Navigating the Video Call API Landscape: Compliance & Security

The simple fact of existing on the internet means that your data will be vulnerable to breach, theft, and unauthorized usage — malicious or otherwise. To prevent such occurrences, an audio-video infra provider’s security framework and compliance certifications become an essential point of consideration for prospective customers. You’d want to know that the tool you choose is serious about protecting your data from undesired access and legal complications.

Why Compliance and Security Are So Important

As data breaches become more frequent, data security becomes a central concern for anyone seeking to use any software. Even the world’s largest companies (Weibo, Target, eBay, etc.) suffer the consequences of inadequate data protection. Vendors you choose must be able to shield the security and privacy of your data from malicious or undesirable parties.

In this regard, it’s essential to pay attention to a vendor’s IT security fabric. Gauging this requires observation of two aspects: compliance certifications and specific security features.

Compliance certifications denote that an organization and its infrastructure meet the industry standards for data security and privacy.

Specific security features such as access control and end-to-end encryption reveal the particular techniques used to guard your data and provide transparency to the right people. For example:

• Access control ensures that uninvited individuals don’t barge in on your online meeting rooms.
• End-to-end encryption ensures that third parties cannot view or access data when it is being transferred from one system/device to another.

Close attention to IT security and compliance reveals how invested a company is in protecting its customers from invasions of privacy as well as the losses and failures that come with data theft or manipulation.

When evaluating vendors for purchase, keep an eye out for the following key security compliance standards and features.

Compliance Certifications to Consider

1. SOC 2 Type I & SOC 2 Type II: A SOC 2 Type I report assesses the nature of security processes and control in an organization at a specific point in time. The report describes what said controls are, and evaluates if they are implemented effectively.

   A SOC 2 Type II report assesses the efficacy of an organization’s controls over a certain period. The auditor will usually observe operations over a few months (minimum of six months). Unlike HIPAA or GDPR, SOC 2 reports are not legally mandated but voluntary. However, they are a significant marker of how well a company (SaaS, cloud computing orgs, IT-first providers) is protecting data within their information centers.

2. General Data Protection Regulation (GDPR): Drafted and passed by the European Union (EU), the GDPR is a set of legal obligations placed upon organizations worldwide that work with or accumulate data from or related to EU citizens. The regulations lay out meticulous privacy and security standards, and violating them results in penalties and heavy fines. GDPR intends to secure citizens’ information and ensure data privacy and security in an increasingly online world.

3. Health Insurance Portability and Accountability Act, 1996 (HIPAA): HIPAA is an American federal law passed by the US Department of Health and Human Services (HHS). It is a set of national standards created to safeguard sensitive patient data from being disclosed without the patient’s consent/knowledge. American healthcare providers, health plans, healthcare clearinghouses, and business associates working with individually identifiable health information have to follow HIPAA. HIPAA is mainly relevant for healthcare entities operating in the US or using the medical information of American citizens.

4. ISO/IEC 27001 Information Security Management (ISO/IEC 27001): This international standard defines a set of requirements for information security management. Complying with this framework ensures that an organization securely manages assets like intellectual property, financial data, employee information, or any information entrusted by third parties.

5. California Consumer Privacy Act (CCPA): CCPA is meant to secure privacy rights for California consumers by giving them greater control over the information businesses may collect about them. Among other things, it gives consumers the right to demand the deletion of personal data a company collected from them. They can also deny enterprises the right to sell their personal information to other parties.

6. Children's Online Privacy Protection Rule (COPPA): COPPA is an American federal law enforced by the Federal Trade Commission. It obligates specific requirements on websites and online services that intentionally collect personal information of children younger than 13 years of age. The FTC states that COPPA applies to:

   1. Any online service (regardless of where it originates) aimed at US users.
   2. Any service that deliberately collects information from children in the US.

Security Features to Consider

1. Access control: The SDK must have an in-build ability to restrict who has access to active meeting rooms and the admin dashboard. For example, certain video apps admit every meeting participant into a virtual “waiting area” where they wait until the host or administrator allows them to join the meeting.

   Role-Based Access Control (RBAC) is also a priority. Customers should be able to restrict dashboard access based on an individual’s role within the organization. For example, someone in an administrative role should be able to access sensitive data on the usage dashboard, but those permissions may not apply to regular employees.

2. Enterprise Authentication: Enterprise authentication mechanisms like SSO/SAML cut down on operational overhead by centrally managing user credentials. SSO offers a single system to authenticate users and grant them access to multiple applications across a company or organization.

3. End-to-End Encryption (E2E Encryption): End-to-end encryption ensures that the only people who can access data in a communication channel are the sender and intended receiver(s). No one else, be it hackers, unwanted third parties, or even the audio-video service used to communicate said data, can access the encrypted data.

4. Privacy of Recordings: Often, online meetings and calls are recorded with a recording feature provided by the vendor. If stored on the vendor’s cloud, the recordings must be private and inaccessible to anyone but authorized personnel — be it the customer or specific individuals on the vendor’s team.

5. Audit Trails: Audit trails track and present a record of all system and user activity so that any changes to app operations are captured and viewable by relevant administrators. With the right tools and protocols in place, audit trails are integral to identifying performance issues, security infractions, or unsanctioned process changes.

---

Comparing Vendors

Note: All information in this piece is taken from publicly available product/vendor documentation.

Agora

Agora’s Compliance Certifications

1. GDPR
2. HIPAA
3. CCPA
4. COPPA
5. ISO/IEC 27001
6. SOC 2

Source: Agora Compliance & Privacy*

Agora’s Security Features

1. Access Control:

   • By default, Agora creates an independent and isolated channel for every audio, video, or messaging data transmission. Channels are logically separated. Only users authenticated from the same App ID can join the same channel. Source.
   • Agora uses dynamic token authentication. The app backend generates the token, and users can access the Agora platform after the app has validated them. Source.
   • The Agora RTC SDK and the RTM SDK support network geofencing. This restricts data transmission to a specific geographic area and allows customers to meet the laws and regulations of different locations. Source.

2. Enterprise Authentication: We examined Agora’s documentation and asked on Agora’s StackOverflow, but were unable to determine the answer with complete accuracy. We have contacted Agora for more data and will update the article when receiving more clarity. You can contact Agora Sales for more information.

3. End-to-End Encryption:

   • Agora does not support end-to-end encryption by default. It supports the same in limited use cases where server-side services (e.g., recording, transcoding, etc.) are not involved. It supports data and transmission encryption, and uses a proprietary secure transport layer, Agora Universal Transport (AUT), to ensure data confidentiality during transmission. Source.

   • All communication between a user and the Agora server is secured by numerous transmission protocols - the Agora private transmission protocol, Transport Layer Security (TLS), and Web Socket Secure (WSS). Users can choose to leverage the Advanced Encryption Standard (AES) or a customized encryption algorithm to guard audio and video data.

     While data is being transmitted, the Agora SD-RTN™ does not communicate encryption key information of any kind. Data related to a call’s content will only be decrypted on the terminal device (the client app & the customer's on-premise recording server) via the client authorization key. Source.

   • With the SDK, devs can encrypt users' media streams during real-time communication using the media stream encryption Agora provides. They can call the API, choose the encryption mode, and set the encryption secret and salt.

   • Agora supports the following encryption modes:

     • "aes-128-xts": 128-bit AES encryption, XTS mode

     • "aes-256-xts": 256-bit AES encryption, XTS mode

     • "aes-128-gcm": 128-bit AES encryption, GCM mode

     • "aes-256-gcm": 256-bit AES encryption, GCM mode

     • "aes-128-ecb": 128-bit AES encryption, ECB mode

     • "sm4-128-ecb": 128-bit SM4 encryption, ECB mode

     • "aes-128-gcm2": 128-bit AES encryption, GCM mode, with salt. Only applicable to the Web SDK v3.6.0 or later

     • "aes-256-gcm2": 256-bit AES encryption, GCM mode, with salt. Only applicable to the Web SDK v3.6.0 or later

       Source: Agora Media Stream Encryption*

4. Privacy & Encryption of Recordings:

   • Agora’s documentation mentions that it “Provides end-to-end security mechanisms for video calls, data transmission, data storage, and so on.” No further details on the page. Source.
   • Agora allows customers to record real-time calls with the Agora On-premise Recording SDK and Agora Cloud Recording SDK. Recorded files are stored on the user’s device or on a cloud storage device chosen by the customer. If required, customers can choose to further encrypt local or cloud recordings. Source.

5. Audit Trails:

   Agora meticulously monitors and restricts access to its internal systems. Users have independent internal accounts with corresponding authorization procedures such as two-step verification. All the access details are recorded. Source.

---

Twilio

Twilio’s Compliance Certifications

1. GDPR
2. ISO 27001
3. AICPA SOC 2
4. HIPAA

Source: Twilio Security*

Twilio’s Security Features

1. Access Controls:

   • Account Owners and Administrators can add and remove users to and from their Twilio accounts. They can also change a user's role, which will accordingly adjust their access level. Source.
   • Twilio uses Access Tokens (JSON Web Tokens) to allow end-users to join a Video Room. These tokens are credentials that must be signed with a Twillio API Key Secret. They also carry grants that determine what the client holding the token can do. Source.
   • Twilio allows Role-Based Access Control (RBAC), enabling administrators to control and constrain each user's access and capabilities in the Console. Source.

2. Enterprise Authentication:

   • Twilio supports Single Sign-On, which lets customers allow log-ins using a corporate Identity Provider (Azure Active Directory, Okta, Onelogin, etc.).

   • SSO gives customers the ability to authenticate users via a single source. It lets them manage security and compliance requirements, such as establishing two-factor authentication.

   • Users who leave an organization can be entirely removed from a single dashboard.

     Source: Twilio Single Sign-On*

3. End-to-End Encryption:

   • Twilio uses encryption to safeguard communications between Twilio and the customer’s web application. However, it cannot, at present, handle self-signed certificates. It supports the TLS cryptographic protocol, HTTP Basic and Digest Authentication. Source.
   • In 2016, Twilio partnered with Virgil Security to make the incorporation of end-to-end encryption into applications easy with Twilio IP Messaging, the Virgil Crypto SDK, and Key Management. By default, Twilio IP Messaging is encrypted in transit with HTTPS. However, activating E2E Encryption may prevent users from accessing advanced features like searching chat history. Source.
   • All media shared or exchanged in Peer-to-Peer Rooms is encrypted end-to-end and cannot ever be accessed by Twilio. Media shared in Group Rooms is encrypted during transport, briefly decrypted in memory in Twilio's cloud, and immediately re-encrypted before sending to other participants. Decrypted media is not written to any persistent storage or sent across any network. Source.

4. Privacy & Encryption of Recordings:

   • By default, all Programmable Voice Recordings on Twilio are encrypted at rest when stored in the Twilio cloud. If you enable Voice Recording Encryption, voice recordings will be encrypted with your public key the minute a call ends. The recording stays encrypted until the user retrieves it. Source.
   • On activating encryption, Twilio ensures that only the user can decipher the recording. No one else is allowed that ability, not even Twilio Support. Source.
   • By default, all call recordings are encrypted at rest when stored within Twilio. They also offer a Call Recording Encryption feature that, when activated, encrypts all records with a user-chosen public key. Only those with the corresponding private key can access the recording. Source.

5. Audit Trails:

   • Twilio Monitor offers visibility into and analysis of Twilio resources. The data is made accessible through their API to Ops personnel. Monitor also includes the capabilities for logging events and tracking changes through capabilities called Events. Source.
   • Events allow users to follow what changes were made to their account, by whom, and at what time. All user activity is tracked and recorded. Source.

---

8x8 - Jitsi as a Service(JaaS)

Jitsi’s Compliance Certifications

1. HIPAA
2. GDPR compliant for data processors

Source: Jitsi as a Service*

Jitsi’s Security Features

1. Access Control:

   Moderators can secure meetings by adding a pin code on enabling the lobby option or doing both. With the latter, every participant will initially join the lobby area and ask to be admitted into the meeting (via a button in the UI). The moderator will be notified that a particular individual with a specific user name is requesting entry and can accept or reject their request.

   Source: JaaS Meeting Security

2. Enterprise Authentication:

   We examined JaaS’s documentation but were unable to determine the answer with complete accuracy. We have tried to contact JaaS and will update the article when we receive more clarity. You can contact JaaS Sales for more information.

3. End-to-End Encryption:

   JaaS states that they provide “true end-to-end encryption even with video bridge for desktop video meetings.” No further details on the page.

   Source: JaaS Pricing

4. Privacy & Encryption of Recordings:

   We examined JaaS’s documentation but were unable to determine the answer with complete accuracy. We have tried to contact JaaS and will update the article when we receive more clarity. You can contact JaaS Sales for more information.

5. Audit Trails:

   We examined JaaS’s documentation but were unable to determine the answer with complete accuracy. We have tried to contact JaaS and will update the article when we receive more clarity. You can contact JaaS Sales for more information.

---

Zoom

Zoom’s Compliance Certifications

1. SOC 2 Type II
2. GDPR
3. HIPAA
4. ISO/IEC 27001:2013

Source: Zoom Legal Compliance*

Zoom’s Security Features

1. Access Control:

   • Zoom offers multiple features to implement access control. Some of them include:

     • Locking the meeting once it has started so that even individuals with the ID cannot join
     • Setting a meeting passcode
     • Muting, disabling video, or removing participants from a meeting (as host)
     • Disabling file transfer, annotations, and private chat

     Source

   • Each user with a Zoom account is automatically assigned a system role: owner, administrator, or member. Roles determine the default set of permissions; what users can do when they sign in to Zoom. Source.

   • Only account owners can change or reassign roles. Zoom offers role-based access control, which lets admins create additional user roles. These user roles can further restrict permissions by allowing individuals to access only specific pages. Owners can also change permissions for those in the Admin role. Source.

2. Enterprise Authentication:

   • Zoom supports SSO, which is based on SAML 2.0. It works with enterprise identity management tools like Okta, Centrify, Microsoft Active Directory, Gluu, OneLogin, PingOne, Shibboleth, etc. It allows administrators to provision users to different groups via feature controls. Source.
   • Zoom also allows basic and advanced SAML Mapping. With the basic protocol, admins can designate a default License Type if a user signs in with SSO. Admins can also map SAML attributes passed by their IP: email, first and last name, phone number, pronouns, department, etc. Source.
   • Advanced SAML mapping is also possible, allowing admins to assign users specific roles, add-ons, or groups based on the attributes passed. Source.

3. End-to-End Encryption:

   • On Zoom, account owners and admins can enable E2E encryption for meetings, but all participants must join from the Zoom desktop client, mobile app, or Zoom Rooms.

   • However, activating E2E encryption disables server-side functions like recording, breakout rooms, polling, live streaming, transcription, etc.

   • It also prevents users from joining by telephone, SIP/H.323 devices, on-premise configurations, Zoom’s web client, third-party clients leveraging the Zoom Web SDK, or Lync/Skype clients.

     Source: E2EE for meetings

4. Privacy & Encryption of Recordings:

   • Zoom allows encryption of a session’s audio, video, and screen sharing. The content is guarded by the Advanced Encryption Standard (AES) 256 with a one-time key, specific to each session while using a Zoom client.

   • Recordings stored on the host’s device must be encrypted separately using an external source. All cloud recordings are stored in the cloud right after a meeting ends. They can be password protected and made available to users within an organization.

   • Only a meeting host and the account admin can access the recording feature in meetings. They can allow others to access the recording as required.

     Source: Privacy & Security for Zoom Video Communications

5. Audit Trails:

   Zoom’s Reports sections allow paid account owners and admins to view multiple layers of meeting, account, and webinar statistics. They can view who is attending meetings, get stats on registrations for webinars, track changes to Account & Group settings, roles, user license assignments, subscriptions, SSO config, who signed in or out, and much more. For a much deeper dive into what Zoom offers, have a look at the Zoom reporting page.

---

100ms

100ms’ Compliance Certifications

1. SOC2 Type 1 & SOC 2 Type 2
2. HIPAA

100ms’ Security Features

Note: VAPT tests are run every year by a third-party vendor to assess the 100ms infrastructure and tech stack.*

2. Access Control:

   • Each 100ms meeting room is logically separate from every other room. Access to meetings can only be obtained via tokens — short-term room level/role-specific credentials transferred to participants via links.
   • During meetings, the host can restrict participants’ ability to speak, display video, and share their screen (if required) via 100ms’ Roles feature.
   • RBAC is not available at the time this article was published but is actively in the process of being developed and implemented.

3. Enterprise Authentication:

   The feature is unavailable at the time of writing.

4. End-to-End Encryption:

   Transmissions are encrypted from peer to server and server to peer. The server is a private entity that cannot be accessed by unauthorized personnel, rendering all sessions and recordings immune from undesirable access and usage.

5. Privacy & Encryption of Recordings:

   Call recordings are encrypted during transmission and in storage. In other words, customers can expect encryption at rest and at transmission.

6. Audit Trails:

   The feature is not available at the time of writing. However, like RBAC, it is in the process of being developed and implemented.

---

Compliance & Security Comparison Table

COMPLIANCE & SECURITY	Agora	Twilio	Jitsi	Zoom	100ms
Certifications	SOC 2 ✓  GDPR ✓  HIPAA ✓ ISO/IEC 27001 ✓  CCPA ✓ COPPA ✓	AICPA SOC 2 ✓ GDPR ✓  HIPAA ✓ ISO/IEC 27001 ✓  CCPA × COPPA ×	SOC 2 ×  GDPR ✓  HIPAA ✓ ISO/IEC 27001 ×  CCPA × COPPA ×	SOC 2 Type II ✓  GDPR ✓  HIPAA ✓  ISO/IEC 27001 ✓  CCPA × COPPA ×	SOC 2 (Type I & Type II) ✓  GDPR ×  HIPAA ✓  ISO/IEC 27001 × CCPA ×  COPPA ×
Access Control	✓	✓	✓	✓	✓  RBAC ×
Enterprise Authentication	?	✓	?	✓	×
E2E Encryption	In limited instances ✓	In Peer-to-Peer Rooms ✓	✓	In limited use cases ✓	Peer to server, and server to peer ✓
Privacy of Recordings	✓	✓	?	✓	✓
Audit Trails	✓	✓	?	✓	×