5 security criteria to consider before selecting a WebRTC video and audio API provider

We know how complicated it can be to select the right WebRTC provider for your video and audio API. One central but frequently overlooked criterion is how the provider protects the data and privacy of both you as a customer and your end users.

In this guide, we seek to outline five criteria or questions to consider when making your purchasing decision.

1. Will I be able to encrypt media streams?

Media stream (audio/video/chat) security is essential for both customers and end users. Daily peer-to-peer media streams are end-to-end encrypted. This means that nobody but you and the participants you invite to the call can listen in on or view your online video call. End-to-end encryption is implemented in the web browser, so you can provably audit that all media is encrypted end-to-end.

Daily SFU calls (large calls and sessions that are configured for recording) are encrypted to and from Daily’s servers. Audio and video are decrypted and re-encrypted in memory on the servers, and no unencrypted media is ever stored on the media server or ever available from any external process.

Encryption strength is at least AES-128 in all three of Daily's call modes: peer-to-peer, SFU, and Mesh-SFU. That minimum applies in P2P mode; in SFU mode, we use AES-256.

When evaluating vendors, ask whether end-to-end encryption is supported and, if not, why.
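One way to check the encryption claims above from the browser side, as an added example that is not Daily's code: the standard `RTCPeerConnection.getStats()` report exposes `dtlsState` and `srtpCipher` on each transport, and the function below checks them against a minimum key size. The stats describe only the hop between the browser and its immediate peer (another browser in P2P mode, the media server in SFU mode); the function names and sample reports are constructed for illustration.

```javascript
// Added example: audit the encryption of a WebRTC transport from getStats().
// In a browser, pass `await pc.getStats()`; the sample reports below are
// constructed for illustration so the code runs offline under Node.js.

// Extract the AES key size from an SRTP protection-profile name.
// Accepts IANA-style ("SRTP_AES128_CM_HMAC_SHA1_80") and libwebrtc-style
// ("AES_CM_128_HMAC_SHA1_80") spellings; returns null for anything else,
// including NULL-cipher profiles.
function srtpKeyBits(profile) {
  const m = /AES(?:_CM)?_?(128|256)/.exec(String(profile || '').toUpperCase());
  return m ? Number(m[1]) : null;
}

// Check every "transport" entry: DTLS must be connected and the SRTP
// profile must meet the minimum key size (128 by default).
function auditTransports(report, minBits = 128) {
  const findings = [];
  for (const stat of report.values()) {
    if (stat.type !== 'transport') continue;
    const bits = srtpKeyBits(stat.srtpCipher);
    const problems = [];
    if (stat.dtlsState !== 'connected') problems.push(`dtlsState=${stat.dtlsState}`);
    if (bits === null) problems.push(`unrecognized SRTP profile: ${stat.srtpCipher}`);
    else if (bits < minBits) problems.push(`${bits}-bit key below required ${minBits}`);
    findings.push({ id: stat.id, bits, ok: problems.length === 0, problems });
  }
  // A report without any transport entry verifies nothing: fail closed.
  return { ok: findings.length > 0 && findings.every((f) => f.ok), findings };
}

// Constructed sample reports (not captured from a real call).
const sampleGood = new Map([
  ['T1', { id: 'T1', type: 'transport', dtlsState: 'connected',
           srtpCipher: 'AES_CM_128_HMAC_SHA1_80' }],
  ['CP1', { id: 'CP1', type: 'candidate-pair', state: 'succeeded' }],
]);
const sampleBad = new Map([
  ['T1', { id: 'T1', type: 'transport', dtlsState: 'connecting',
           srtpCipher: undefined }],
]);

console.log(JSON.stringify(auditTransports(sampleGood), null, 2));
console.log(JSON.stringify(auditTransports(sampleBad), null, 2));
```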

2. How will I restrict data flow by country (geofencing)?

Another way of securing media streams is by restricting data traffic to a particular geographic server region (geofencing). This empowers developers to comply with digital privacy laws by region. For example, if you are developing apps in Germany, you can confine the media streams so that no data leaves Germany’s borders.

Daily offers audio and video geofencing to customers in Europe, the United States, and Asia. We’re currently working to expand geofencing to include operational data/metadata, which today is processed in US-based AWS data centers.

3. How robust are the vendor’s security practices?

Applying state-of-the-art standards for data control and management signals a security practice that is reliable and trustworthy. Make sure you confirm that the vendor’s security management is comprehensive, resilient, and validated by a third-party auditor.

Daily’s system for information security management is ISO 27001 certified. We adhere to strict security controls, which govern employee access to data processing systems and personal data. The underlying principle is that of least privilege (access only on a need-to-know basis).

Data access and other security controls are routinely monitored and are a key part of what makes Daily SOC 2 compliant. Dansa D’Arata Soucia LLP has audited and verified the robustness of our information security management. Through periodic reviews, we check that all of our data centers have active ISO 27001 certifications.

Importantly, no personally identifiable information (PII) or end user personal data is processed by us. We store call metadata for up to 365 days for analyses and product optimization, after which this data will be deleted. Our customers manage their personal data (e.g. user IDs and passwords) within their own dashboard, to which Daily has no access.

4. What are the vendor’s routines for risk management and rapid response?

Security performance and risk level should be continuously monitored and subject to both internal and external audits. Information security management must actively reduce the risk of critical incidents and data breaches to the lowest possible level and strengthen the vendor’s resilience, or ability to bounce back, if and when data security is compromised.

We conduct annual penetration tests to uncover, prevent, and repair weaknesses and vulnerabilities that could place Daily and our customers’ data at risk. Through our partnership with HackerOne, more than 100 security specialists including ethical hackers are actively working with Daily to find and report issues in our product. Our Responsible Disclosure Policy makes it easy for users to notify us about potential vulnerabilities in the service, and for Daily to resolve any issues promptly.

5. To what extent does the vendor comply with privacy laws?

Individual data protection is the cornerstone of privacy legislation. Both you as a customer and your end users have rights to information privacy anchored in global privacy law.

Daily has a Data Privacy Manager who closely monitors changes in the privacy landscape and ensures compliance with data protection law in the markets we operate in. Daily complies with GDPR, CCPA/CPRA and state-level consumer privacy laws (skip to the next paragraph for details). We support the most complete HIPAA-compliant video APIs and SDKs. This includes the industry's first HIPAA-compliant embed, Daily Prebuilt (our hosted video call component option). Legal experts at the international law firm Gunderson & Dettmer assist us in maintaining compliance.

Why privacy and security compliance matters

The global security landscape is complex and ever changing.

Keeping track of the ever-shifting information privacy landscape is resource-intensive, especially when doing international business. Let’s say your market presence is in Europe, the United States, Canada, and Brazil. You would need to ascertain compliance with GDPR, PIPEDA, Brazil’s GDPR (LGPD), and probably state-level consumer data privacy laws (e.g. California, Colorado, Connecticut, Utah, Virginia). In the latter case, the American Data Privacy and Protection Bill is aiming to strengthen individuals’ digital privacy at the federal level. In the case of the GDPR, data breaches may result in fines of between 10 and 20 million € or 4 percent of ARR, whichever is higher.

Respecting consumer privacy laws is essential for building and maintaining customers’ trust in your products and services over time. Daily’s engineering team adheres to the principles of Privacy by Design and Default. Privacy by Design postulates that privacy is taken into account throughout the design process and is integral to the final product. This means that Daily, by default, processes only data that is strictly necessary and only for the specific purposes of processing expressed in our privacy policy. We've operationalized this commitment across the organization and our platform. You can visit our Security Center for details on call security, data processing, security controls, and more. Visit IAPP to learn more about Privacy by Design.

Security shortlist criteria recap

To recap, Daily places your information security front and center and is a first choice for privacy-minded companies and industries. Choose wisely and consider these criteria when selecting your WebRTC API provider:

☑️ Industry-leading call security (including end-to-end encryption for peer-to-peer calls)

☑️ Global call media geofencing to specific server regions

☑️ Comprehensive security practices and controls

☑️ Resilient risk management and rapid incident response

☑️ Compliance with relevant privacy legislation


Do you have questions about information security and data protection at Daily? Please contact our developer support. You also can talk with an expert on our sales team.
