Security & Architecture Whitepaper — LogicStream Video Platform

Executive summary

LogicStream is a secure video and podcast platform purpose-built for Moodle and Totara learning environments, delivering adaptive streaming, anti-skip completion, and AI transcription through native LMS integration.

It runs as an AWS-native, multi-tenant SaaS architecture. Every layer — storage, encryption keys, content delivery, and the asynchronous processing pipeline — is designed for isolation and regional control.

Our security posture rests on five pillars: encryption everywhere at rest and in transit; isolation per organization; customer-controlled residency; full auditability; and a defined incident response process.

Compliance posture: GDPR-ready and UAE-PDPL-aligned.

Encryption

SSE-KMS at rest, TLS 1.2+ in transit, per-tenant keys.

Isolation

Dedicated S3, KMS keys, and CDN origins per organization.

Residency

Per-org, customer-controlled region selection.

Auditability

CloudTrail across all accounts; per-tenant dashboards.

Architecture overview

Architecture diagram — Buyer → CloudFront → ALB → App tier → per-tenant S3 + KMS · Async pipeline: SQS → Lambda → MediaConvert → Transcribe → Comprehend

AWS services used

Service	Purpose
Amazon S3	Per-tenant object storage for source and encoded media.
CloudFront	Global CDN delivery with signed URLs.
MediaConvert	Multi-quality adaptive (HLS) encoding.
Transcribe	AI transcription and caption generation.
Comprehend	Auto-tagging and content classification.
Rekognition	Automated content moderation.
KMS	Per-tenant customer master keys with rotation.
Lambda	Asynchronous processing orchestration.
CloudWatch	Monitoring, metrics, and per-tenant dashboards.

Regional deployment topology is described in Regional capabilities & residency.

Tenant isolation model

Per-organization S3 buckets with bucket policies scoping access to the org's IAM role only.
Per-organization KMS keys with automatic rotation.
IAM least-privilege — each tenant's resources are accessed via scoped role assumption.
Logical isolation in the application layer — org_id enforced at every API boundary.
Database — row-level security with mandatory org_id predicates.

Data security

Encryption at rest — SSE-KMS on S3, RDS encryption, EBS encryption.
Encryption in transit — TLS 1.2+ everywhere, signed CloudFront URLs.
Secrets — AWS Secrets Manager with automatic rotation.
Backups — S3 versioning, RDS automated backups, point-in-time recovery.
Key management — per-tenant CMKs, no shared keys.

Regional capabilities & data residency

LogicStream offers a tiered capability model (Core / Standard / Premium AI) that varies by region depending on available AWS services. Residency policy is set per organization and is customer-controlled.

Region	AWS region	Tier
UAE	me-central-1	Standard
Bahrain	me-south-1	Standard
Europe	eu-west-1	Premium AI
US East	us-east-1	Premium AI
India	ap-south-1	Standard
Singapore	ap-southeast-1	Premium AI
Africa	af-south-1	Core

Cross-region AI option — audio-only routing, customer-configurable.
Strict residency mode — AI disabled, no cross-region transfer.

Operations, monitoring & incident response

CloudTrail enabled across all accounts.
CloudWatch dashboards per tenant plus aggregated.
24×7 alerting via PagerDuty / OpsGenie.
Incident response runbook — Detection → Triage → Customer notification → Containment → Post-mortem.
Customer notification SLA — under 72 hours for security incidents.
Penetration testing — annual third-party.
Vulnerability management — continuous scanning, monthly patching cycle.

Appendix

Sub-processors list — available on request.
Security inquiries: security@human-logic.com

Have a security question?

Our security team responds to all inquiries. Reach us at security@human-logic.com.