Security + Trust

Every client-to-edge connection uses TLS 1.3 with HSTS preloaded. Media between participants is DTLS-SRTP — perfect forward secrecy, encrypted-by-default, never plaintext on the wire.

Recordings, transcripts, and chat history sit on AES-256-GCM volumes. Customer-managed KMS available on Enterprise (BYOK).

Optional per-room E2EE via the SDK insertable-streams pipeline. Media frames are encrypted in the publisher and only decrypted on subscribers — the SFU never sees the plaintext frame body.

OIDC SSO on Business + Enterprise tiers (Okta, Microsoft Entra, Google Workspace and any RFC-8252-compliant IdP), with PKCE + nonce + JIT user provisioning. SCIM 2.0 user + group sync endpoints, conformance-tested against the RFC-7644 protocol surface. SAML 2.0 is on the roadmap.

host / co-host / member / viewer roles enforced server-side. JWT tokens are short-lived (≤ 1 hour) + refreshable. mTLS between every internal service.

Every privileged action (admit, kick, recording start, settings change) writes an immutable audit row. Enterprise contracts get 1-year retention + SIEM stream-out (Splunk, Datadog, Elastic).

API + signalling traffic is rate-limited at the gateway. Abusive callers get exponential back-off + 429 — no flooding the SFU.

Every dependency PR runs npm audit / pip-audit / cargo audit / govulncheck. Container images are rebuilt nightly from the latest patched base image; signed with cosign before publish.

Postgres + recording storage snapshotted daily; encrypted; off-region replicated. RPO ≤ 24h, RTO ≤ 4h on managed cloud. Self-host operators configure their own retention.

Default region is EU (Frankfurt + Helsinki on Hetzner). Other regions selectable per-room. Cross-region transfers are governed by the SCCs incorporated in our DPA.