integrators — end-user data is never stored in TeamLeader. | Contact names, email addresses, phone numbers, company names, addresses, VAT numbers (partners only) |
| 4 | Datadog | EU/US (depending on customer region) | Application monitoring & metrics | Currently metrics only (logging disabled, auth headers redacted). If configuration changes: potentially IP addresses and user identifiers |
| 5 | Userback | Australia | Bug reporting & user feedback | Name, email address, user ID, country/location, browser & OS info, screen resolution, page URLs, feedback content (incl. screenshots) |
| 6 | MongoDB (Atlas) | EU/US (depending on customer region) | Document database | All application data including user data |
| 7 | Redis | EU/US (depending on customer region) | Caching & session management | Session data, cached user data |
Datadog and Userback can be disabled upon request. The remaining sub-processors in this category (AWS, Auth0, TeamLeader, MongoDB, Redis) are part of the core platform infrastructure and cannot be disabled.
Sub-processors — End-User Data (Optional Modules)
These sub-processors process personal data of the customer's end-users. They apply only when the customer activates the corresponding module.
| # | Sub-processor | Location | Purpose | Personal Data |
|---|---|---|---|---|
| 8 | Microsoft Azure / Microsoft 365 | US / EU | Authentication (Azure AD), calendar (Outlook Calendar), email (Outlook Mail), meeting rooms, document management (SharePoint), communication (Teams), analytics (Power BI) | Organiser names & email addresses, participant names, email content (sender, subject), document content, employee work location |
| 9 | Google Cloud / Google Workspace | US | Authentication (OAuth), calendar (Calendar), analytics, AI generation (Vertex AI), file storage (Drive), video (YouTube) | Email address, name, calendar participants, work location, presence/absence, analytics (location, device, session data) |
| 10 | WebUntis | Austria | School timetable information | Teacher names, student names & IDs, group assignments |
| 11 | Xedule | Netherlands | Education scheduling | Teacher names, schedule linking |
| 12 | Zermelo | Netherlands | School information system | Schedule data (placeholder implementation) |
| 13 | Humly | Sweden | Meeting room management | Meeting organiser name |
| 14 | Bundeling | Netherlands | Internal communication platform | Author names, profile data, news content |
| 15 | | US | Social media content | Organisation data, post author metadata |
| 16 | AFAS Software | Netherlands | ERP / business software (via Sedum integration) | Company & employee data |
| 17 | Wave (PPDS) | Netherlands | Display management (GraphQL) | Device & user data |
| 18 | RealWorks | Netherlands | Real estate listings | Realtor data, property information |
| 19 | Max-Immo | Belgium | Real estate listings | Realtor data, property information |
| 20 | SolarEdge | Israel | Solar panel monitoring | Installation data, location |
| 21 | Embion | Netherlands | Solar panel monitoring | Installation data, location |
| 22 | Ticketmatic | Belgium | Event ticketing | Event data |
| 23 | OneLogin (SAML) | US | SAML authentication | SSO identity, email address |
| 24 | Google reCAPTCHA | US | Bot protection | IP address, browser behaviour |
| 25 | FeedbackCompany | Netherlands | Customer reviews | Review widget (no direct PII identified) |
All sub-processors in this category are only active when the customer explicitly enables the corresponding integration or module. They can be disabled at any time through the CMS settings.
Sub-processors — Public Data Only
These services process only public or non-personal data and are likely not required as sub-processors under GDPR.
| # | Service | Purpose | Reason for Exclusion |
|---|---|---|---|
| 26 | NS (Nederlandse Spoorwegen) | Train schedules | Public transport information only |
| 27 | iRail | Train schedules (Belgium) | Public transport information only |
| 28 | Deutsche Bahn | Train schedules (Germany) | Public transport information only |
| 29 | TomTom | Traffic information | Traffic data only, no personal data |
| 30 | MoopMoop / Infoplaza | Weather, traffic, public transport | Public data only |
| 31 | BuienRadar | Weather data | Weather data only |
| 32 | NU.nl | News (RSS) | Public news feeds only |
| 33 | Pixabay | Stock photos | Public images only |
| 34 | Rijksmuseum | Art collection | Public museum data only |
| 35 | ZenQuotes | Quotes | Public quotes only |
| 36 | OpenF1 / Ergast | Formula 1 data | Public sports data only |
| 37 | SafeSearch Public Alerts | Emergency alerts | Public alerts only |