Userplay is launching soonGet Started
Userplay
Discord0.8kGet Started
Browse security docs Toggle navigation

// Security · Access

Recording Access

Last updated May 31, 2026

Where Recordings Live#

Video and audio are stored at Mux in the United States. Userplay’s database on Render holds the Mux asset reference, recording metadata, transcripts (when AI processing is enabled), AI analysis output, and optional Chrome extension telemetry.

All storage is encrypted at rest (AES-256) and all transfer is over TLS.

Who Can Access a Recording#

Access to a recording requires passing two independent checks:

  1. Workspace membership — the requester must be an authenticated member of the workspace that owns the recording.
  2. Workspace role — the member’s role must include recording access. Workspace owners can restrict access within the workspace to specific roles or specific members per playtest.

Testers, the public, and external recipients of shared links see only what the studio explicitly grants them, bounded by a signed, short-lived URL.

Playback URLs#

Recordings are served via signed URLs generated on demand by the Userplay backend. These URLs:

  • Expire on a short TTL and cannot be shared past their expiry.
  • Cannot be used to enumerate other recordings in the workspace.
  • Are generated only for authenticated members with the appropriate role.

External Sharing#

Studio owners may generate a shareable link for a specific recording. The recipient does not need a Userplay account. Sharing can be disabled at the workspace level for organizations that need to prevent it entirely. Shared links can be revoked at any time; revocation invalidates the link immediately.

Userplay Personnel Access#

Userplay employees do not have standing access to customer recordings. The narrow exceptions are:

  1. Customer-authorized support — a workspace Owner explicitly grants temporary access to a named Userplay employee to investigate a specific issue. The access is time-bounded, scoped to the named recording or playtest, and recorded in the system.
  2. Incident investigation — during a confirmed security incident, Userplay may access recordings strictly limited to the scope of the investigation. All such access is logged and reported to affected customers per the Incident Response policy.

No Userplay employee has a standing entitlement to read arbitrary customer recordings.

Deletion#

When a recording is deleted by a studio:

  1. It is soft-deleted immediately — removed from the UI and no longer playable.
  2. The underlying Mux asset is hard-deleted within 30 days.
  3. Transcripts, AI analysis, and associated telemetry are deleted in lockstep.

Manual deletion is available to Owners and Admins at any time, per recording or in bulk. See Data Handling for workspace-level retention and deletion policies.

Deletion is not reversible.