Identity and Access Model
MCSP implements RBAC across four principal types, each with a distinct permission scope and trust level.
| Role | Scope | Key Permissions |
|---|---|---|
| Viewer | Own account only | Stream content, manage own playlists/history, submit reports, manage own subscription |
| Creator | Own channel and content | Upload/manage/delete own content, view analytics and revenue, manage payout settings, appeal moderation decisions |
| Organisation Admin | Organisation tenancy | Manage org members, set org-wide residency policy, view org analytics, manage org subscription |
| Platform Admin | Full platform | Manage all users and content, access moderation dashboard, manage ad campaigns, modify subscription plans, view audit logs, approve/revoke residency |
Data Encryption
| Data State | Approach |
|---|---|
| In Transit (client-to-edge) | TLS 1.3 mandatory. HSTS preload. Certificate pinning on iOS and Android apps. |
| In Transit (internal) | mTLS between all microservices via Istio. Kafka traffic encrypted with TLS. All database connections require TLS. |
| At Rest (object storage) | AES-256 server-side encryption. Media content uses envelope encryption: content key encrypted with a master key in KMS/HSM. |
| At Rest (databases) | Postgres transparent data encryption (TDE) at storage layer. PII fields (payment tokens, email) additionally encrypted at the application layer with HSM-managed keys. |
| DRM Media Keys | Never stored in plaintext. Accessible exclusively via authenticated KMS API. The DRM License Server does not cache key material beyond a single license issuance. |
Key Management Hierarchy
MCSP uses a three-tier key hierarchy backed by hardware security modules:
Hardware Root of Trust
HSM (AWS CloudHSM or equivalent) holds master key material. Root keys rotate annually with ceremony.
Key Encryption Keys (KEKs)
Managed in KMS. Used to wrap and unwrap Data Encryption Keys. Rotated quarterly. Never leave the KMS boundary in plaintext.
Anti-Piracy and Abuse Mitigation
| Threat | Mitigation |
|---|---|
| DDoS | WAF + volumetric DDoS absorption at edge. CDN absorbs L3/L4 attacks. API Gateway rate limiting mitigates L7 application-layer DDoS. |
| Credential stuffing | Rate limiting on /login. CAPTCHA after 3 failed attempts. Breached password detection via HaveIBeenPwned API at registration. Anomalous login geography triggers a 2FA challenge. |
| Content scraping | Tokenised, time-limited CDN URLs (HMAC-signed, 1-hour TTL). Manifest URLs are user-session-bound. Server-side rendering prevents API key exposure in client bundles. |
| Screen recording | Widevine L1 and FairPlay enforce hardware-backed output restrictions on supported devices. Browser EME API prevents direct access to decrypted media bytes. |
| Copyright infringement upload | AI fingerprint scanner (perceptual hash + audio fingerprint) runs at upload time. Matching content is blocked pre-transcoding. |
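As an added illustration of the tokenised, session-bound CDN URL scheme described in the content-scraping row (example code, not MCSP's own implementation): an HMAC-SHA256 signer and verifier that bind the object path, a one-hour expiry and the viewer's session id into the signature, so a leaked URL fails for another session and an edited expiry fails verification. The signing key, paths and session ids below are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key; a production deployment would hold this in KMS and rotate it.
SIGNING_KEY = b"constructed-demo-key-do-not-use"
DEFAULT_TTL = 3600  # 1-hour TTL, as in the mitigation table


def _canonical(path: str, expires: int, session_id: str) -> bytes:
    # Everything the edge must enforce goes into the signed string:
    # the exact object path, the absolute expiry, and the viewer's session.
    return f"{path}\n{expires}\n{session_id}".encode()


def sign_cdn_url(path: str, session_id: str, now: int,
                 ttl: int = DEFAULT_TTL, key: bytes = SIGNING_KEY) -> str:
    """Return path?exp=<unix time>&sig=<hex HMAC> for one viewer session."""
    expires = now + ttl
    mac = hmac.new(key, _canonical(path, expires, session_id), hashlib.sha256).hexdigest()
    return f"{path}?{urlencode({'exp': expires, 'sig': mac})}"


def verify_cdn_url(url: str, session_id: str, now: int, key: bytes = SIGNING_KEY) -> bool:
    """Edge-side check: params present, not expired, signature matches this session."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    try:
        expires = int(qs["exp"][0])
        sig = qs["sig"][0]
    except (KeyError, ValueError):
        return False  # missing or malformed token
    if now >= expires:
        return False  # TTL elapsed
    expected = hmac.new(key, _canonical(parts.path, expires, session_id),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak matching prefixes.
    return hmac.compare_digest(expected, sig)
```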
Compliance Posture
| Framework | MCSP Approach |
|---|---|
| SOC 2 Type II | Immutable audit logs, RBAC access controls, encryption at rest and in transit, incident response plan, change management via CI/CD approval gates |
| GDPR | Data minimisation at collection, right-to-erasure via cascading account deletion, data portability export, DPA with all sub-processors, EU data stays in EU region |
| NDPR (Nigeria) | Nigeria Data Residency provides verifiable data sovereignty for Nigerian users. Data processing agreements with local entity. Consent flows comply with NDPR requirements. |
| PCI DSS | No card data stored on MCSP infrastructure. Tokenisation via Paystack/Stripe. SAQ-A scope. All payment forms hosted by payment processor. |