Your security and privacy are important to us
Your data and calls are private and protected. We accomplish this by integrating security practices across our infrastructure, vendors, employee operations, and internal policies.
Industry-standard compliance
HIPAA
We’ve built one of the strongest compliant implementations of HIPAA within our services. We take the responsibility of compliant integration away from our customers to ensure smooth integration.
SOC2 Type II
We comply with the Service Organization Controls Trust Services Criteria set by the AICPA. 100ms has a SOC 2 Type II attestation for Security, Confidentiality, and Availability. The audit report is available on request, under an NDA.
Built with security as a priority
100ms is engineered to be secure from the ground up. We’ve taken extra care in every server we’ve set up, every permission level that has been shared, and each functionality we’ve built.
Secure calls and infrastructure
100ms’ production infrastructure is hosted on multiple secure cloud services platforms, including Google Cloud Platform (GCP) and Amazon Web Services (AWS).
Encryption
All audio, video, and screen-sharing media is transmitted encrypted using the Secure Real-time Transport Protocol (SRTP), which is encrypted over Datagram Transport Layer Security (DTLS) with AES 256-bit encryption. All of 100ms’ video and audio calls are encrypted to and from 100ms’ SFU servers.
Data Storage and Protection
100ms never stores or records audio-video or data streams unless the client explicitly asks 100ms to store recordings. In the most common configuration, recordings are uploaded directly to the customer’s storage bucket. Any data stored with 100ms is encrypted in transit and at rest.
JWT Tokens and Room Permissions
Connections to 100ms rooms are secured with JWT tokens and room permissions. Customers can create roles and tokens with access controls to ensure only authorized people can join a call. Tokens support TTLs.
Data Residency
Our customers have the option to choose where their data is stored. We have core databases set up in the United States of America, Europe and India.
Above and beyond
We go the extra mile (or maybe a couple) in making sure what we’ve built is secure, compliant and bulletproof.
Regular Automated and Manual Vulnerability and Penetration Testing (VAPT)
We have implemented an exhaustive list of security controls including technical safeguards like penetration testing by multiple independent security firms, vulnerability scans and encryption.
Private Bug Bounty Program
We have a private bug bounty program hosted on HackerOne where we invite security researchers to test and penetrate assets across our platform infrastructure, SDKs, APIs and website.
Strict Security Policies and Protocols
All 100ms staff are rigorously screened with background checks, granted only essential system access for the purpose of their duties, and receive annual training in security protocols, incident response, and disaster recovery planning.
Active Compliance
Regular Vendor Security Assessments
We do regular security assessments of our vendors and have signed agreements for the same. We provide the same service to our customers on request.
Help us stay secure
Responsible Security Disclosure
Learn how to report platform vulnerabilities, bugs, data breaches and leaks, and other security issues responsibly.
Frequently asked questions
All of 100ms’ video and audio calls are encrypted over DTLS to and from 100ms’ SFU servers.
Security Center
Learn more about different security and compliance practices within 100ms and the industry.
A Primer on HIPAA Compliance
Understand what HIPAA compliance is, who it applies to and its key guiding principles.