
PLAYipp Hosting Architecture

Overview

The PLAYipp digital signage platform operates on enterprise-grade infrastructure designed to meet the stringent security, availability, and data sovereignty requirements of Nordic public sector organizations and EU-based private enterprises. With over a decade of experience in developing digital signage solutions, PLAYipp has constructed a hosting architecture that prioritizes operational resilience, data protection, and regulatory compliance while maintaining optimal performance for mission-critical communication systems.

Datacenter Infrastructure

Primary Datacenter and Certification

Our primary infrastructure is strategically located in Stockholm, Sweden, hosted by our ISO 27001 certified partner Glesys AB. This Swedish location ensures full compliance with Nordic and European data protection regulations, including GDPR requirements, providing the data sovereignty assurances necessary for public sector and regulated private sector deployments.

Our infrastructure deployment encompasses:

  • Dedicated VMware vCloud Environment - Dedicated resources in a shared hosting environment, alleviating shared hosting concerns. Underlying storage is fully encrypted at rest, and disks are destroyed on site at the hosting facilities.

  • Dedicated Physical Servers - Some components are hosted on dedicated hardware for predictable performance and large storage capabilities.

  • S3-Compatible Object Storage - Scalable storage with built-in redundancy for media assets and configuration data. Storage is fully encrypted at rest and disks are destroyed on site at the hosting facilities.

Geographic Redundancy and Backup Infrastructure

Our backup infrastructure operates in a separate datacenter in Falkenberg, Sweden, providing critical geographic separation from the primary Stockholm facility. Key backup characteristics include:

  • Automated Backup Operations - Executed every hour, providing a maximum 60-minute data loss window

  • LUKS Full Disk Encryption - All backup data encrypted at rest for comprehensive security

  • SSL-Encrypted Transfer - Data protected during transmission between datacenters

  • Secure Architecture - Backup servers initiate transfers and never execute code from production systems

  • Dedicated Backup Servers - Purpose-built infrastructure with no other functions

PLAYipp is actively evaluating secondary datacenter locations to enhance geographic redundancy while maintaining data sovereignty within appropriate jurisdictions.

Network Security Architecture

Perimeter Protection

All network traffic traverses redundant external firewall infrastructure before reaching internal systems. Our firewalls implement:

  • Primary/Replica Configuration - Automatic failover using CARP (Common Address Redundancy Protocol)

  • State Replication - Connections remain uninterrupted during failover events

  • Comprehensive Security Policy Enforcement - Protection against unauthorized access and network-level threats

  • Automatic IP Banning - Suspicious traffic is immediately banned

Communication Security

All communication between PLAYipp services and client systems occurs exclusively over HTTPS connections, ensuring that configuration data, authentication credentials, and content remain protected during transmission. The majority of client traffic routes through our load balancing proxy infrastructure for intelligent traffic distribution and security inspection.

Network Requirements

Media player devices require outbound connectivity only on specific TCP ports:

  • Port 80 (HTTP) - For non-encrypted web content and system time synchronization

  • Port 443 (HTTPS) - Primary encrypted channel for content, configuration, and status reporting

All connectivity is strictly outbound to subnet 192.165.76.0/23, eliminating the need for inbound firewall rules at customer locations and significantly simplifying network security management.
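
A customer-side check of the requirement above, as an added example that is not PLAYipp's own code: it audits firewall flow records for media player traffic that falls outside the documented policy (outbound TCP 80/443 to 192.165.76.0/23). The player VLAN `10.20.30.0/24`, the record format and the sample flows are constructed assumptions.

```python
import ipaddress

# Documented in the article: outbound-only TCP 80/443 to this subnet.
PLAYIPP_NET = ipaddress.ip_network("192.165.76.0/23")
ALLOWED_PORTS = {80, 443}

# Assumption: players sit in this customer VLAN (constructed example range).
PLAYER_NET = ipaddress.ip_network("10.20.30.0/24")

# Constructed flow records: direction, protocol, source, destination, dest port.
SAMPLE_FLOWS = """\
out tcp 10.20.30.11 192.165.76.10 443
out tcp 10.20.30.11 192.165.77.200 80
out tcp 10.20.30.12 192.165.78.1 443
out udp 10.20.30.12 192.165.76.10 443
out tcp 10.20.30.13 192.165.76.10 8080
in tcp 192.165.76.10 10.20.30.11 443
out tcp 10.99.0.5 203.0.113.7 443
"""

def check_flow(line):
    """Return None if the flow matches the documented policy, else a reason."""
    direction, proto, src, dst, dport = line.split()
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    player_is_src = src_ip in PLAYER_NET
    player_is_dst = dst_ip in PLAYER_NET
    if not (player_is_src or player_is_dst):
        return None  # not player traffic, out of scope for this audit
    if direction != "out" or not player_is_src:
        return "inbound connection to player"
    if proto != "tcp":
        return "non-TCP protocol"
    if dst_ip not in PLAYIPP_NET:
        return "destination outside 192.165.76.0/23"
    if int(dport) not in ALLOWED_PORTS:
        return "port not 80/443"
    return None

def audit(flows):
    """Return (line, reason) for every player flow that violates the policy."""
    findings = []
    for line in flows.strip().splitlines():
        reason = check_flow(line)
        if reason:
            findings.append((line, reason))
    return findings

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_FLOWS):
        print(f"{reason}: {line}")
```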

Application Layer Architecture

Load Balancing and High Availability

PLAYipp operates paired load balancing proxy servers in primary/failover configuration, continuously monitoring backend server health and automatically routing traffic away from failed or degraded servers. Our infrastructure follows key principles:

  • Stateless Server Design - Enables straightforward horizontal scaling and simplified failover

  • 50% Capacity Resilience - System maintains full operational capability with 50% capacity loss

  • Automatic Failover - Self-healing capability without manual intervention

  • Regular Failover Testing - Validated during system update cycles

Database Architecture

Our hybrid database approach utilizes both SQL and NoSQL technologies with stringent access control:

  • Role-Based Access Control - Each service receives only required permissions

  • Unique Server Credentials - IP-address restricted, enabling secure server decommissioning

  • Single-Primary, Multiple-Replica Topology - Optimized for split-brain resilience

  • Distributed Read Operations - Load balanced across replica servers for maximum throughput

Multi-Tenant Security

Data Isolation Architecture

As a multi-tenant SaaS platform, tenant data isolation is paramount. Our approach includes:

  • Mandatory Code Review - All changes undergo manual review before production deployment

  • Security-Focused Review Process - Emphasis on tenant separation, SQL injection prevention, XSS prevention, and other OWASP Top 10 considerations

  • Redundant Tenant Identification - All database tables with customer data include redundant tenant identifier fields

  • Defense in Depth - Multiple layers of protection against cross-tenant data exposure
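
One way a redundant tenant identifier can back up application-level checks, as an added example that is not PLAYipp's schema or code: the child table carries its own `tenant_id`, and a composite foreign key makes the database reject a row that points at another tenant's parent. Table names, column names and sample rows are hypothetical, and SQLite stands in for the unnamed SQL database.

```python
import sqlite3

# Hypothetical schema: table and column names are illustrative assumptions.
SCHEMA = """
CREATE TABLE tenant (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE screen (
    id        INTEGER PRIMARY KEY,
    tenant_id INTEGER NOT NULL REFERENCES tenant(id),
    name      TEXT NOT NULL,
    UNIQUE (tenant_id, id)           -- target for the composite foreign key
);
CREATE TABLE playlist_item (
    id        INTEGER PRIMARY KEY,
    tenant_id INTEGER NOT NULL,      -- redundant: also derivable via screen
    screen_id INTEGER NOT NULL,
    media_url TEXT NOT NULL,
    FOREIGN KEY (tenant_id, screen_id) REFERENCES screen (tenant_id, id)
);
"""

def build_db():
    """Create an in-memory database with two tenants (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when enabled
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO tenant VALUES (?, ?)",
                   [(1, "municipality-a"), (2, "company-b")])
    db.executemany("INSERT INTO screen VALUES (?, ?, ?)",
                   [(10, 1, "lobby"), (20, 2, "canteen")])
    db.execute("INSERT INTO playlist_item VALUES "
               "(100, 1, 10, 'https://example.invalid/a.mp4')")
    db.commit()
    return db

def try_cross_tenant_insert(db):
    """Tenant 2 tries to attach an item to tenant 1's screen; True if blocked."""
    try:
        db.execute("INSERT INTO playlist_item VALUES "
                   "(101, 2, 10, 'https://example.invalid/x.mp4')")
    except sqlite3.IntegrityError:
        return True
    return False

def items_for_tenant(db, tenant_id):
    """Scope the query on the table's own tenant_id; no join is needed."""
    rows = db.execute("SELECT id FROM playlist_item "
                      "WHERE tenant_id = ? ORDER BY id", (tenant_id,))
    return [r[0] for r in rows]
```

Because every customer-data table has the column, a reviewer can check each query for a `tenant_id` predicate without tracing joins back to a parent table.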

Annual Penetration Testing

PLAYipp engages independent third-party security firms (currently Secify AB) for comprehensive annual penetration testing utilizing:

  • Gray Box Testing - Simulating sophisticated attackers with limited insider knowledge

  • Automated Security Scanning - Comprehensive vulnerability identification

  • OWASP Top 10 Framework - Targeting critical web application security risks

Operational Security

Environment Separation

Production and development environments maintain architectural separation with staged release management. Changes progress through multiple staging environments before reaching production, enabling issue identification in increasingly realistic conditions.

Identity and Access Management

Centralized identity management controls:

  • SSH Access - Command-line administrative access

  • Sudo Privilege Management - Granular control over privileged commands

  • VPN Connectivity - Secure remote access

Comprehensive Logging - All authentication activities and sudo commands are logged centrally with daily security team review during business days.

Infrastructure Automation

PLAYipp utilizes Red Hat Ansible for automated operations with approximately 90% of procedures fully automated. Our infrastructure policy mandates that no new systems may be deployed without corresponding automation, ensuring operational consistency and rapid disaster recovery.

Media Player Security

Hardened Architecture

PLAYipp's PLAYport media players operate on hardened Android-based firmware stripped of unnecessary network services, reducing the attack surface available to potential attackers.

Pull-Based Communication Model

Media players implement a security-conscious "pull" architecture, initiating all communication with PLAYipp cloud services. This provides:

  • No Inbound Firewall Rules Required - Customer networks need not allow inbound connections

  • Reduced Attack Surface - No exposed network services

  • Network Resilience - Devices continue displaying cached content during connectivity interruptions

Centralized Update Management

PLAYipp centrally manages all media player software updates, ensuring devices consistently run the latest stable firmware releases. This eliminates operational burden while ensuring security patches are consistently deployed across all devices.

 


 

Summary

PLAYipp's hosting architecture reflects our commitment to operational excellence, security best practices, and the specific requirements of Nordic public sector organizations and regulated private sector enterprises. Our infrastructure continues to evolve through ongoing investment in security capabilities, redundancy improvements, and operational automation, ensuring the platform remains well-positioned to serve mission-critical communication needs.

 
