User icon
Application Security & Protocols in Digital Signage

Application Security & Protocols

Security for Digital Signage is an aspect most don’t ever think about, but everybody should be thinking about it.

In Play Digital Signage, we take the security of your data very seriously. This page gives a brief summary of the security procedures at Play Digital Signage.

Your passwords are stored in our database and encrypted using top of-the-line Argon2 password hashing algorithm. This way, your passwords are not known to our staff and will not be compromised in the unlikely event of a data breach. Your login sessions are facilitated using Secure HTTPS-only cookies to eliminate the risk of eavesdroppers stealing them by intercepting your connections.

When you register (or change your password), we will go the extra mile to check your password against a public database of leaked passwords to ensure that you’re not using an insecure password. Your password does not leave our servers during the check, we use K-anonymity protocol to check the password at a trusted service HaveIBeenPwned.

Your web chat is managed by, yet another security-conscious company, you can find their practices described in detail.


  • All the communications between your device and browser are protected using SSL and DNSSEC.
  • We backup your data multiple times a day.
  • We use CloudFlare to detect and mitigate hacker attacks.
  • We support Two-Factor Authentication.
  • All the communication between our servers is encrypted and done over private networks.
  • Our web portal uses CSP rules to prevent XSS attacks.
  • Our API allows only CORS requests from our domain websites.

Read more:

All connections to our servers are HTTPS, which means that the traffic is encrypted, which includes web-socket connections. We have disabled SSLv3 and use TLS exclusively.

The Internet traffic is routed through the Cloudflare network, which protects our servers against Denial Of Service (DoS) and brute force attacks.

Read more:

Your files are hosted on Digital Ocean Spaces service, either in Frankfurt or San Francisco data-center depending on your location. While we can not make the files private, because the players need to be able to download the files from the Internet, we generate a unique id for each file, so the URL is virtually impossible to guess. For example, this is the URL of an uploaded file:

An attacker has a better chance of guessing your password! (so make sure it’s secure)

Your uploaded files are also backed up at Amazon S3 (either EU-central-1 or us-west-1 region, depending on your location) as a fail-over in case there is a disruption to the Digital Ocean Spaces service.

For files that require conversion (any video file except for .mp4 and OSX office formats .key.numbers, and .pages), we use a conversion service CloudConvert. They outline the file handling in their privacy policy:

In the course of providing the service your files are transferred to and temporary stored on servers of CloudConvert. We do not read, look into or mine any data from your files or its metadata. We do not make any copies of it. All file processing is done by machine and there is no human interaction with your files. Your files are deleted immediately and irreversible from our servers when you click the “×” icon (on the right beside the Download button). This will happen automatically at the latest after 24 hours.

If your files can not be stored on the public web due to company policy or any other reason, it’s also possible to reference files from a private file server, read more on private files.

When a player is linked to a user account, the server generates a unique secret token that is sent to the player once. Every subsequent request made by the player to our servers requires the token to be present in order to prevent malicious attackers from impersonating the player. The weakest link is the physical player security, so make sure it’s out of sight and if possible, then out of reach!

Read more:

We use Stripe as our payment gateway and they take care of storing your information securely. Stripe is a PCI Data Security Standard-certified company. When you link a credit card with your account, your credit card numbers are sent to Stripe servers directly from your browser, our system does not store or process your credit card information.

Read more:

In case the player is behind a corporate firewall, you need to white-list the following domains (port 443) on https:// protocol and wss:// protocol:

  • We recommend whitelisting all subdomains of * to be future-proof. If wildcard white-listing is not possible, then the player may also use the following sub-domains:
    • (WebSocket connection wss:// protocol)
    • OR (WebSocket connection wss:// protocol)
    • OR (API connection)
    • (only for Windows / OSX / Linux players to auto-update)
    • OR (File storage)
    • (Quote plugin is using this endpoint to fetch quotes)
    • (Today In History plugin is using this endpoint to fetch data)
    • (Facebook, Instagram, and RSS reader plugins)
    • (Weather, Facebook, and Instagram plugins use this domain)
    • (Location of proxy used to fetch insecure non-HTTPS web resources)
    • (Optional, for us to receive player logs and help us debug issues)
    •  OR (Optional, if you want to use analytics functionality)
  • Some plugins communicate with external systems:
    • (When using images from the Unsplash integration plugin)
    • (When using videos from the Pixabay integration plugin)
    •,,, (When using GIFs from Giphy integration plugin)

I don’t remember if I created a login using a social account.

If you created your account using your Facebook account you should keep on using this, but in case you’ve forgotten and you create a new login using for example username and password we link both logins to the same account. This way it does not matter if you log in using Facebook or a username and password, cause it’s one and the same account you’re accessing.

If you can’t log in please use the “Forgot password”. If you have questions contact us via our Live Chat or at [email protected]

How do you know that my password is compromised?

Upon every successful login, we use k-anonymity protocol to securely check your password against an online database of compromised passwords – Pwned Passwords. Our system will notify you if your password has been a part of one or more data breaches in the past and ask you to change it to keep your account secure.

IMPORTANT: all the passwords in our database are encrypted (hashed) using a top-of-the-line Argon2 algorithm and nobody but you knows what your actual password is.

How to report security vulnerabilities that I find in your software?

If you believe you found a security vulnerability in our software or would like to conduct penetration testing, please read our Vulnerability Disclosure Program to find out how to report it to our team.

Where do you have server hubs?

We use Digital Ocean for our application servers and AWS for file storage. The European servers are located in Amsterdam and Frankfurt whereas the US servers are located in San Francisco. If the first user on the team signs up from a US-based IP address, then that team’s data is gonna be stored exclusively on US servers.

We need to whitelist your domains, what domains should we focus on?

There are a few domains working together when accessing Play Digital Signage. To name a few:

  • for authentication
  • for accessing the dashboard
  • and for backend API
  • for previewing content
  • for downloading/updating our application

The optimal solution is to whitelist all *

Capterra at Play Digital SignageGetAPP at Play Digital Signagesoftware-advice at Play Digital Signage

Get started designing your content

Most people think designing content for digital signage is super difficult, but if you can use Powerpoint, you can also create and design your own content in our editor.

Play Digital Signage, Inc., 2035 Sunset Lake Road, Newark, DE, 19702, USA
We use cookies to ensure that we give you the best experience on our website.Learn more about Privacy Policies