Data Processing Addendum
How we process data with LiveKit's cloud-managed service.
Last Updated: 10/25/2025
This Data Processing Addendum (the "Addendum") forms part of, and is subject to, the Terms of Service or other written or electronic terms of service or subscription agreement between LiveKit Incorporated ("LiveKit") and the legal entity defined as 'Customer' thereunder together with all Customer affiliates ("Affiliates") who are signatories to an Order Form for their own LiveKit account pursuant to such agreement (collectively, for purposes of this Addendum, "Customer", and together with LiveKit, the "parties") (such agreement, the "Agreement").
This Addendum shall be effective on the effective date of the Agreement (the "DPA Effective Date"). All capitalized terms not defined in this Addendum shall have the meanings set forth in the Agreement.
I. Introduction
1. Definitions
"Applicable Data Protection Law" refers to all privacy laws and regulations applicable to LiveKit's processing of Personal Data under the Agreement, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("EU GDPR"); the UK GDPR as defined by section 205(4) of the UK Data Protection Act 2018 ("UK GDPR"); the UK Data Protection Act 2018; U.S. Privacy Laws, and any implementing regulation thereof of any jurisdiction, and all other applicable data protection laws of the EU and UK, each as applicable, in each case as amended, updated or replaced from time to time.
"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
"Customer Account Data" means Personal Data that relates to Customer's relationship with LiveKit, including the names or contact information of individuals authorized by Customer to access Customer's account.
"Customer Content" means, collectively, Developer Application Data, User Content, Inference Data, and Observability Data, to the extent that such data comprises Personal Data.
"Data Subject Rights" means Data Subjects' rights to information, access, rectification, erasure, restriction, portability, objection, the right to withdraw consent, and the right not to be subject to automated individual decision-making in accordance with Applicable Data Protection Law.
"Developer Application Data" means Customer's source code, binaries, and uploaded application files (including hosted agents) submitted for hosting by LiveKit.
"Inference Data" means model inputs (including prompts, parameters, or media snippets), related metadata, and resulting outputs or responses transmitted through LiveKit's Inference services.
"International Data Transfer" means any disclosure of Personal Data by an organization subject to Applicable Data Protection Law to another organization located outside the EEA, the UK, or Switzerland.
"Observability Data" means logs, traces, error/latency metrics, and limited audio, video, or text snippets generated by the Services in connection with observability features.
"Operational Metrics" means telephone records, usage statistics, and other operational data automatically generated by the Services.
"Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
"Processor" means the entity which Processes Personal Data on behalf of the Controller.
"processing" (and "process") means any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
"Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Content transmitted, stored or otherwise processed by LiveKit.
"Sensitive Data" means information or combinations of information that falls within the definition of "special categories of data" under the UK GDPR.
"Services" means the products and services provided by LiveKit or its Affiliates, as applicable, that are (a) used by Customer, including, without limitation, products and services that are on a trial basis or otherwise free of charge or (b) ordered by Customer under an Order Form. Services include products and services that provide both (x) platform services, including access to any application programming interface ("LiveKit API") and (y) where applicable, communications services used in connection with the LiveKit APIs.
"Sub-processor" means (a) LiveKit, when LiveKit is processing Customer Content and where Customer is a Processor of such Customer Content or (b) any third-party Processor engaged by LiveKit to process Customer Content in order to provide the Services to Customer.
"Third-Party Request" means any request, correspondence, inquiry, or complaint from a Data Subject, regulatory authority, or third party.
"Third-Party Controller" means a Controller for which LiveKit is a Processor; and
"U.S. Privacy Laws" means, collectively, all U.S. federal and state privacy laws and their implementing regulations, as amended or superseded from time to time, that apply generally to the processing of Personal Data and that do not apply solely to specific industry sectors (e.g., financial institutions), specific demographics (e.g., children), or specific classes of information (e.g., health information). U.S. Privacy Laws include, but are not limited to, the following:
1.1.1. California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 ("CCPA");
1.1.2. Colorado Privacy Act;
1.1.3. Connecticut Personal Data Privacy and Online Monitoring Act;
1.1.4. Delaware Personal Data Privacy Act;
1.1.5. Indiana Consumer Data Protection Act;
1.1.6. Iowa Consumer Data Protection Act;
1.1.7. Kentucky Consumer Data Protection Act;
1.1.8. Maryland Online Data Privacy Act;
1.1.9. Minnesota Consumer Data Privacy Act;
1.1.10. Montana Consumer Data Privacy Act;
1.1.11. Nebraska Data Privacy Act;
1.1.12. New Hampshire Act Relative to the Expectation of Privacy;
1.1.13. New Jersey Act Concerning Online Services, Consumers, and Personal Data;
1.1.14. Oregon Consumer Privacy Act;
1.1.15. Rhode Island Data Transparency and Privacy Protection Act;
1.1.16. Tennessee Information Privacy Act;
1.1.17. Texas Data Privacy and Security Act;
1.1.18. Utah Consumer Privacy Act; and
1.1.19. Virginia Consumer Data Protection Act.
"User Content" means information submitted or generated by Customer or its end users while using the Services, including communications (voice, video, text, images), model inputs and outputs, and session metadata.
"LiveKit Privacy Policy" means the privacy policy for the Services published by LiveKit and updated from time to time, the current version of which is available at https://livekit.io/legal/privacy-policy.
Capitalized terms not defined in this Section 1 will have the meaning given to them in this Addendum or the Agreement, as applicable.
II. Controller and Processor
2. Relationship of the Parties
2.1 Scope of this Addendum. This Addendum applies to the Processing of Personal Data by LiveKit as a Processor subject to Applicable Data Protection Law to provide the Services. The subject matter, nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects are set out in Schedule I, which is an integral part of this Addendum.
2.2 LiveKit as a Processor.
a. Customer is a Controller and appoints LiveKit as a Processor on behalf of Customer to process Customer Content. Customer is responsible for compliance with the requirements of Data Protection Law applicable to Controllers.
b. If Customer is a Processor on behalf of a Third-Party Controller, then Customer: is the single point of contact for Company; must obtain all necessary authorizations from such Third-Party Controller; and undertakes to issue all instructions and exercise all rights on behalf of such other Third-Party Controller.
2.3 LiveKit as a Controller. Customer acknowledges that LiveKit may process Personal Data as a Controller under Data Protection Laws, including in relation to Customer Account Data and Operational Metrics (including limited phone number metadata). LiveKit will process Customer Account Data and Operational Metrics as a Controller for purposes which include (a) managing the relationship with Customer; (b) carrying out LiveKit's core business operations, such as accounting and filing taxes; (c) detecting, preventing, or investigating security incidents, fraud, and other abuse or misuse of the Services; (d) providing, optimizing, and maintaining the Services, platform, and security; (e) performing identity verification; and (f) complying with applicable law or regulation or as otherwise permitted under Applicable Data Protection Law and otherwise in accordance with the LiveKit Privacy Policy.
For the avoidance of doubt, this Addendum only applies to the processing of Personal Data by LiveKit as a Processor on behalf of Customer, except where it concerns International Data Transfers.
2.4 Responsibility for Affiliates. Customer shall be responsible for Affiliates' compliance with this Addendum and all acts and/or omissions by an Affiliate with respect to Customer's obligations in this Addendum shall be considered the acts and/or omissions of Customer. Affiliates shall not bring a claim directly against LiveKit. If an Affiliate seeks to assert a legal demand, action, suit, claim, proceeding or otherwise against LiveKit ("Affiliate Claim"): (i) Customer must bring such Affiliate Claim directly against LiveKit on behalf of such Affiliate, unless Applicable Data Protection Law requires the Affiliate be a party to such claim; and (ii) all Affiliate Claims shall be considered claims made by Customer and shall be subject to any liability restrictions set forth in the Agreement, including any aggregate limitation of liability.
2.5 Region Pinning. Where Customer configures the Services to use a specific geographic region (a "Pinned Region") through the LiveKit Cloud dashboard or API, LiveKit will process the following categories of Customer Content in the Pinned Region:
- Developer Application Data, to the extent necessary to host, execute, and maintain Customer's deployed applications or hosted agents;
- User Content, including audio, video, text, and session metadata transmitted through the Services, for purposes of real-time media transport, signaling, and delivery within the Pinned Region; and
- Inference Data, solely where Customer selects an Inference Provider that operates infrastructure within the same Pinned Region.
Region pinning limits the routing and processing of the above data categories to compute and network resources located within the designated Pinned Region. Region pinning does not provide cross-region failover; if the selected Pinned Region becomes unavailable, Services in that region may be disrupted until restored.
Customer acknowledges that certain other categories of Personal Data are not subject to region pinning:
- Observability Data, telemetry, and related logs are stored and processed in the United States regardless of the selected Pinned Region;
- where Customer selects an Inference Provider that operates outside the Pinned Region, the corresponding Inference Data will be transmitted to and processed by that provider in accordance with Customer's configuration and the Inference Provider's data-handling terms;
- Operational Metrics related to telephony (including SIP interconnects, call-detail records, and carrier metadata) may be subject to carrier-specific routing, processing, or retention requirements outside the Pinned Region; and
- beta, preview, or experimental features are provided "as is" and may not support region pinning. LiveKit makes no representation or warranty that such features will adhere to Customer's Pinned Region configuration.
For clarity, the categories of Personal Data LiveKit acts as a Controller of, as set out in our Privacy Policy from time to time, are not subject to Pinned Region constraints.
3. Compliance. Customer is responsible for ensuring that (a) it has complied, and will continue to comply, with Applicable Data Protection Law in its use of the Services and its own processing of Personal Data and (b) it has, and will continue to have, the right to transfer, or provide access to, Personal Data to LiveKit for processing in accordance with the terms of the Agreement and this Addendum.
III. LiveKit as a Processor - Processing Customer Content
4. Customer Instructions. Customer appoints LiveKit as a Processor to process Customer Content on behalf of, and in accordance with, Customer's instructions as set forth in the Agreement, this Addendum, and any applicable statement of work ("Permitted Purposes").
4.1 Lawfulness of Instructions. Customer will ensure that its instructions comply with Applicable Data Protection Law. Customer acknowledges that LiveKit is neither responsible for determining which laws or regulations are applicable to Customer's business nor whether LiveKit's provision of the Services meets or will meet the requirements of such laws or regulations. Customer will ensure that LiveKit's processing of Customer Content, when done in accordance with Customer's instructions, will not cause LiveKit to violate any applicable law or regulation, including Applicable Data Protection Law. LiveKit will inform Customer if it becomes aware, or reasonably believes, that Customer's instructions violate any applicable law or regulation, including Applicable Data Protection Law.
4.2 Additional Instructions. Customer may reasonably issue additional instructions as necessary to comply with applicable law or regulation, including Applicable Data Protection Law and as otherwise agreed in writing between the parties. Additional instructions outside the scope of the Agreement or this Addendum will be agreed to between the parties in writing, including any additional fees that may be payable by Customer to LiveKit for carrying out such additional instructions.
5. Confidentiality
5.2 Confidentiality Obligations of LiveKit Personnel. LiveKit will ensure that any person it authorizes to process Customer Content (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
6. Sub-processors
6.1 Authorization for Onward Sub-processing. Customer provides a general authorization for LiveKit to engage Sub-processors. A list of LiveKit's current Sub-processors is in https://livekit.io/legal/sub-processors. LiveKit agrees to impose contractual data protection obligations on any sub-processor it appoints that require such Sub-processor to protect Customer Content as required by Applicable Data Protection Law. LiveKit will remain liable for any breach of this Addendum that is caused by an act, error, or omission of its Sub-processors.
6.2 Current Sub-processors and Notification of Sub-processor Changes. Customer authorizes LiveKit to engage Sub-processors to process Customer Content within the Services for the Permitted Purposes provided that LiveKit maintains an up-to-date list of its Sub-processors at https://livekit.io/legal/sub-processors, which contains a mechanism for Customer to subscribe to notifications of new sub-processors. If Customer subscribes to such notifications, LiveKit will provide details of any change in Sub-processors as soon as reasonably practicable. With respect to LiveKit's Sub-processors, LiveKit will give written notice no less than ten (10) days prior to any such change.
6.3 Objection Right for new Sub-processors. Customer may object to LiveKit's appointment or replacement of a Sub-processor prior to its appointment or replacement, provided such objection is in writing and based on reasonable grounds relating to data protection. In such an event, the parties agree to discuss commercially reasonable alternative solutions in good faith. Customer acknowledges that certain Sub-processors are essential to providing the Services and that objecting to the use of a Sub-processor may prevent LiveKit from continuing to offer the Services to Customer. Such discontinuation will be without prejudice to any fees incurred by Customer prior to the discontinuation of the affected Services. If no objection has been raised within the ten (10) day period mentioned in Section 6.2, LiveKit will deem Customer to have authorized the new Sub-processor.
7. Data Subject Rights. Taking into account the nature of the Processing, and the information available to LiveKit, LiveKit will assist Customer to comply with requests to exercise Data Subject Rights. As part of the Services, LiveKit provides Customer with a number of self-service features, including the ability to delete, obtain a copy of, or restrict access to Customer Content. Customer may use these self-service features to assist in complying with its obligations under Applicable Data Protection Law with respect to responding to requests from Data Subjects via the Services at no additional cost. To the extent Customer does not have the ability to resolve a Data Subject request through the self-service features, upon Customer's request, LiveKit will provide reasonable additional and timely assistance to assist Customer in complying with its data protection obligations with respect to Data Subject Rights.
8. Impact Assessments and Consultations. LiveKit will provide reasonable cooperation to Customer in connection with any data protection impact assessment (at Customer's expense only if such reasonable cooperation will require LiveKit to assign significant resources to that effort) or consultations with regulatory authorities that may be required in accordance with Applicable Data Protection Law.
9. Return or Deletion of Customer Content. LiveKit will, in accordance with Section 3 (Duration of the Processing) of Schedule 1 (Details of Processing) of this Addendum, delete or return to Customer any Customer Content stored within the Services.
9.1 Retention Required by Law. Notwithstanding anything to the contrary in this Section 9, LiveKit may retain Customer Content, or any portion of it, if required by applicable law or regulation, including Applicable Data Protection Law, provided such Customer Content remains protected in accordance with the terms of the Agreement, this Addendum, and Applicable Data Protection Law.
IV. Security and Audits
10. Security
10.1 Security Measures. LiveKit has implemented and will maintain the technical and organizational security measures as set forth in the LiveKit Security Overview document available at https://livekit.io/legal/security. Additional information about LiveKit's technical and organizational security measures to protect Customer Content is set forth in Schedule 2 (Technical and Organizational Security Measures) of this Addendum.
10.2 Determination of Security Requirements. Customer is responsible for reviewing the information LiveKit makes available regarding its data security, including its audit reports, and making an independent determination as to whether the Services meet the Customer's requirements and legal obligations, including its obligations under Applicable Data Protection Law. Customer is further responsible for properly configuring the Services and using features and functionalities made available by LiveKit to maintain appropriate security in light of the nature of Customer Content processed as a result of Customer's use of the Services.
10.3 Security Incident Notification and Response. LiveKit will provide notification of a Security Incident in the following manner:
(a) LiveKit will, to the extent permitted by applicable law, notify Customer without undue delay, but in no event later than seventy-two (72) hours after LiveKit's discovery of a Security Incident impacting Customer Content of which LiveKit is a Processor;
(b) LiveKit will notify Customer of any Security Incident via email to the email address(es) designated by Customer in Customer's account.
LiveKit will make reasonable efforts to identify a Security Incident, and to the extent a Security Incident is caused by LiveKit's violation of this Addendum, remediate the cause of such Security Incident. LiveKit will provide reasonable assistance to Customer in the event that Customer is required under Applicable Data Protection Law to notify a regulatory authority or any Data Subjects impacted by a Security Incident.
LiveKit's obligation to respond to a Security Incident under this Section 10.3 will not be construed as an acknowledgement by LiveKit of any fault or liability with respect to such Security Incident.
11. Audits. The parties acknowledge that Customer must be able to assess LiveKit's compliance with its obligations under Applicable Data Protection Law and this Addendum, insofar as LiveKit is acting as a Processor on behalf of Customer.
11.1 LiveKit's Audit Program. LiveKit uses external auditors to verify the adequacy of its security measures with respect to its processing of Customer Content. Such audits are performed at least once annually at LiveKit's expense by independent third-party security professionals at LiveKit's selection and result in the generation of a confidential audit report ("Audit Report").
11.2 Customer Audit. Upon Customer's reasonable written request, and subject to reasonable confidentiality controls, LiveKit will make available to Customer a copy of LiveKit's most recent Audit Report. To the extent that LiveKit's provision of an Audit Report does not provide sufficient information or Customer is required to respond to a regulatory authority audit, Customer agrees to a mutually agreed-upon audit plan with LiveKit that: (a) ensures the use of an independent third party; (b) provides written notice to LiveKit in a timely fashion; (c) requests access only during business hours and requires that the audit be conducted in a manner that causes minimal disruption; (d) accepts billing to Customer at LiveKit's then-current rates; (e) occurs no more than once annually; (f) restricts its findings to only data relevant to Customer; and (g) obligates Customer, to the extent permitted by law or regulation, to keep confidential any information gathered that, by its nature, should be confidential.
V. International Provisions
12. Jurisdiction Specific Terms. To the extent LiveKit processes Personal Data originating from and protected by Applicable Data Protection Law in one of the jurisdictions listed in Schedule 4 (Jurisdiction Specific Terms) of this Addendum, the terms specified in Schedule 4 with respect to the applicable jurisdiction(s) apply in addition to the terms of this Addendum.
13. Cross Border Data Transfer Mechanisms for Data Transfers. To the extent Customer's use of the Services requires an onward transfer mechanism to lawfully transfer Personal Data from a jurisdiction (i.e., the European Economic Area, the United Kingdom, Switzerland, or any other jurisdiction listed in Schedule 4 (Jurisdiction Specific Terms) of this Addendum) to LiveKit located outside of that jurisdiction ("Transfer Mechanism"), the terms set forth in Schedule 3 (Cross Border Transfer Mechanisms) of this Addendum will apply.
VI. Miscellaneous
14. Liability. Notwithstanding anything to the contrary in the Agreement or this Addendum:
Each party's and all of its Affiliates' liability, taken together in the aggregate, arising out of or relating to this Addendum, the EU Standard Contractual Clauses, and any other data protection agreements in connection with the Agreement (if any), shall be subject to any aggregate limitations on liability set out in the Agreement. Without limiting the parties' obligations under the Agreement, each party agrees that any regulatory penalties incurred by one party (the "Incurring Party") in relation to the Customer Content that arise as a result of, or in connection with, the other party's failure to comply with its obligations under this Addendum or any Applicable Data Protection Law shall count toward and reduce the Incurring Party's liability under the Agreement as if it were liability to the other party under the Agreement.
Neither party will be responsible for any fines issued or levied under Applicable Data Protection Law against the other party by a regulatory authority or governmental body in connection with such other party's violation of the Applicable Data Protection Law.
15. Cooperation and Data Subject Rights. In the event that either party receives any Third-Party Request relating to the processing of Customer Account Data or Operational Metrics conducted by the other party, such party will promptly inform such other party in writing. The parties agree to cooperate, in good faith, as necessary to respond to any Third-Party Request and fulfill their respective obligations under Applicable Data Protection Law.
16. Conflict. In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) the applicable terms set forth in Schedule 4 (Jurisdiction Specific Terms) of this Addendum; (2) the terms of this Addendum outside of Schedule 4 (Jurisdiction Specific Terms); (3) the Agreement; and (4) the LiveKit Privacy Policy. Any claims brought in connection with this Addendum will be subject to the terms and conditions, including, without limitation, the exclusions and limitations set forth in the Agreement.
17. Updates. LiveKit may, from time to time, update the terms of this Addendum. The page at which this Addendum is published contains a mechanism for Customer to subscribe to notifications of updates. If Customer subscribes to such notifications, LiveKit will provide notice at least thirty (30) days in advance when an update is required as a result of (a) changes in Applicable Data Protection Law; (b) a merger, acquisition, or other similar transaction; or (c) the release of new products or services or material changes to any of the existing Services. The then-current terms of this Addendum are available at https://livekit.io/legal/data-processing-addendum.
SCHEDULE 1
DETAILS OF PROCESSING
The following table describes the categories of data processed by LiveKit, the purposes of processing, the processing activities performed, the duration of processing, and the categories of data subjects.
| SCC modules | Category of Data | Purpose of Processing | Processing Activities | Duration / Retention | Data Subjects |
|---|---|---|---|---|---|
| Modules 2 and 3 | Developer Application Data | Provide hosting and execution of Customer's applications and agents. | Storage, execution, containerization, deployment, debugging. | Retained until Customer deletes hosted agents or terminates the Service, unless a longer retention is required to comply with applicable laws. | Customer personnel. |
| Modules 2 and 3 | User Content | Transmit and deliver communications (voice, video, text, images, model inputs/outputs) between end users. | Routing, delivery, encryption, transient storage for quality of service. | Deleted after delivery, except where required by law, or where Customer enables recording or logging. | Customer end users. |
| Modules 2 and 3 | Inference Data | Generate outputs from third-party inference/model providers. | Transmission of prompts/inputs and return of outputs; transient caching; optional logging. | Ephemeral except transient caching/fraud checks or Customer-enabled logging. | Customer personnel and end users. |
| Modules 2 and 3 | Observability Data | Provide monitoring, debugging, analytics, and performance insights. | Collection of logs, traces, transcripts, error/latency metrics; session-level telemetry. | Retained up to 60 days by default from the date of collection unless Customer requests earlier deletion; backups may persist up to 30 additional days. | Customer personnel and end users. |
| Module 1 | Operational Metrics | Provide and improve service reliability; meet telecom obligations. | Generation of usage logs, call detail records, telecom metadata, system metrics. | Retained 12 months from the date of collection (or longer if required by law or carrier rules). | Customer personnel and end users. |
| Module 1 | Customer Account Data | Manage billing, account administration, support, compliance. | Collection of account details, billing, support logs, credentials. | Retained for the life of the account + up to 30 days after closure; longer where required for tax, audit, or compliance with applicable laws. | Customer personnel. |
Sensitive Data may, from time to time, be processed via the Services where Customer or its end users choose to include Sensitive Data within the communications that are transmitted using the Services. Customer is responsible for ensuring that suitable safeguards are in place prior to transmitting or processing, or prior to permitting Customer's end users to transmit or process any Sensitive Data via the Services.
SCHEDULE 2
TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
Where applicable, this Schedule 2 will serve as Annex II to the EU Standard Contractual Clauses and Appendix 2 of the UK SCCs. The following table provides more information regarding the technical and organizational security measures set forth below.
| Technical and Organizational Security Measure | Evidence of Technical and Organizational Security Measure |
|---|---|
| Measures of pseudonymization and encryption of Personal Data | LiveKit assigns randomly-generated identifiers to all participants in a session. All session metadata references these generated identifiers. Telemetry data is encrypted at rest. |
| Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | LiveKit manages redundant service components to prevent single points of failure at each level, including databases, media servers, network components, and physical data centers. In the event of a component failure, applications and services are designed to recover automatically. |
| Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident | Backups of all databases are created automatically. Data restoration is performed manually according to procedures for each database. |
| Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing | LiveKit maintains SOC2 certification including regular audits and penetration testing. LiveKit operates a public bug bounty program at https://docs.livekit.io/security/policy/. |
| Measures for user identification and authorization | LiveKit requires individual user accounts with multi-factor authentication for administrative access to cloud systems. Access is granted on the basis of the minimum necessary level required to perform job duties. |
| Measures for the protection of data during transmission | All data transmitted over the Internet is encrypted. In compliance with WebRTC standards, realtime session data is encrypted using DTLS-SRTP. Other data is encrypted using TLS. |
| Measures for the protection of data during storage | All database backups and session telemetry are encrypted at rest. Payment-related data is stored by a PCI Level-1 service provider. |
| Measures for ensuring physical security of locations at which Personal Data are processed | Physical processing locations are hosted and secured by LiveKit's cloud infrastructure providers: Google Cloud Platform, Amazon Web Services, Linode, and Digital Ocean. |
| Measures for ensuring events logging | LiveKit securely logs events in Datadog. |
| Measures for ensuring system configuration, including default configuration | LiveKit uses Infrastructure as Code principles to maintain cloud resources. Cloud resources are provisioned, configured, and maintained using Terraform and Zeet. |
| Measures for internal IT and IT security governance and management | LiveKit uses Vanta to manage and automate adherence to IT and security policies. |
| Measures for certification/assurance of processes and products | LiveKit maintains a SOC 2 Type II certification. |
| Measures for ensuring data minimization | LiveKit does not collect or store any Personal Data. Data for each session's participants is anonymized using randomly-generated identifiers. Customer may choose to assign a separate identifier for a session participant; however, LiveKit uses the generated identifier to relate all data. |
| Measures for ensuring data quality | LiveKit maintains an engineering team which implements and improves the quality of all session and telemetry data. |
| Measures for ensuring limited data retention | Telemetry data is automatically purged after its configured retention period. |
| Measures for ensuring accountability | LiveKit ensures accountability to defined policies using Vanta, which monitors compliance and tracks employee acknowledgement of policies and updates. Training in security awareness and privacy practices is provided annually to all employees. |
| Measures for allowing data portability and ensuring erasure | LiveKit accepts requests for data transfers and/or erasure via its support team at [email protected] or security team at [email protected]. |
| Technical and organizational measures of sub-processors | LiveKit enters into Data Processing Agreements with its Authorized Sub-Processors with data protection obligations substantially similar to those contained in this DPA. |
SCHEDULE 3
CROSS BORDER DATA TRANSFER MECHANISMS
1. Definitions
"Data Privacy Framework" means the self-regulatory framework administered by the U.S. Department of Commerce in accordance with the European Commission's adequacy decision of July 10, 2023, pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation) on the adequacy of the protection provided by the EU-U.S. Data Privacy Framework. This framework governs the adequacy of data transfers from the European Union to the United States, replacing the previous EU-U.S. Privacy Shield. The Data Privacy Framework also includes the UK Extension to the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework as approved by the Swiss Federal Council, as applicable, and may be amended or replaced from time to time.
"EEA" means the European Economic Area.
"EU Standard Contractual Clauses" means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as amended or replaced from time to time.
"UK International Data Transfer Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022.
2. Cross Border Data Transfer Mechanisms.
2.1 Personal Data Transfers. Customer hereby authorizes LiveKit to perform International Data Transfers to any country deemed to have an adequate level of data protection by the European Commission or the competent authorities, as appropriate; on the basis of adequate safeguards in accordance with Data Protection Law; the Data Privacy Framework referred to in Section 2.3; or pursuant to the EU Standard Contractual Clauses and the UK International Data Transfer Addendum referred to in Sections 2.4 and 2.5.
2.2 Order of Precedence. In the event the Services are covered by more than one Transfer Mechanism, the transfer of Personal Data will be subject to a single Transfer Mechanism in accordance with the following order of precedence: (a) the Data Privacy Framework; (b) the EU Standard Contractual Clauses as set forth in Section 2.4 (EU Standard Contractual Clauses) of this Schedule 3 or the UK International Data Transfer Addendum as set forth in Section 2.5 (UK International Data Transfer Addendum) of this Schedule 3, as applicable; and, if neither (a) nor (b) is applicable, then (c) other applicable data Transfer Mechanisms permitted under Applicable Data Protection Law.
2.3 Data Privacy Framework. To the extent LiveKit processes Personal Data that is covered by the Data Privacy Framework certification:
LiveKit will provide at least the same level of privacy protection as required by the Data Privacy Framework principles;
LiveKit will notify Customer if it determines that it can no longer meet its obligation to provide at least the same level of protection as is required by the Data Privacy Framework, in which case Customer may take reasonable steps to stop and remediate unauthorized processing; and
Customer and LiveKit may provide a summary or a representative copy of the relevant privacy provisions of this agreement to the U.S. Department of Commerce upon request.
2.4 EU Standard Contractual Clauses. To the extent the Data Privacy Framework is invalidated, declared unenforceable, or otherwise rendered inapplicable for any reason, the parties agree that the EU Standard Contractual Clauses will apply to Personal Data that is transferred via the Services from the EEA or Switzerland, either directly or via onward transfer, to any country or recipient outside the EEA or Switzerland that is not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for Personal Data. For data transfers from the EEA that are subject to the EU Standard Contractual Clauses, the EU Standard Contractual Clauses will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:
(a) Module One (Controller to Controller) of the EU Standard Contractual Clauses will apply where Customer is a Controller of Customer Account Data or Operational Metrics, and Customer shares this data with LiveKit as a Controller.
(b) Module Two (Controller to Processor) of the EU Standard Contractual Clauses will apply where Customer is a Controller of Customer Content and shares this data with LiveKit to process as a Processor;
(c) Module Three (Processor to Processor) of the EU Standard Contractual Clauses will apply where Customer is a Processor of Customer Content and shares this data with LiveKit to process on behalf of Customer as a Sub-processor;
(d) For each Module, where applicable:
(i) in Clause 7 of the EU Standard Contractual Clauses, the optional docking clause will not apply;
(ii) in Clause 9 of the EU Standard Contractual Clauses, Option 2 will apply and the time period for prior written notice of Sub-processor changes will be as set forth in Section 7.2 (Current Sub-processors and Notification of Sub-processor Changes) of this Addendum;
(iii) in Clause 11(a) of the EU Standard Contractual Clauses, the optional language will not apply;
(iv) in Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by Irish law;
(v) in Clause 18(b) of the EU Standard Contractual Clauses, disputes will be resolved before the courts of Ireland;
(vi) in Annex I, Part A of the EU Standard Contractual Clauses:
Data Exporter:
Name: Customer
Contact details: The email address(es) designated by Customer in Customer's account.
Data Exporter Role: The Data Exporter's role is set forth in Section 2 (Relationship of the Parties) of this Addendum.
Signature and Date: By entering into the Agreement, Data Exporter is deemed to have signed these EU Standard Contractual Clauses incorporated herein, including their Annexes, as of the effective date of the Agreement.
Data Importer:
Name: LiveKit Incorporated
Contact details: LiveKit Privacy Team - [email protected]
Data Importer Role: The Data Importer's role is set forth in Section 2 (Relationship of the Parties) of this Addendum.
Signature and Date: By entering into the Agreement, Data Importer is deemed to have signed these EU Standard Contractual Clauses, incorporated herein, including their Annexes, as of the effective date of the Agreement;
(vii) in Annex I, Part B of the EU Standard Contractual Clauses:
The categories of Data Subjects are set forth in Schedule 1 (Details of Processing) of this Addendum.
The Sensitive Data transferred is set forth in Schedule 1 (Details of Processing) of this Addendum.
The frequency of the transfer is a continuous basis for the duration of the Agreement.
The nature of the processing is set forth in Schedule 1 (Details of Processing) of this Addendum.
The purpose of the processing is set forth in Schedule 1 (Details of Processing) of this Addendum.
The period for which the Personal Data will be retained is set forth in Schedule 1 (Details of Processing) of this Addendum.
For transfers to Sub-processors, LiveKit will maintain a list of authorized Sub-processors set forth at https://livekit.io/legal/sub-processors;
(viii) in Annex I, Part C of the EU Standard Contractual Clauses: The Irish Data Protection Commission will be the competent supervisory authority; and
(ix) Schedule 2 (Technical and Organizational Security Measures) of this Addendum serves as Annex II of the EU Standard Contractual Clauses.
2.5 UK International Data Transfer Addendum. The parties agree that the UK International Data Transfer Addendum will apply to Personal Data that is transferred via the Services from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is not recognized by the competent United Kingdom regulatory authority or governmental body for the United Kingdom as providing an adequate level of protection for Personal Data. For data transfers from the United Kingdom that are subject to the UK International Data Transfer Addendum, the UK International Data Transfer Addendum will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:
(a) In Table 1 of the UK International Data Transfer Addendum, the parties' details and key contact information are located in Section 2.4(d)(vi) of this Schedule 3.
(b) In Table 2 of the UK International Data Transfer Addendum, information about the version of the Approved EU SCCs, modules and selected clauses which this UK International Data Transfer Addendum is appended to is located in Section 2.4 (EU Standard Contractual Clauses) of this Schedule 3.
(c) In Table 3 of the UK International Data Transfer Addendum:
The list of Parties is located in Section 2.4(d)(vi) of this Schedule 3.
The description of the transfer is set forth in the section titled Nature and Purpose of the Processing of Schedule 1 (Details of the Processing).
Annex II is located in Schedule 2 (Technical and Organizational Security Measures).
The list of Sub-processors is located at https://livekit.io/legal/sub-processors.
(d) In Table 4 of the UK International Data Transfer Addendum, both the Importer and the Exporter may end the UK International Data Transfer Addendum in accordance with the terms of the UK International Data Transfer Addendum.
2.6 Conflict. To the extent there is any conflict or inconsistency between the EU Standard Contractual Clauses or UK International Data Transfer Addendum and any other terms in this Addendum, the provisions of the EU Standard Contractual Clauses or UK International Data Transfer Addendum, as applicable, will prevail.
SCHEDULE 4
JURISDICTION SPECIFIC TERMS
1. California:
Except as expressly permitted by Applicable Data Protection Law, LiveKit is prohibited from (i) Selling or Sharing personal information of California residents, (ii) retaining, using, or disclosing personal information of California residents for any purpose other than for the specific purpose of performing the Services specified in Schedule 1, (iii) retaining, using, or disclosing personal information of California residents outside of the direct business relationship between the parties, and (iv) combining personal information of California residents with personal information obtained from, or on behalf of, sources other than Customer, except as expressly permitted under Applicable Data Protection Law. For the avoidance of doubt, LiveKit is permitted to retain, use, and disclose personal information of California residents for product improvement purposes. All terms used but not defined in this Schedule 4, Section 1 shall have the meaning given to such terms under the CCPA.
2. Switzerland:
2.1 The definition of "Applicable Data Protection Law" includes the Swiss Federal Act on Data Protection, as revised (FADP).
2.2 To the extent that Personal Data transfers from Switzerland are subject to the EU Standard Contractual Clauses in accordance with Section 2.4 of Schedule 3 (Cross Border Data Transfer Mechanisms), the following amendments will apply to the EU Standard Contractual Clauses:
a. references to "EU Member State" and "Member State" will be interpreted to include Switzerland, and
b. insofar as the transfer or onward transfers are subject to the FADP:
(i) references to "Regulation (EU) 2016/679" are to be interpreted as references to the FADP;
(ii) the "competent supervisory authority" in Annex I, Part C will be the Swiss Federal Data Protection and Information Commissioner;
(iii) in Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by the laws of Switzerland; and
(iv) in Clause 18(b) of the EU Standard Contractual Clauses, disputes will be resolved before the courts of Switzerland.