Policy Overview

100ms complies with the highest standards of security, privacy and compliance. This includes adherence to Service Organizational Control (SOC2) - Type II, the compliance framework established by the American Institute of Certified Public Accountants (AICPA), HIPAA (Health Insurance Portability and Accountability Act) compliant policies and also APIs and policies to help adhere to COPPA (Children's Online Privacy Protection Act) and CERT-IN (Computer Emergency Response Team).

100ms’ organizational control on customer data is subject to rigorous compliance standards, including thorough on-site audits.

Data Confidentiality

• 100ms maintains access-control systems to ensure users can access information based on their role in the system and are restricted from accessing information not needed for their role.
• 100ms maintains processes to control access to production environment and supporting infrastructure.
• 100ms monitors key infrastructure components to generate alerts based on utilization metrics.

Infrastructure Security

• 100ms’ production infrastructure is hosted on multiple secure cloud services platforms, including Google Cloud Platform (GCP), Amazon Web Services (AWS).
• 100ms’ cloud providers’ physical infrastructure is accredited under ISO 27001, SOC1, SOC2, PCI Level 1, and CSA Star. This infrastructure is monitored 24x7 and all access is logged and audited. Data centers are protected by locked cabinets, UPS, disaster-proof housing.
• 100ms uses a virtual and secure network environment on top of its cloud-providers’ infrastructure. This is achieved using VPCs and accompanying firewalls on the infrastructure provider. There are only specified authorized points of entry.
• Customers connect to 100ms’ infrastructure through encrypted and secure HTTPS connections.

Data Security

• All 100ms calls or data transmissions are conducted through the WebRTC standard which mandates encryption on all communication channels.
• 100ms never stores, or records audio-video or data streams unless the client explicitly asks 100ms to store recordings. In the most common configuration, recordings are uploaded directly to the customer’s storage bucket.
• 100ms conducts annual Vulnerability Assessment and Penetration Testing (VAPT) tests to help detect malicious attacks.
• 100ms has controls and processes to monitor and removes any unauthorized access/removal of data, alteration/destruction/misuse of software and unapproved disclosure of confidential information.
• Connections to 100ms rooms are secured with JWT tokens and room permissions. Customers can create roles and tokens with access controls to ensure only authorized people can join a call, and support TTLs.

Secure Organizational Design

• All 100ms employees go through background checks and regular security and policy trainings.
• 100ms has assigned Information Security Officer and Compliance Program Manager who ensure policies and trainings are adhered to.
• 100ms has formal policies over code of business conduct, change management, incident management, and access control.

Data Availability

• 100ms’ systems adhere to 99.99% operational uptime and performance standards.
• Disaster recovery, data backup and business continuity controls are maintained.

Privacy

• 100ms minimizes collection of Personally Identifiable Information (PII) and has controls in place to prevent PII breaches and unauthorized access.
• In addition to access-controls, monitoring, data security controls, 100ms also has third-party disclosure policies in place.
• 100ms can provide COPPA (Children's Online Privacy Protection Act) compliant recordings even in multi-student classrooms by implementing custom recording workflows.

Special Requests - IP whitelists, Data Residency

• 100ms can provide IP whitelists for developers to ensure that requests originating from 100ms are from secure addresses.
• 100ms can implement data residency in United States, Europe and India for enterprise customers. Please contact sales to know more.
• 100ms can provide data architecture diagrams, security information checklists, audited SOC2 reports, Vulnerability Assessment and Penetration Testing (VAPT) reports on demand.