Daily.co video calls are encrypted and secure.
We built our video call APIs on top of the WebRTC standard, which mandates encryption on all communication channels.
In Daily.co video calls, all audio, video, and screen sharing media are transmitted encrypted using the Secure Real-time Transport Protocol (SRTP). We rely on the SRTP implementation in each web browser for key exchange and encryption of the media streams.
For calls with four or fewer participants, we establish peer-to-peer connections for all participants in the call. All media is encrypted end-to-end.
In some cases, direct peer-to-peer connections are blocked by network firewalls, and we have to relay peer-to-peer connections through TURN servers. The TURN standard is defined in IETF RFC 5766, and is also part of the WebRTC standard. TURN servers are media relay servers only — there is no processing or storage of media. TURN servers do not and cannot decrypt the media that they relay.
For calls with more than four participants, we connect clients to one of our Selective Forwarding Unit (SFU) servers in a star topology. Media is encrypted to and from the SFUs. On the SFU, media must be decrypted and re-encrypted for each client, so these calls are not end-to-end encrypted. However, our server code is written so that this decryption and re-encryption happens in memory, and at the application layer we never have access to unencrypted media.
Some call metadata, and application-level messages generated by the Daily.co sendAppMessage() API call, are transmitted through WebRTC data channels. Data channels are encrypted using Datagram Transport Layer Security (DTLS).
Data channel encryption works the same way as media encryption, described above.
The components of the Daily.co web application are downloaded from our web servers. We allow only encrypted connections to our web servers (we support only HTTPS, not HTTP). Our application web servers all run in the AWS and use Amazon-provided TLS certificates.
To set up and manage video calls, we use a combination of HTTPS and WSS data connections to our signaling servers. Again, these servers support only encrypted connections, run on the AWS cloud, and use TLS certificates that are either generated by Amazon or generated by the letsencrypt.org tools and rotated every 90 days.
