Security Architecture
Security Overview
Mediabriz uses a layered security approach:
- Client-side browser extension (no system installation)
- Designed with no inbound network exposure
- All communication over HTTPS (TLS 1.2 or higher)
- Uses existing Genesys Cloud authentication and permissions
- Data scoped per organization and user
- Not designed to access local files or unrelated browser data
- Encrypted data storage with automatic expiration
Mediabriz is designed to operate within the user's existing environment and security boundaries.
Mediabriz is not designed to introduce additional access to customer data beyond what is already available within the user's existing environment.
While CloudBriz implements reasonable technical and organizational measures to protect the Service and its data, no system can be guaranteed to be completely secure. Security also depends on third-party platforms, browser environments, and customer configurations.
Certain features may be configurable or disabled by the organization through available settings, allowing control over how the Service is used. This may include control over optional capabilities such as search or data access features.
Overview
This page describes how Mediabriz operates, what data it processes, how that data is stored, and the security controls in place.
How Mediabriz Operates
Mediabriz is a browser-based application that integrates with Genesys Cloud services. It operates as a browser extension that integrates with Genesys Cloud and may also be used within supported custom web environments configured by the organization.
- The extension operates in supported contexts, including active interactions, search functionality, and user-managed content views
- It interacts with media available to the authenticated user (images, videos, audio, documents)
- It is not designed to modify the source data in Genesys Cloud
- Mediabriz is designed to access conversations and media available to the authenticated user based on their permissions in Genesys Cloud
- All communication between the extension and Mediabriz uses HTTPS
The extension is designed to operate without altering the underlying functionality of host applications and is not designed to modify application data or workflows. Any interaction with the page is intended to be limited to user interface enhancements provided by the Service.
Mediabriz is designed to operate only within approved application domains and is not intended to access unrelated websites, browser history, or local user files.
Data Handling
Media may be accessed and processed as required for functionality, including background operations and real-time interaction handling.
- On-demand and background access: Media is fetched as required for display, processing, or other service functionality
- Contextual scope: Functionality may operate across multiple contexts, including active interactions and other user-initiated workflows such as search or historical views. Media is not intended to be aggregated or indexed beyond what is necessary for the Service
- Derivative content: Original media files remain in Genesys Cloud. Mediabriz generates derivative content (thumbnails, document previews) when required for the Service
- User-generated metadata: Mediabriz may generate and store user-generated metadata associated with media items or interactions. This metadata is created and maintained within Mediabriz and is not sourced from or written back to Genesys Cloud. It is not intended to modify or alter the original media or conversation data
Processing occurs in response to user activity or system events and is limited to what is necessary to provide the Service.
Mediabriz is not designed to store or take ownership of customer conversation data. Core interaction data remains within Genesys Cloud.
Data Storage
Data is stored only as necessary to support the Service and is subject to controlled retention and automatic deletion policies. Stored data may include:
- Thumbnails and document previews — generated derivative content, subject to limited retention with automatic deletion
- Organization configuration — settings and preferences, retained while the subscription is active
- Authentication data — token hashes handled using secure practices under normal operating conditions, with short-lived automatic expiration
See our Privacy Policy for specific retention periods and data handling details.
What Is NOT Stored
- Mediabriz is not designed to store original media files permanently
- Conversation transcripts are not designed to be collected or stored by the Service
- The Service does not intentionally collect or store customer personal data beyond what Genesys Cloud provides in the interaction context
- OAuth tokens are handled using secure practices and the Service does not intentionally retain them in plaintext
Temporary data is subject to automatic expiry via lifecycle rules. See our Privacy Policy for retention details.
Security Controls
Encryption
- In transit: All communication is designed to use HTTPS with TLS 1.2 or higher
- At rest: Stored data is encrypted using managed encryption keys with automatic key rotation
- Browser storage: OAuth tokens are stored in browser extension storage, which is designed to be inaccessible to web pages or external sites under normal browser operating conditions
Access Control
- Authentication required: Data-access endpoints are designed to require a valid API key and a verified Genesys Cloud OAuth token
- Organization scoping: Requests are scoped to the authenticated user's organization. Cross-organization access is restricted by design
- Organization status enforcement: Access is restricted to organizations with active or trial subscriptions. Suspended or cancelled organizations are blocked
- Administrative analytics: Access to the Mediabriz Insights dashboard is restricted to users granted the corresponding Genesys Cloud permission and remains scoped to that user’s organization
- Request validation: All API requests are subject to multi-layer authentication and authorization checks
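The layered checks listed above (API key, verified OAuth token, organization scoping, subscription status, endpoint permission) are easiest to reason about as an ordered pipeline in which the first failing layer denies the request. The following Python block is an added illustration of that pattern and is not Mediabriz's code. The token verifier, the organization status table, the API key value and the sample principals are all constructed stand-ins; the only value taken from the page is the Genesys permission name `integration:cloudBriz:view` that gates the Insights dashboard.

```python
"""Layered request authorization (added illustration; not Mediabriz's code).

Assumptions (hypothetical): the API key is a shared secret compared in constant
time; verify_oauth_token() stands in for validating the Genesys Cloud token with
the identity provider; organization status is looked up in a local table.
"""
import hmac
from dataclasses import dataclass, field

ALLOWED_ORG_STATUSES = {"active", "trial"}         # suspended / cancelled are blocked
INSIGHTS_PERMISSION = "integration:cloudBriz:view"  # Genesys permission named on the page

# Constructed sample data standing in for the real verifier and org table.
SERVICE_API_KEY = "example-api-key-0001"
SAMPLE_TOKENS = {
    "tok-alice": {"user": "alice", "org": "org-A", "perms": {INSIGHTS_PERMISSION}},
    "tok-bob":   {"user": "bob",   "org": "org-A", "perms": set()},
    "tok-carol": {"user": "carol", "org": "org-B", "perms": {INSIGHTS_PERMISSION}},
}
SAMPLE_ORG_STATUS = {"org-A": "active", "org-B": "suspended", "org-C": "trial"}


@dataclass
class Request:
    api_key: str
    oauth_token: str
    org_id: str      # organization the caller is asking about
    endpoint: str    # "media" or "insights"


@dataclass
class Decision:
    allowed: bool
    reason: str
    principal: dict = field(default_factory=dict)


def verify_oauth_token(token: str):
    """Hypothetical verifier; returns the principal or None when the token is invalid."""
    return SAMPLE_TOKENS.get(token)


def authorize(req: Request) -> Decision:
    """Evaluate the layers in order; the first failing layer denies the request."""
    # Layer 1: service API key, compared in constant time to avoid a timing side channel.
    if not hmac.compare_digest(req.api_key, SERVICE_API_KEY):
        return Decision(False, "invalid api key")
    # Layer 2: the caller must present a verifiable Genesys Cloud OAuth token.
    principal = verify_oauth_token(req.oauth_token)
    if principal is None:
        return Decision(False, "invalid oauth token")
    # Layer 3: organization scoping; the org is taken from the token, never from the request.
    if req.org_id != principal["org"]:
        return Decision(False, "cross-organization access denied")
    # Layer 4: subscription status of the organization.
    status = SAMPLE_ORG_STATUS.get(principal["org"], "unknown")
    if status not in ALLOWED_ORG_STATUSES:
        return Decision(False, f"organization status {status!r} is not allowed")
    # Layer 5: endpoint-specific permission (Insights dashboard).
    if req.endpoint == "insights" and INSIGHTS_PERMISSION not in principal["perms"]:
        return Decision(False, "missing insights permission")
    return Decision(True, "ok", principal)
```

The ordering matters for defenders: the cheap, secret-independent checks run first, the organization comes from the verified token rather than from the caller's claim, and a denial reason is returned so that failed layers can be logged and alerted on without leaking the token or key.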
Media Access
- Media cache storage is private by design; public access is restricted
- Media is designed to be accessible through the CDN using access controls
- The extension is not designed to access storage directly
- HTTPS is designed to be enforced on both storage and CDN layers
Infrastructure Protection
- Web Application Firewall (WAF): API endpoints are protected with per-IP rate limiting, OWASP core rules, known bad input patterns, and IP reputation blocking
- DDoS protection: Layer 3/4 protection is active on endpoints
- API throttling: Rate and burst limits are designed to reject excessive requests
- Network isolation: Service functions run in isolated environments with least-privilege access
- Logging and monitoring: Service invocations are logged. Monitoring alarms are configured for anomalous traffic
- Log sanitization: Tokens, secrets, and API keys are designed to be sanitized from logs
Optional Security Add-ons
Mediabriz Guard (Media Scanning)
Mediabriz Guard is an optional add-on that submits uploaded media files for malware scanning before they are made available to users in the extension. When enabled by an organization administrator:
- Uploaded files are scanned by Amazon GuardDuty Malware Protection prior to delivery
- Scan results are cached per unique file (file hash + organization) for one year, so the same file is not re-scanned on each access
- Files identified as infected are blocked from in-app preview and download, and surfaced with a visible scan-status indicator in the user interface
- Scan status (clean, infected, pending, error) is logged per organization for visibility and billing
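The caching rule above (one verdict per unique file hash and organization, kept for one year) is what keeps a scanning add-on affordable without letting a verdict leak across tenants. The Python block below is an added illustration of that cache and the delivery gate, not Mediabriz Guard's code. The scanner is a hypothetical stub standing in for Amazon GuardDuty Malware Protection, the malware marker is a constructed sample, and two choices are this example's own rather than the page's: only final verdicts (clean, infected) are cached, and anything other than clean is treated as not yet deliverable.

```python
"""Per-(organization, SHA-256) scan-result cache with one-year expiry.
Added illustration; not Mediabriz Guard's code. The scanner is a stub."""
import hashlib
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

ONE_YEAR_SECONDS = 365 * 24 * 60 * 60
SCAN_STATES = {"clean", "infected", "pending", "error"}  # states named on the page
CACHEABLE_STATES = {"clean", "infected"}                # example choice: cache only final verdicts

# Constructed marker: the stub scanner flags any payload that contains it.
CONSTRUCTED_MALWARE_MARKER = b"CONSTRUCTED-SAMPLE-MALWARE-MARKER"


def stub_scanner(data: bytes) -> str:
    """Hypothetical stand-in for the third-party malware scanner."""
    return "infected" if CONSTRUCTED_MALWARE_MARKER in data else "clean"


@dataclass
class ScanRecord:
    status: str
    scanned_at: float


class ScanCache:
    """Caches verdicts keyed by (organization, SHA-256 of the file) for `ttl` seconds."""

    def __init__(self, scanner: Callable[[bytes], str] = stub_scanner,
                 ttl: float = ONE_YEAR_SECONDS,
                 clock: Callable[[], float] = time.time):
        self._scanner = scanner
        self._ttl = ttl
        self._clock = clock            # injectable so expiry can be tested offline
        self._records: Dict[Tuple[str, str], ScanRecord] = {}
        self.scan_calls = 0            # how often the scanner was actually invoked

    @staticmethod
    def cache_key(org_id: str, data: bytes) -> Tuple[str, str]:
        # Keyed per organization so one tenant's verdict is never reused for another.
        return (org_id, hashlib.sha256(data).hexdigest())

    def status_for(self, org_id: str, data: bytes) -> str:
        key = self.cache_key(org_id, data)
        now = self._clock()
        record = self._records.get(key)
        if record is not None and now - record.scanned_at < self._ttl:
            return record.status                       # cache hit, no re-scan
        self.scan_calls += 1
        status = self._scanner(data)
        if status not in SCAN_STATES:
            status = "error"                           # unknown scanner output is an error
        if status in CACHEABLE_STATES:
            self._records[key] = ScanRecord(status, now)
        return status


def delivery_allowed(status: str) -> bool:
    """Only a clean verdict releases the file to preview/download (fail closed)."""
    return status == "clean"
```

Keying the cache on the organization as well as the hash costs one extra scan per tenant per file, but it means a verdict (and the fact that a given file exists) is never shared across organizations.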
Mediabriz Guard is a supplementary security measure. It is not designed to replace endpoint security, antivirus, or enterprise cybersecurity controls, and CloudBriz does not warrant that all malware, viruses, or malicious content will be detected. The scanning service relies on third-party malware-detection technology and is subject to the detection capabilities and limitations of that technology.
For the complete scanning-service disclaimer and limitation of liability, see EULA §12.1.
Network Requirements
Mediabriz requires outbound HTTPS access to its service endpoints, in addition to the standard Genesys Cloud network access your organization already has in place — both are required for Mediabriz to function, and no changes are needed to your existing Genesys Cloud connectivity.
Mediabriz is not designed to require any inbound firewall rules, ports, or network exposure.
Organizations with restrictive firewalls or web proxies must allow outbound HTTPS (port 443) to the Mediabriz domains listed below. All non-EU-prefixed Mediabriz domains and the Microsoft Office Online viewer apply to every organization. The EU domains are only required for organizations whose data is hosted in the EU data region — organizations in the US data region do not need them. If you’re unsure which domains apply to your organization, contact Mediabriz support.
| Domain | Purpose | Required for |
|---|---|---|
| api.mediabriz.com | Mediabriz API | All organizations |
| media.mediabriz.com | Mediabriz media CDN (thumbnails, file previews) | All organizations |
| wizard.mediabriz.com | Mediabriz installation + admin tile (loaded as iframe inside Genesys Apps; required for the initial install and any subsequent re-entry to the integration tile) | All organizations |
| insights.mediabriz.com | Mediabriz Insights dashboard (loaded as iframe inside Genesys Apps after installation; available to users with the integration:cloudBriz:view Genesys permission) | All organizations |
| eu.api.mediabriz.com | Mediabriz API (EU) | Organizations in the Mediabriz EU data region |
| eu.media.mediabriz.com | Mediabriz media CDN (EU) | Organizations in the Mediabriz EU data region |
| view.officeapps.live.com | Microsoft Office Online viewer (required for document previews). If blocked, document preview is unavailable but other functionality remains unaffected | All organizations |
Real-time updates (WebSocket). Genesys Cloud delivers conversation notifications over an outbound secure WebSocket connection to streaming.{region} (port 443). This channel is part of the existing Genesys Cloud connectivity referenced above; if your firewall enforces outbound WebSocket (WSS) rules separately from HTTPS, ensure WSS to streaming.{region} is allowed for your organization’s Genesys Cloud region (for example, streaming.mypurecloud.com for US East).
Iframe note. Loading a domain in an iframe still counts as outbound HTTPS from the browser to that domain — the iframe wrapper is an HTML container, not a network proxy. Strict outbound-allowlist firewalls must include wizard.mediabriz.com and insights.mediabriz.com even though they only ever load inside the Genesys Apps page.
All traffic is outbound HTTPS on port 443.
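For an administrator maintaining an outbound allowlist, the requirements above reduce to a small list of hosts on TCP 443 that depends on the data region, plus the Genesys streaming WebSocket host. The Python block below is an added example, not a Mediabriz tool: it builds that list from the domains in the table, reports which entries an existing allowlist is missing, and offers a TLS probe that only accepts a TLS 1.2 or higher handshake. The region labels `"us"`/`"eu"` and the `genesys_domain` parameter (for example `mypurecloud.com`, as the page cites for US East) are this example's assumptions.

```python
"""Outbound allowlist builder and checker for the domains listed on this page.
Added example; not a Mediabriz tool. Region labels and genesys_domain are assumptions."""
import socket
import ssl
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int
    protocol: str  # "https" or "wss"


# Domains from the page's table; everything is on TCP 443.
MEDIABRIZ_ALL_ORGS = ("api.mediabriz.com", "media.mediabriz.com",
                      "wizard.mediabriz.com", "insights.mediabriz.com")
MEDIABRIZ_EU_ONLY = ("eu.api.mediabriz.com", "eu.media.mediabriz.com")
OFFICE_VIEWER = "view.officeapps.live.com"


def required_outbound(data_region: str, genesys_domain: str) -> List[Endpoint]:
    """Return every outbound endpoint an organization needs for the given data region.

    data_region is "us" or "eu" (assumed labels); genesys_domain is the
    organization's Genesys Cloud region domain, which fills streaming.{region}.
    The iframe-loaded hosts (wizard, insights) are included on purpose: an iframe
    is still an outbound HTTPS connection from the browser.
    """
    hosts = list(MEDIABRIZ_ALL_ORGS) + [OFFICE_VIEWER]
    if data_region.lower() == "eu":
        hosts += MEDIABRIZ_EU_ONLY
    required = [Endpoint(h, 443, "https") for h in hosts]
    required.append(Endpoint(f"streaming.{genesys_domain}", 443, "wss"))
    return required


def missing_from_allowlist(required: Iterable[Endpoint], allowlist: Iterable[str]) -> List[Endpoint]:
    """Endpoints whose host is absent from an existing proxy/firewall allowlist."""
    allowed = {h.strip().lower() for h in allowlist}
    return [e for e in required if e.host.lower() not in allowed]


def probe_tls(endpoint: Endpoint, timeout: float = 5.0) -> Optional[str]:
    """Live check (needs network): negotiated TLS version, or None if the host is
    unreachable or cannot offer TLS 1.2 or higher with a valid certificate."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((endpoint.host, endpoint.port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=endpoint.host) as tls:
                return tls.version()
    except OSError:  # ssl.SSLError is a subclass of OSError
        return None


if __name__ == "__main__":
    # Example run for a US-region organization whose Genesys region is mypurecloud.com.
    existing = ["api.mediabriz.com", "media.mediabriz.com", "view.officeapps.live.com"]
    for e in missing_from_allowlist(required_outbound("us", "mypurecloud.com"), existing):
        print(f"missing: {e.protocol}://{e.host}:{e.port}")
```

The `missing_from_allowlist` check is deliberately offline so it can run in a change-review pipeline; `probe_tls` is the optional live confirmation that the allowed path actually reaches the host with an acceptable protocol version, which is what the "TLS 1.2 or higher" requirement above asks for.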
Disclaimers
The security measures described on this page represent CloudBriz's current practices and are subject to change. CloudBriz implements reasonable technical and organizational measures to protect the Service, but does not guarantee that the Service is free from vulnerabilities or that security incidents will not occur.
The Service depends on third-party platforms, including Genesys Cloud, cloud infrastructure providers, and web browsers. CloudBriz is not responsible for the security, availability, or performance of third-party platforms and does not guarantee their continued operation or compatibility.
Functionality and security may vary depending on the user's browser environment, version, configuration, and network conditions. CloudBriz does not guarantee compatibility with all browser versions or environments.
This page is provided for informational purposes only and does not constitute a warranty, guarantee, or contractual commitment. For binding terms, refer to the Terms of Use, EULA, and Privacy Policy.
For questions about our security practices, visit our Support Center or contact us.