Data Storage & Security
We take data privacy and security very seriously at Whereby, and we've taken measures to ensure your data is stored in a secure way. Additionally, we're fully GDPR compliant and have systems in place so you can see how your data is used or export any data Whereby is storing for you. Below we've laid out some common questions we get about data security with answers on the steps we've taken. If you don't see the question you're looking for, feel free to reach out to us at email@example.com!
Is Whereby a Data Processor?
At Whereby, we decide what data we collect from users and the purpose of processing. This, according to the definitions in GDPR, defines us as a Data Controller, and not a Data Processor with regards to our users. It is therefore not relevant for us to offer a Data Processing Agreement to individual customers.
This is clearly defined in GDPR Article 1 "Definitions"
Point 7: ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
Point 8: processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Since our Free and Pro plans are only offered to individuals and we do not enter into a corporate commercial agreement where your company instructs us to process personal information for you, every individual user of Whereby will be the data subject in the case where they sign up for an account with us, the Data Controller. A Data Processor is someone who only processes data on the Data Controller's requests and instructions, and within strictly defined purposes, e.g. a hosting provider.
"This policy applies where we are acting as a Data Controller with respect to the personal data of users of our Services; in other words, where we determine the purposes and means of the processing of that personal data. For content and data that you upload to or make available through the Service (“User Content”), you are responsible for ensuring this content is in accordance with our Terms of Service, and that the content is not violating other users’ privacy."
Regarding information that you choose to upload or share through Whereby, our Terms of Service state:
"You are responsible for your use of the Whereby, including the lawfulness of any content displayed, shared, uploaded or otherwise made available by you in the Service (“the User Content”). User Content includes room names, and you are responsible for ensuring room names does not include Prohibited User Content (as listed below). Your room names are used to construct the URLs identifying your rooms, and guests you invite and other third parties can (request to) enter your rooms based on these URLs. As these guests do not need to authenticate to Whereby in order to do this, please be aware that room names must be considered public information. Do not include information that you do not want to make public in room names."
How is my communication in Whereby secured?
The video and audio communication in a Whereby room is only visible to participants inside a room. It's not possible for another user to listen in on room data unless they are present in the room themselves (which means they would be visible to everyone in the room). Because the room URL is a public URL, it's possible for anyone who can guess a room name to enter an open room. If you want to prevent others from coming into the conversation, we recommend locking the room by clicking the Lock button in the room menu. After doing this no new participants will be able to enter the room without the owner's permission. This is thanks to the Knock feature, where a user can ask to be let in, and the owner can the let them in or stop them from joining.
All communication between your browser and Whereby is transmitted over an encrypted connection (HTTPS using TLS). Real time messaging is done using encrypted WebSockets or polling using HTTPS. Video and audio transmitted in the service is sent directly between the participants in a room and is encrypted (DTLS-SRTP) with client-generated encryption keys. In some cases, due to NAT/firewall restrictions, the encrypted data content will be relayed through our server. We take pride in collecting and storing as little user data as possible in the service. No audio or video is ever stored on our servers. Chat history needs to be stored to be distributed across clients.
To control the room, we recommend Creating it so you become the owner of the room. As the owner you can keep the room locked at all times, so no one else can enter it.
As for saving data, we store as a little as possible about the user. Our main goal is to create a service that is fast and reliable, but also easy for new users to get started with as little information as possible. Basically, the only thing we are going to know about you is what you voluntarily tell us (e-mail address if you choose to create a room or sign up for Pro, background pictures/content for the room, etc). No video or audio is ever saved on our servers. Finally, we don't partner with third-party vendors and sell user information for targeted marketing. We believe we are part of a team with our users and respect your privacy as any good team should. You can reference more of our security and privacy standards in our Terms of Service.
Who has my credit card details?
We use Stripe for our credit card processing and storage - specifically Stripe Payments Europe, Ltd. If you aren't familiar with Stripe, they are an extremely reliable, global payment processor that managed transactions for thousands of customers every day. Stripe is a PCI Service Provider Level 1, which is the strictest level of certification possible for a payment processor. They use high-level security to achieve this, and they're also GDPR compliant! You can read more about their security measures and them as a company at https://stripe.com/no/payments