Security Overview
An overview of the policies, procedures, controls and safeguards pertaining to LiveKit's products and services.
Last Updated: 06/10/2023
This LiveKit Security Overview ("Security Overview") is incorporated into and made a part of the Terms of Service or other written or electronic terms of service or subscription agreement (the "Agreement") between LiveKit Incorporated ("LiveKit") and the legal entity defined as 'Customer' thereunder together with all Customer Affiliates who are signatories to an Order Form for their own LiveKit account pursuant to such Agreement (collectively, for purposes of this Security Overview, "Customer", and together with LiveKit, the "parties"). All capitalized terms not defined in this Security Overview shall have the meanings set forth in the Agreement.
1. Definitions
"Services" means any services or application programming interfaces branded as "LiveKit".
2. Purpose. This Security Overview describes LiveKit's security program, security certifications, and technical and organizational security controls to protect (a) Customer Data from unauthorized use, access, disclosure, or theft and (b) the Services. As security threats change, LiveKit continues to update its security program and strategy to help protect Customer Data and the Services. As such, LiveKit reserves the right to update this Security Overview from time to time; provided, however, any update will not materially reduce the overall protections set forth in this Security Overview. The then-current terms of this Security Overview are available at https://livekit.io/legal/security. This Security Overview does not apply to any Services that are identified as alpha, beta, not generally available, limited release, developer preview, or any similar Services offered by LiveKit.
3. Security Organization and Program. LiveKit maintains a risk-based assessment security program. The framework for LiveKit's security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, security, and availability of Customer Data. LiveKit's security program is intended to be appropriate to the nature of the Services and the size and complexity of LiveKit's business operations. LiveKit has an Information Security team that manages LiveKit's security program. There is a team that facilitates and supports independent audits and assessments performed by third parties. LiveKit's security framework is based on the Service Organization Controls (SOC 2) Trust Services Criteria and includes policies covering: Access Control, Asset Management, Backup Security, Physical Security, Information Security, Communications Security, Data Protection, Business Continuity, Disaster Recovery, Risk Assessment, People Security, Cryptography, Cloud and Network Infrastructure Security, Security Compliance, Third-Party Security, Vulnerability Management, Vendor Management, Security Monitoring and Incident Response. Security is managed at the highest levels of the company, with LiveKit's Chief Security Officer (CSO) meeting with executive management regularly to discuss issues and coordinate company-wide security initiatives. Information security policies and standards are reviewed and approved by management at least annually and are made available to all LiveKit employees for their reference.
4. Confidentiality. LiveKit has controls in place to maintain the confidentiality of Customer Data in accordance with the Agreement. All LiveKit employees and contract personnel are bound by LiveKit's internal policies regarding maintaining the confidentiality of Customer Data and are contractually obligated to comply with these obligations.
5. People Security
5.1 Employee Background Checks. LiveKit performs background checks on all new employees at the time of hire in accordance with applicable local laws. LiveKit currently verifies a new employee's previous employment and performs reference checks when reasonably required. Where permitted by applicable law, LiveKit may also conduct criminal, credit, immigration, and security checks depending on the nature and scope of a new employee's role.
5.2 Employee Training. At least once (1) per year, LiveKit employees must complete a security and privacy training that covers LiveKit's security policies, security best practices, and privacy principles. Employees on a leave of absence may have additional time to complete this annual training. LiveKit's dedicated security team communicates emerging threats to employees. LiveKit has also established an anonymous communication channel for employees to report any unethical behavior where anonymous reporting is legally permitted.
6. Third-Party Vendor Management
6.1 Vendor Assessment. LiveKit may use third-party vendors to provide the Services. LiveKit carries out a security risk-based assessment of prospective vendors before working with them to validate they meet LiveKit's security requirements. LiveKit periodically reviews each vendor in light of LiveKit's security and business continuity standards, including the type of access and classification of data being accessed (if any), controls necessary to protect data, and legal or regulatory requirements. LiveKit ensures that Customer Data is returned and/or deleted at the end of a vendor relationship.
6.2 Vendor Agreements. LiveKit enters into written agreements with all of its vendors which include confidentiality, privacy, and security obligations that provide an appropriate level of protection for Customer Data that these vendors may process.
7. Security Certifications and Attestations. LiveKit holds the following security-related certifications and attestations:
- SOC 2 Type 2 (Trust Service Principles: Confidentiality, Security and Availability)
8. Hosting Architecture and Data Segregation
8.1 Cloud Providers. The Services are hosted on Google Cloud Platform, Akamai, and Digital Ocean ("Cloud Providers") in the United States of America, EEA, and Singapore. Cloud Providers are protected by security and environmental controls. The production environment within Cloud Providers where the Services and Customer Data are hosted is logically isolated in a Virtual Private Cloud (VPC) and containerized with Docker. Customer Data stored within Cloud Providers is encrypted at all times. Cloud Providers do not have access to unencrypted Customer Data.
8.2 Storage. Customer Account Data and Customer Usage Data are hosted on Cockroach Cloud ("Cockroach") and Timescale Cloud ("Timescale") ("Storage Providers"). As stated in 6.2, LiveKit has entered into written agreements with Storage Providers ensuring appropriate safeguards are in place to protect Customer Data. All Customer Data stored within Storage Providers is encrypted at rest using AES-256 encryption.
8.3 Services. For the Services, all network access between production hosts is restricted, using access control lists to allow only authorized services to interact in the production network. Access control lists are in use to manage network segregation between different security zones in the production and corporate environments. Access control lists are reviewed regularly. LiveKit separates Customer Data using logical identifiers. Customer Data is tagged with a unique customer identifier that is assigned to segregate Customer Data ownership. The LiveKit APIs are designed and built to identify and allow authorized access only to and from Customer Data identified with customer specific tags. These controls prevent other customers from having access to Customer Data.
9. Physical Security. Cloud Providers' data centers are strictly controlled by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication (2FA) to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions. Each data center has redundant electrical power systems that are available twenty-four (24) hours a day, seven (7) days a week. LiveKit is a fully-remote company without physical headquarters. All LiveKit-owned employee and contractor devices must be locked when not in use, must use strong passwords, and must have hard drive encryption enabled.
10. Security by Design. LiveKit follows security by design principles when it designs the Services. LiveKit also applies the LiveKit Software Development Lifecycle (SDLC) standard to perform numerous security-related activities for the Services across different phases of the product creation lifecycle from requirements gathering and product design all the way through product deployment. These activities include, but are not limited to, the performance of (a) internal security reviews before deploying new Services or code; (b) penetration tests of significantly new Services by independent third parties; and (c) threat models for new Services to detect potential security threats and vulnerabilities.
11. Access Controls
11.1 Provisioning Access. To minimize the risk of data exposure, LiveKit follows the principle of least privilege through a team-based access-control model when provisioning system access. LiveKit personnel are authorized to access Customer Data based on their job function, role, and responsibilities, and such access requires approval. Access rights to production environments that are not time-based are reviewed at least semi-annually. An employee's access to Customer Data is promptly removed upon termination of their employment. In order to access the production environment, an authorized user must have a unique username and password and multi-factor authentication enabled. Before an engineer is granted access to the production environment, access must be approved by management and the engineer is required to complete internal training for such access, including training on the relevant team's systems. LiveKit leverages automation to identify any deviation from internal technical standards that could indicate anomalous or unauthorized activity, raising an alert within minutes of a configuration change.
11.2 Password Controls. LiveKit's current policy for employee password management requires the use of a company-approved password manager and, when possible, multi-factor authentication. Password requirements include an eight (8) character minimum, with at least one upper case letter, one lower case letter, and one non-alphanumeric character. When a customer logs into their LiveKit account, they do so using SSO via Google or GitHub ("Auth Providers"). A customer may also add another layer of security to their Auth Provider by using two-factor authentication (2FA). LiveKit does not store authentication credentials.
12. Change Management. LiveKit has a formal change management process it follows to administer changes to the production environment for the Services, including any changes to its underlying software, applications, and systems. Each change is carefully reviewed and evaluated in a test environment before being deployed into the production environment for the Services. Significant production system changes are documented using a formal, auditable system of record. A rigorous assessment is carried out for all high-risk changes to evaluate their impact on the overall security of the Services. Deployment approval for high-risk changes is required from the correct organizational stakeholders. Plans and procedures are also implemented in the event a deployed change needs to be rolled back to preserve the security of the Services.
13. Encryption. For the LiveKit Services, (a) the databases that store Customer Data are encrypted using the Advanced Encryption Standard and (b) Customer Data is encrypted when in transit between Customer's software application and the Services using TLS v1.2.
14. Vulnerability Management. LiveKit maintains controls and policies to mitigate the risk of security vulnerabilities in a measurable time frame that balances risk and the business/operational requirements. LiveKit uses a third-party tool to conduct vulnerability scans regularly to assess vulnerabilities in LiveKit's cloud infrastructure and corporate systems. Critical software patches are evaluated, tested, and applied proactively. Operating system patches are applied through the regeneration of a base virtual-machine image and deployed to all nodes in the LiveKit cluster over a predefined schedule.
15. Penetration Testing. LiveKit performs penetration tests and engages independent third-party entities to conduct application-level penetration tests. Security threats and vulnerabilities that are detected are prioritized, triaged, and remediated promptly. LiveKit maintains a Bug Bounty Program located at https://docs.livekit.io/security/policy, which allows independent security researchers to report security threats and vulnerabilities on an ongoing basis.
16. Security Incident Management. LiveKit maintains security incident management policies. LiveKit's Security Incident Response Team assesses all relevant security threats and vulnerabilities and establishes appropriate remediation and mitigation actions. LiveKit utilizes third-party tools to detect, mitigate, and prevent Distributed Denial of Service (DDoS) attacks.
17. Discovery, Investigation, and Notification of a Security Incident. LiveKit will promptly investigate a Security Incident upon discovery. To the extent permitted by applicable law, LiveKit will notify Customer of a Security Incident in accordance with the Data Processing Addendum. Security Incident notifications will be provided to Customer via email to the email address designated by Customer in its account.
18. Resilience and Service Continuity
18.1 Resilience. The hosting infrastructure for the Services (a) spans multiple fault-independent availability zones in geographic regions physically separated from one another and (b) is able to detect and route around issues experienced by hosts or even whole data centers in real time and employ orchestration tooling that has the ability to regenerate hosts, building them from the latest backup.
18.2 Service Continuity. LiveKit also leverages specialized tools available within the hosting infrastructure for the Services to monitor server performance, data, and traffic load capacity within each availability zone and colocation data center. If suboptimal server performance or overloaded capacity is detected on a server within an availability zone or colocation data center, these specialized tools increase the capacity or shift traffic to relieve any suboptimal server performance or capacity overload. LiveKit is also immediately notified in the event of any suboptimal server performance or overloaded capacity.
19. Customer Data Backups. LiveKit performs regular backups of Customer Data, which is hosted on Cockroach and Timescale. Customer Data that is backed up is retained redundantly across multiple availability zones and encrypted in transit and at rest using the Advanced Encryption Standard (AES).