Architecture

These pages describe how data moves through Userplay. Each one follows a single data path end to end.

The following properties apply across every flow and are not repeated on each page:

• Hosting region — all Userplay production data is in the United States. Vercel and Render host the application; Mux stores video; Cloudflare fronts traffic globally for delivery only.
• Transport security — all traffic between clients and Userplay (web app, recorder, Chrome extension, API) runs over TLS 1.2 or higher.
• Storage encryption — all data at rest is encrypted using AES-256 or equivalent at the storage layer across Render, Mux, and Cloudflare where used.
• Authentication — every Userplay API call that touches workspace data is authenticated and authorized against the calling principal’s workspace role.
• Tenant isolation — workspace-scoped queries are enforced in the application layer. Data from one workspace is never returned to a principal who does not belong to it.
• No live capture from the extension — the optional Chrome extension operates only after gameplay ends. Nothing is read or transmitted during active play.

For security questions during a review, contact security@userplay.io.