Lysto's Security Framework

How We Protect Your Builds and Data

Security is foundational to everything we do at Lysto. Game studios trust us with their most sensitive assets, from unreleased builds and proprietary game data to confidential player insights. We've built multiple layers of protection into our Player Experience Platform to ensure that trust is never compromised.

Why Security Matters in Playtesting

Unreleased game builds represent months or years of creative and technical investment. A single leak can undermine marketing strategies, damage competitive positioning, or expose unfinished work to public scrutiny before teams are ready.

While NDAs provide legal protection, they're only effective when paired with technical safeguards that actually prevent leaks from happening. 

Lysto combines legal protection with platform-specific technical enforcement, ensuring builds are controlled at every step, from distribution through session end.

Our Security Framework

Lysto's security approach covers every layer of the playtesting process: legal protection, infrastructure security, access control, distribution security, session monitoring, data handling, and auditability. Here's how each layer works together for risk-free playtesting:

Strict NDA Gatekeeping

Players cannot access your build until they have signed a legally enforceable Non-Disclosure Agreement (NDA). This creates a binding confidentiality obligation before any gameplay begins.

Each NDA is tied to the playtester's verified identity, ensuring accountability. Players agree to restrictions on sharing, distributing, streaming, or publicly disclosing anything about the game or build. All NDA sign-ins are logged and timestamped, creating a clear, traceable record of violators, if any.

Platform & Infrastructure Security

Lysto’s platform is built using secure cloud infrastructure providers with industry-standard security certifications.

Encryption

• All data is encrypted in transit (TLS 1.2+)
• Data is encrypted at rest (256-bit encryption or higher)
• Build uploads are encrypted during transfer and storage
  
  

Secure Build Distribution

Builds are encrypted end-to-end during distribution and storage. Only verified testers who have cleared NDA consent and identity checks can access them.

For PC/Mobile Playtesting, builds can only be accessed through the Lysto app. APKs and game files will not open outside of our secure environment.

Builds are delivered through Lysto's secure infrastructure, never through public file-sharing services or uncontrolled channels. This ensures that builds remain protected from download through gameplay, with no exposure to unauthorized parties.

For PC tests that use Steam, encryption and distribution security provided by Steam are governed by Steam’s own security standards.

Platform-Specific Technical Security

Security controls differ depending on device and distribution method. Here's how:

Mobile

Android Playtesting (Unreleased APK / AAB)

Playtesting for Android devices require no SDK integration. Security measures include:

Access Control

Only invited testers who have signed an NDA can install and launch the build.

Conditional Access

Builds can only be launched within approved testing windows.

Remote Kill Switch

Once a session concludes:

• The build is automatically deactivated
• The APK becomes unusable
• Access cannot be restored without authorization

Automatic Data and APK Deletion

After session completion:

• All gameplay recordings are automatically deleted from the player's device once the playtest concludes. 
• The APK is deleted from the player’s device
• No playable file remains locally

Screenshot & Screen Recording Protection

• Screenshot attempts are blocked
• Screen recording attempts are detected
• Attempts are logged and linked to verified identity

PC Playtesting

When testing via Steam:

• Steam key distribution is controlled

• Keys are provided only after NDA acceptance

• Access control is enforced at key distribution level

Build deactivation or key revocation depends on Steam’s capabilities at the time of testing.

For additional Steam-level security standards, studios should refer to Steamworks documentation.

When studios choose to distribute builds directly:

• Download access is restricted to NDA-signed testers

• All access is logged and timestamped

Note: Once downloaded locally, remote build deactivation is not supported at the moment.

For either method, screenshot/screen recording attempts are blocked, and logged and linked to the players verified identity.

Role-Based Access Controls (Studio Control)

All playtest data is accessible only to authorized studio personnel. Studios decide who gets platform permissions, down to the individual level.

This ensures that even within a studio, access is controlled and limited to relevant team members. External collaborators, agencies, or partners can also be granted specific permissions without exposing the full scope of the playtest.

Activity Trail and Access Logging

Every action within the platform is logged, timestamped, and auditable. From NDA sign-in to build access, gameplay submission, and data review, Lysto maintains a complete activity trail.

These logs can be shared with studios on request, providing full transparency around who accessed what, when, and how. This level of auditability supports compliance, internal security reviews, and accountability.

What This Means for Studios

Lysto locks down every layer of your playtest—infrastructure, player panel, permissions, and distribution—so teams can run research at speed without exposing builds or compromising insight quality.

You get:

• Legal protection through enforceable NDAs tied to verified identities
• Technical protection through encryption, kill switches, session monitoring, and device-specific security
• Operational protection through role-based access and activity logging
• Peace of mind knowing your builds are as secure as your internal development environment
  
  

Security Across All Playtest Types

These security measures apply to all playtesting services on the platform, regardless of study type or recruitment method:

• Single-Session, Multi-Session, and Longitudinal Playtests
• Concept Testing and Moderated Studies
• PC, mobile, and console playtests
• Self-hosted (BYOP) and panel-based recruitment

Whether you're testing with your own community or recruiting from Lysto's player panel, the same security standards protect your work.

Getting Support

If you have specific security requirements, compliance needs, or questions about how Lysto's security framework applies to your studio, contact your Games Partnership Manager or reach out to us at contact@lysto.io.