Security
How we protect your data and infrastructure
Security is fundamental to how Support King operates. Our Studio Diagnostics application and support infrastructure are built with defence-in-depth principles, ensuring your data is protected at every layer — from the application on your Mac to our cloud infrastructure.
1. Application Security
- Apple Notarisation: Studio Diagnostics is notarised by Apple, confirming it is free from known malware and has been reviewed by Apple's automated security checks.
- Code Signing: The application is signed with a verified Apple Developer certificate.
- Hardened Runtime: The application runs with Apple's Hardened Runtime enabled, preventing code injection, dylib hijacking, and unsigned memory access.
- macOS Keychain: Licence keys and authentication credentials are stored securely in the macOS Keychain — never in plain text or configuration files.
- Sparkle Signed Updates: All application updates are cryptographically signed with EdDSA (Ed25519) and verified before installation. Tampered updates are rejected automatically.
- Licence Key Validation: The application validates its licence key against our server on every launch. Revoked or suspended licences are locked immediately, with no local override possible.
- Minimal Permissions: The application requests only the permissions necessary for system diagnostics. It does not access personal files, project files, or session data.
2. Data in Transit
- TLS 1.3: All data transmitted between Studio Diagnostics and our infrastructure is encrypted using TLS 1.3.
- Cloudflare Edge TLS: API endpoints terminate TLS at Cloudflare's edge network, ensuring encryption up to the point of processing.
- API Key Authentication: Every request requires a valid X-API-Key header. Unauthenticated requests are rejected with HTTP 401.
- Licence Validation: Report submissions include a licence key that is validated server-side, including machine count limits.
3. Data at Rest
- Encrypted Storage: All diagnostic data is encrypted at rest on our infrastructure.
- EU Data Residency: Data is processed and stored within the European Union.
- Private Storage: Diagnostic reports are stored in a private Cloudflare R2 bucket with no public access. Reports cannot be accessed via URL — only through authenticated API endpoints.
- Credential Storage: On client machines, all credentials (licence key, API key) are stored in the macOS Keychain using kSecClassGenericPassword with AES-256-GCM encryption.
- Access Controls: Data access is restricted to authorised Support King engineers assigned to your account.
4. Infrastructure
Our backend services are hosted on Cloudflare's global network, benefiting from enterprise-grade security controls:
- SOC 2 Type II certified
- ISO 27001 certified
- PCI DSS Level 1 certified
- DDoS protection at the network edge
- Web Application Firewall (WAF) protecting API endpoints
- Rate Limiting: Cloudflare WAF rate limiting rules protect the API: 10 requests/minute on the report submission endpoint, 120 requests/minute on general API endpoints. Violations result in a 1-minute block.
- Zero Trust Dashboard: The engineer web dashboard is protected by Cloudflare Access (Zero Trust) with email-based authentication. Only authorised email domains can access the dashboard.
- Automated Monitoring: Daily automated checks detect machines that have stopped reporting ("gone dark" alerts) and notify engineers.
5. GDPR Compliance
Support King is fully committed to compliance with the UK General Data Protection Regulation (UK GDPR):
- Data Controller: KingWalker Ltd is the data controller for all personal data collected through Studio Diagnostics.
- Lawful Basis: We process data under Contract (Article 6(1)(b)), Consent (Article 6(1)(a)), and Legitimate Interest (Article 6(1)(f)).
- We collect only system configuration data — never personal files or content
- Data collection requires explicit consent via the application's first-run prompt
- Data Retention: Data is retained for the duration of your support contract, plus 90 days post-termination. After this period, data is permanently deleted unless you request otherwise.
- Right to Erasure: Deletion requests are confirmed in writing within 30 days.
- Clients may request access, correction, or deletion of their data at any time
- Our data processors (Cloudflare, Resend, Slack) maintain their own GDPR compliance and appropriate certifications
For full details, see our Privacy Policy.
6. Security Compliance Scanning
Studio Diagnostics includes an optional security compliance scanner that assesses your machine's security posture against industry best practices, including TPN (Trusted Partner Network) requirements for studios handling pre-release content.
The scanner checks:
- FileVault disk encryption status
- macOS firewall and stealth mode
- System Integrity Protection (SIP)
- Gatekeeper status
- Screen lock and auto-lock configuration
- Antivirus / endpoint protection presence (CrowdStrike, SentinelOne, Sophos, Microsoft Defender, and others)
- AirDrop discoverability settings
- Sharing services (File Sharing, Screen Sharing, Remote Login)
- Remote access tools (TeamViewer, AnyDesk, etc.)
- iCloud Desktop & Documents sync
- Automatic software update configuration
All checks are read-only — the scanner does not modify any settings on your machine. Security scanning is disabled by default and must be explicitly enabled in the application's Preferences.
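A manual cross-check of four of the settings listed above, as an added example that is not Support King's scanner code: it classifies the output of macOS's own read-only status commands. The PASS/WARN/FAIL policy, including treating a customised SIP configuration as a failure, is an assumption of this example.

```sh
#!/bin/sh
# Added example (not Support King's scanner): read-only macOS posture checks.
# Every command below only reports state; none changes a setting.

# classify CHECK OUTPUT -> prints PASS, WARN, FAIL or UNKNOWN.
# The first matching pattern wins, so the edge cases are listed first.
classify() {
    case "$1:$2" in
        filevault:*"in progress"*)           echo WARN ;;  # conversion still running
        filevault:*"FileVault is On"*)       echo PASS ;;
        filevault:*"FileVault is Off"*)      echo FAIL ;;
        sip:*"Custom Configuration"*)        echo FAIL ;;  # assumed policy: partial SIP fails
        sip:*"status: enabled"*)             echo PASS ;;
        sip:*"status: disabled"*)            echo FAIL ;;
        gatekeeper:*"assessments enabled"*)  echo PASS ;;
        gatekeeper:*"assessments disabled"*) echo FAIL ;;
        firewall:*"Firewall is enabled"*)    echo PASS ;;
        firewall:*"Firewall is disabled"*)   echo FAIL ;;
        *)                                   echo UNKNOWN ;;  # missing tool or unexpected text
    esac
}

# run_check NAME COMMAND [ARGS...]: run one status command and print its verdict.
run_check() {
    name=$1; shift
    out=$("$@" 2>&1) || true   # some tools exit non-zero when the feature is off
    printf '%-11s %s\n' "$name" "$(classify "$name" "$out")"
}

scan() {
    run_check filevault  fdesetup status
    run_check sip        csrutil status
    run_check gatekeeper spctl --status
    run_check firewall   /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
}

# Only query the system on macOS; elsewhere the functions are just defined.
if [ "$(uname -s)" = "Darwin" ]; then
    scan
fi
```

An UNKNOWN result means the tool was missing or its wording was not recognised, and should be treated as unverified rather than as a pass.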
7. Incident Response
In the unlikely event of a security incident affecting client data, we will:
- Notify affected clients within 72 hours, in accordance with UK GDPR requirements
- Provide a clear description of the incident, data affected, and remediation steps
- Report to the Information Commissioner's Office (ICO) where required
- Immediate Revocation: All API keys, licence keys, and dashboard access can be revoked within minutes.
- Worker Shutdown: The entire API can be taken offline by removing the Worker deployment if required.
8. Request Full Security Specification
We maintain a comprehensive Security Specification document (SK-SEC-001) that provides full technical details of our security controls, including data flow diagrams, encryption details, third-party service inventory, personnel access controls, and audit procedures.
We can also provide a Data Processing Agreement (DPA) for clients who require one for their own compliance obligations.
To request a copy of the Security Specification or to discuss a DPA, please contact:
Email: support@supportking.co.uk