Infrastructure you can trust
From the very first lines of code, we designed and built LiveKit with security in mind. Protecting your application's realtime and customer data is our highest priority.
Industry-standard Compliance
Our team and technical security measures are regularly and rigorously vetted by reputable third-party auditors.
SOC2 Type II
We comply with the Service Organization Controls Trust Services Criteria set by the AICPA.
GDPR
Our practices fully align with the data protection and privacy laws mandated by the European Union.
HIPAA
We protect patient data in strict adherence with HIPAA and sign BAAs with our customers.
Cloud Defense in Depth
Here are some of the measures we take to ensure LiveKit is secure for you, your team, and end-users.
Secure Hardware
LiveKit Cloud operates as ultra-resilient, multi-cloud infrastructure. Underlying providers were selected for industry-leading security and data protection policies.
Encryption
Connections are established using 256-bit TLS encryption and media streams are encrypted with AES-128. All data at rest is encrypted with AES-256.
Data Storage & Retention
We never record or store audio, video or data streams. Recordings created via API are uploaded directly to a developer-specified storage bucket. Analytics data is retained (encrypted) for a maximum of 14 days.
Strict Security Policies
All LiveKit staff undergo background checks, have minimum-level access to systems required for job duties, and partake in annual security and incident response trainings.
Identity & Access Management
LiveKit Cloud supports SSO and role-based access control over your project's data and analytics. Projects are secured with API keys and one-time-viewable secret keys.
Platform-level Protection
We've embedded security features directly in our software, so your data belongs to you and your customers' data, to them.
JWT Tokens and Room Permissions
Access tokens ensure only your users can access your application. Tokens enforce role-based rules, support TTLs, and are automatically refreshed when used with LiveKit SDKs.
End-to-end Encryption
End-to-end encryption will make it impossible for anyone to access your customers' realtime streams except those they intend. Available to both LiveKit Cloud and self-hosted users.
Security Through Community
Fortune 500s, large private companies, and tens of thousands of developers have downloaded, read, used, customized and deployed our code.
Explore Our Repos
LiveKit's core server, services, client SDKs and components are free, Apache 2.0-licensed open source.
View on GitHubSecurity Disclosures
Learn about how to report vulnerabilities, privacy issues, exposed data, or other security issues pertaining to LiveKit assets.
Read the PolicyHall of Fame
See who's made the LiveKit Responsible Disclosure Hall of Fame for independently researching and reporting vulnerabilities.
Visit the Hall