Data Storage and Security


Whereby is built in Norway by privacy-friendly Europeans. As an ethically-ambitious company, we take your security seriously. We don’t sell or mine your data, which is stored securely in the EU, we’re GDPR-compliant, and all content is encrypted.

Because we're GDPR compliant we have systems in place so you can see how your data is used, delete your profile with all data, or export any data Whereby is storing about you. Below we've laid out some common questions we get about data security with answers on the steps we've taken. If you don't see the question you're looking for, feel free to reach out to us at legal@whereby.com.

How is my communication in Whereby secured?

Locking rooms 

The video and audio communication in a Whereby room is only visible to participants inside the room. It's not possible for another user to listen in on room data unless they are present in the room themselves (which means they would be visible to everyone in the room). Because the room URL is a public URL, anyone who can guess a room name can enter an open room that has a host present in it. If you want to prevent others from coming into the conversation, we recommend locking the room by clicking the Lock button in the room menu. If you are the owner of a room, you can keep the room locked at all times, so no one else can enter it. After doing this, no new participants will be able to enter the room without the owner's permission. This is thanks to the Knock feature, where a user can ask to be let in, and the owner can then let them in or stop them from joining.

Chat

Chat messages are not stored permanently. They pass temporarily through our server that connects the users in the call, in order to pass them on to each participant, but are deleted from the server as soon as they have been delivered to the participant's computer. Additionally, as each participant leaves the room, the chat messages that were stored locally on their computer are deleted.

Encryption and security

All communication between your browser and Whereby is transmitted over an encrypted connection (HTTPS using TLS). Real time messaging is done using encrypted WebSockets or polling using HTTPS. By default, rooms are set to Group call mode, and will use a dedicated server infrastructure for calls. With this infrastructure, streams will always be encrypted (DTLS-SRTP) in transit, but will be decrypted and re-encrypted when passing through the video routers. 

Users can also choose to use Small meeting mode if they wish to prioritize having end-to-end encryption over quality and stability. In “Small meeting” mode, communication between participants is primarily sent through peer-to-peer connections, where audio and video streams are sent directly between participants and do not pass through any of our servers. Video and audio transmitted in the Service is then sent directly between the participants in a room and is encrypted (DTLS-SRTP) with client-generated encryption keys. In cases where a user is behind a strict firewall or NAT, video and audio need to be relayed via a TURN server, but end-to-end encryption is still maintained.

We take pride in collecting and storing as little user data as possible in the service. No audio or video is ever stored on our servers. 

How we process media (audio/video)

We will never store any media sent between participants in a room. The "Recording" feature, which is available in the Pro and Business plans, only allows client-side recording, so the recording is never uploaded to our servers. The user who starts the recording (the user must be a host in a room to do this) is then responsible for getting consent from all participants in the meeting prior to starting the recording. They are also responsible for storing and processing the recording in compliance with regulations after downloading it from Whereby.

By default, rooms are set to our Group mode, which is available in all plans. Calls using the Group mode will use a dedicated server infrastructure to allow more people in the conversation and better stability. Your stream will be sent through video router servers, which transmit it to the other participants in the call and also transmit their streams to you. With this infrastructure, streams will always be encrypted (DTLS-SRTP) in transit, but will be decrypted and re-encrypted when passing through the video routers.

In Small mode, communication between participants is primarily sent through peer-to-peer connections, where audio and video streams are sent directly between participants and do not pass through any of our servers, in cases where this is allowed by the network the user is on. Video and audio transmitted in the Service is then sent directly between the participants in a room and is encrypted (DTLS-SRTP) with client-generated encryption keys. In cases where a user is behind a strict firewall or NAT (e.g. on a strict corporate network), video and audio need to be relayed via a TURN server, but end-to-end encryption is still maintained.
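The difference between the two modes described under "Encryption and security" and above can be observed in a WebRTC-style session description: DTLS-SRTP keys are bound to the certificate fingerprint carried in the remote SDP, so a TURN relay leaves that fingerprint as the peer's own, while a video router that decrypts and re-encrypts presents its own certificate. The following is an added example, not Whereby's code; the SDP fragments, fingerprints, addresses and function names are constructed, and it assumes the peer's fingerprint is learned over a separate trusted channel.

```javascript
// Added example. All SDP text, fingerprints and addresses are constructed.
const fp = (byte) => "sha-256 " + Array(32).fill(byte).join(":");
const PEER_FP = fp("A1");     // peer's DTLS certificate, learned out of band
const ROUTER_FP = fp("B2");   // certificate of an intermediary video router

const sdp = (fingerprint, candidate) => [
  "v=0",
  "m=audio 9 UDP/TLS/RTP/SAVPF 111",
  "a=setup:actpass",
  `a=fingerprint:${fingerprint}`,
  `a=candidate:${candidate}`,
].join("\r\n");

const HOST = "1 1 udp 2122260223 192.0.2.10 54321 typ host";
const RELAY = "2 1 udp 41885439 198.51.100.7 3478 typ relay raddr 192.0.2.10 rport 54321";
const directSdp = sdp(PEER_FP, HOST);    // peer-to-peer, direct path
const turnSdp = sdp(PEER_FP, RELAY);     // peer-to-peer, relayed via TURN
const routerSdp = sdp(ROUTER_FP, HOST);  // media terminated at a video router

const normalise = (s) => {
  const [alg, hex = ""] = s.trim().split(/\s+/);
  return `${alg.toLowerCase()} ${hex.toUpperCase()}`;
};

// Pull DTLS fingerprints and ICE candidate types out of a remote description.
function parseSdp(text) {
  const fingerprints = [], candidateTypes = [];
  for (const line of text.split(/\r?\n/)) {
    let m = /^a=fingerprint:(\S+\s+[0-9A-Fa-f:]+)\s*$/.exec(line);
    if (m) fingerprints.push(normalise(m[1]));
    m = /^a=candidate:.*\styp\s(host|srflx|prflx|relay)\b/.exec(line);
    if (m) candidateTypes.push(m[1]);
  }
  return { fingerprints, candidateTypes };
}

// terminatesAtPeer: the DTLS-SRTP keys are negotiated with the peer itself.
// relayOnly: every offered network path goes through a TURN relay.
function classifyMediaPath(remoteSdp, peerFingerprint) {
  const { fingerprints, candidateTypes } = parseSdp(remoteSdp);
  const expected = normalise(peerFingerprint);
  return {
    dtlsSrtp: fingerprints.length > 0,
    terminatesAtPeer: fingerprints.length > 0 && fingerprints.every((f) => f === expected),
    relayOnly: candidateTypes.length > 0 && candidateTypes.every((t) => t === "relay"),
  };
}
```

For `turnSdp` the result has `relayOnly` and `terminatesAtPeer` both true, which is the relayed-but-still-end-to-end case; for `routerSdp`, `dtlsSrtp` is true but `terminatesAtPeer` is false.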

Where our servers are located

We operate a global infrastructure of video routers distributed across the world, and users will be automatically routed to the closest available one. This means that, for example, users in a European country will connect to a data center physically located within the EEC. The video router servers and all of our infrastructure adhere to strict security measures, preventing any eavesdropping or interruption of the video/audio streams. Media sent between participants in a room will not be stored. Hosting providers used to route video calls do not have the ability to access or control the data streams, nor is any transmission initiated by them. Data sent through Whereby is initiated by the customer, the customer selects the receiver of the transmission, and Whereby and its sub-contractors are not able to select or modify the information contained in the transmission, cf. GDPR Article 2 (4).

All user account data is stored in Ireland. You can see a full overview of the types of data that are being processed and stored, with the legal reasons for each category, in our Privacy Policy or Data Processing Agreement (PDF).

Privacy 

We at Whereby are committed to safeguarding the privacy of our users. Our business model is to provide a paid service to users who need additional features on top of the Free version, and it does not rely on widespread collection of general user data. We will only collect and process information that we need to deliver the service to you, and to continue to maintain and develop the service.

Whereby may collect, store and process various kinds of data, with different legal grounds, as listed in our Privacy Policy. For the categories of data that require your consent, we will actively ask you for consent before collecting any data. You can give and revoke your consents at any time in your Profile page in your account. Here you can also download a JSON file with the information we have stored about you, and delete your user account with all data. 

You can reference more of our security and privacy standards in our Terms of Service.

GDPR

Is Whereby a Data Processor?

For customers on our Free plan, we decide what data we collect from users and the purpose of processing. This, according to the definitions in GDPR, defines us as a Data Controller, and not a Data Processor with regards to our Free users. It is therefore not relevant for us to offer a Data Processing Agreement to individual customers. 

This is clearly defined in GDPR Article 1 "Definitions"

Point 7:  ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Point 8: ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Since our Free plan is only offered to individuals and we do not enter into a corporate commercial agreement where your company instructs us to process personal information for you, every individual user of Whereby will be the data subject in the case where they sign up for an account with us, the Data Controller. A Data Processor is someone who only processes data on the Data Controller's requests and instructions, and within strictly defined purposes, e.g. a hosting provider. 

Our Privacy Policy states the following: 

"This policy applies where we are acting as a Data Controller with respect to the personal data of users of our Services; in other words, where we determine the purposes and means of the processing of that personal data. For content and data that you upload to or make available through the Service (“User Content”), you are responsible for ensuring this content is in accordance with our Terms of Service, and that the content is not violating other users’ privacy."

Regarding information that you choose to upload or share through Whereby, our Terms of Service state: 

"You are responsible for your use of the Whereby, including the lawfulness of any content displayed, shared, uploaded or otherwise made available by you in the Service (“the User Content”). User Content includes room names, and you are responsible for ensuring room names does not include Prohibited User Content (as listed below). Your room names are used to construct the URLs identifying your rooms, and guests you invite and other third parties can (request to) enter your rooms based on these URLs. As these guests do not need to authenticate to Whereby in order to do this, please be aware that room names must be considered public information. Do not include information that you do not want to make public in room names."

Data Processing Agreement (DPA)

For our paying customers, we offer a Data Processing Agreement. These plans allow companies and organizations to set up team accounts, so an admin user can import the emails of other employees when inviting them (which constitutes Personally Identifiable Information). We have a Data Processing Agreement (DPA) as part of our Terms of Service for all our paying customers.

From 15th February 2022, an updated version of the DPA applies to our Embedded customers. For transparency reasons, we have decided to keep the older versions available for our customers:

DPA Spring 2021

Old DPA


Who has my credit card details?

We use Stripe and Chargebee for our credit card processing and storage. Both are extremely reliable, global payment processors that manage transactions for thousands of customers every day. Both companies are PCI Service Provider Level 1, which is the strictest level of certification possible for a payment processor, and use high-level security to achieve this. They are also GDPR compliant. You can read more about both companies' security measures here: