Netflix Minimum Content Security Recommendations

These are our minimum recommendations for a basic security program. Your organization likely needs a more comprehensive program that includes the items below along with other controls to fully address reasonable risks to your specific organization.

Administrative Security

  • Details of where the facility is located, the size and type of building and the local area.
  • Maintain and provide a list of active clients.
  • All employees (full time, contractors and freelance workers) have signed an NDA.
  • A list of how many employees and contractors are engaged by the vendor, indicating how many will handle Netflix content.
  • Documented policies or guidance around employee responsibilities, secure content handling, personal device usage, social media, business resiliency, breach notification/incident response, etc.
  • Contact details of the person responsible for content security at the vendor.
  • Details of any ongoing security vulnerability management program.
  • Copies of previous audits (MPAA, CDSA, or any content creators/studios, etc.), including the date of evaluation and a copy of the report.
  • Copies of reports from penetration tests carried out at the facility (including who performed the tests).

Physical Security

  • Secure all external entry and exit points to your facility.
  • All visitors must be logged, identified, and escorted while in the facility.
  • CCTV is installed covering all entrances and exits plus secure areas (e.g., server room), and the footage is usable and stored for a minimum of 60 days or the period provided by local law.
  • Electronic access control is installed in sensitive areas. Provide details of the number of employees with access and confirm that the logs are stored for 12 months.
  • A facility alarm is installed, and unique codes are used for each code holder.
  • A secure storage area is available for any designated sensitive physical material.

Information Security

  • Provide details of the network configuration and the number of systems and users that can access pre-release material. Provide diagrams as supporting evidence.
  • Conduct vulnerability scans and address any identified vulnerabilities regularly.
  • Host-based firewalls are enabled, and stateful inspection firewalls are used on the network.
  • Wireless networks that have access to the content-handling network must use strong encryption and authentication.
  • Every computer user has their own unique account with strong passphrases and multi-factor authentication, where possible.
  • Systems should run one of the last two available versions of the commercial operating system and should be configured to auto-update for security patches. Further, verify quarterly that security patches are being applied.
  • A screen saver is set up to appear after 15 minutes and requires re-authentication to unlock.
  • Multifactor authentication is used on all systems that handle content.
  • External hard drives, thumb drives and laptops have full disk encryption.
  • Remote access to content-handling networks is restricted and tightly controlled. To the extent that remote access is allowed, it must be done over an encrypted VPN and use multi-factor authentication.
  • Restrict internet access on workstations or servers (systems) holding Netflix content.
  • Mass media read/write access is restricted on all ports of systems with access to pre-release materials.
  • Only use Netflix-approved methods of encrypted storage for physically storing and transmitting content.
  • Any transfers of Netflix content may only occur over approved encrypted file transfer platforms, such as Aspera. Netflix must approve any other methods of file transfer.
  • No files are to be shared or stored on cloud-based or open/public networks or platforms without prior approval.
  • Securely delete content upon project/task completion or at the request of Netflix.

What to do in the event of an incident?

  • Notify Netflix’s vendor security team at vendorsecurity@netflix.com immediately on discovery of any breach of security, suspected content theft or other security incident which might impact Netflix’s content.
  • Permit Netflix, or its designated third party, to audit on receipt of reasonable written notice or in the event of an incident.

If you seek additional guidance, please contact scs@netflix.com or refer to the TPN Best Practices.
