SOC2

100ms complies with the highest standards of Service Organizational Control (SOC2) - Type II, the compliance framework established by the American Institute of Certified Public Accountants (AICPA).

With SOC2 Type II compliance, 100ms’ organizational control on customer data is subject to rigorous compliance standards, including thorough on-site audits. These controls are based on the 5 Trust Services Criteria (TSC) of Security, Availability, Confidentiality, Processing Integrity, and Privacy. 100ms complies with Security, Availability and Confidentiality TSCs (Type 2).

Data Confidentiality

• 100ms maintains access-control systems to ensure users can access information based on their role in the system and are restricted from accessing information not needed for their role.
• 100ms maintains processes to control access to production environment and supporting infrastructure.
• 100ms monitors key infrastructure components to generate alerts based on utilization metrics.

Infrastructure Security

• 100ms’ production infrastructure is hosted on multiple secure cloud services platforms, including Google Cloud Platform (GCP), Amazon Web Services (AWS).
• 100ms’ cloud providers’ physical infrastructure is accredited under ISO 27001, SOC 1, SOC 2, PCI Level 1, and Cloud Security Alliance(CSA) Star. This infrastructure is monitored 24x7 and all access is logged and audited. Data centers are protected by locked cabinets, UPS, disaster-proof housing.
• 100ms uses a virtual and secure network environment on top of its cloud-providers’ infrastructure. This is achieved using VPCs and accompanying firewalls on the infrastructure provider. There are only specified authorized points of entry.
• Customers connect to 100ms’ infrastructure through encrypted and secure HTTPS connections.

Data Security

• All 100ms calls or data transmissions are conducted through the WebRTC standard which mandates encryption on all communication channels.
• 100ms never stores, or records audio-video or data streams unless the client explicitly asks 100ms to store recordings. In the most common configuration, recordings are uploaded directly to the customer’s storage bucket.
• 100ms conducts annual Vulnerability Assessment and Penetration Testing (VAPT) tests to help detect malicious attacks.
• 100ms has controls and processes in place to monitor for and mitigate any unauthorized access, removal of data, alteration, destruction, misuse of software, and unapproved disclosure of confidential information.
• 100ms’ accounts are secured with API keys and one-time viewable secret keys.
• Connections to 100ms rooms are secured with JWT tokens and room permissions. Customers can create roles and tokens with access controls to ensure only authorized people can join a call, and support TTLs.

Secure Organizational Design

• All 100ms employees go through background checks and regular security and policy trainings.
• 100ms has assigned Information Security Officer and Compliance Program Manager who ensure policies, and trainings are adhered to.
• 100ms has formal policies over code of business conduct, change management, incident management, access control.

Data Availability

• 100ms’ systems adhere to 99.99% operational uptime and performance standards.
• Disaster recovery, data backup and business continuity controls are maintained.

Privacy

• 100ms minimizes collection of Personally Identifiable Information (PII) and has controls in place to prevent PII breaches and unauthorized access.
• In addition to access-controls, monitoring, data security controls, 100ms also has third-party disclosure policies in place.