Trust
Enterprise-Grade Security Built In, Not Bolted On
Streaming infrastructure touches premium content, regulated data subjects, and board-level risk registers. NexCache is designed for auditors: provable encryption, hardware-backed keys, and deployment models that keep sovereignty where your legal team expects it.
Content protection
DRM-compliant design
Studios and sports leagues do not negotiate on output controls. NexCache accelerates delivery without becoming a new trust anchor in the DRM graph — reducing both legal review cycles and technical attack surface.
NexCache participates in the same trust model your licensors approved. We do not MITM player sessions, re-encrypt to alternate keys, or store exploitable cleartext snapshots for operational convenience.
TPM-secured keys
Data-at-rest keys are generated and sealed inside hardware roots of trust. Snapshots, backups, and RMA workflows include explicit key rotation paths so retired drives never leak long-lived secrets.
TPM-secured keys end-to-end
Every edge node boots through measured launch, extending trust into the segment store. Keys unwrap only inside attested enclaves; tampered firmware refuses to authorize cache writes. For enterprises already standardizing on TPM 2.0, NexCache drops into existing key ceremony practices instead of inventing parallel PKIs.
Optional HSM federation allows centralized escrow for multi-site fleets while preserving offline playback when WAN policy demands it.
Attest
Platform quotes bind disk encryption keys to the firmware hash.
Seal
Segment indices and housekeeping metadata encrypted with TPM-bound AES keys.
Prove
Exportable audit records for SOC 2 CC6 without exposing content paths.
Telemetry ethics
No packet inspection for Insights
Understanding OTT cost should not require turning your network into a surveillance apparatus. NexCache Insights derives savings opportunities from flow statistics and classification — not from deep packet inspection of encrypted bodies.
If a metric would require breaking TLS or DRM to compute, we do not ship it. Period.
Executive dashboards instead show confidence-banded savings, cacheable share of traffic, and trend lines suitable for finance review.
Governance
Customer-controlled deployment
Regulated industries need contracts that match reality. NexCache runs on your metal, under your change windows, with RBAC mapped to your IdP. Remote support access is break-glass, logged, and revocable.
Tenancy on your terms
Dedicated clusters per business unit, country, or clearance level — no noisy-neighbor multi-tenant surprises.
Identity integration
OIDC/SAML for admin consoles; service accounts for automation; hardware tokens where policy mandates step-up.
Evidence packs
Pre-filled control mappings, data flow diagrams, and subprocessor lists streamline vendor risk questionnaires.
Privacy-conscious architecture
NexCache minimizes identifiers in telemetry. Where analytics are enabled, events aggregate across time windows large enough to resist re-identification. IP addresses can be truncated at ingest; user-agent strings hashed with rotating salts.
DPI-class feeds are antithetical to our product philosophy — we compete on cryptographic discipline and statistical inference, not on voyeuristic precision.
Enterprise readiness
NexCache aligns to ISO 27001, SOC 2 Type II, and GDPR processing expectations for typical enterprise streaming deployments. We provide DPIAs, subprocessor registers, and incident response playbooks coordinated with your CERT.
- Contractual data residency and support geography clauses available.
- Penetration test summaries under NDA for procurement deep dives.
Remaining pillars
How we extend your security program
The other half of the security story: operational integrity without heroics.
No packet inspection for Insights
Bandwidth intelligence does not require payload dissection. NexCache classifies flows using principled metadata — never building a shadow library of customer viewing habits from decrypted bodies.
Customer-controlled deployment
You choose regions, uplinks, and administrative roles. Policy enforcement remains on-box with optional aggregation that strips identifiers before anything touches a NexCache-operated service.