Daily announces $15 million Series A
Security & Compliance
Data Processing Addendum
Secure Infrastructure
Security Controls
Secure Calls
Data Protection
GDPR Compliance
Related links
Back to security

Secure Calls

Daily.co video calls are encrypted and secure.

Media encryption and communication security

We built our video call APIs on top of the WebRTC standard, which mandates encryption on all communication channels.

Audio, video, and screen-sharing media

In Daily.co video calls, all audio, video, and screen sharing media are transmitted encrypted using the Secure Real-time Transport Protocol (SRTP). We rely on the SRTP implementation in each web browser for key exchange and encryption of the media streams.

Peer-to-Peer

For calls with four or fewer participants, we establish peer-to-peer connections for all participants in the call. All media is encrypted end-to-end.

In some cases, direct peer-to-peer connections are blocked by network firewalls, and we have to relay peer-to-peer connections through TURN servers. The TURN standard is defined in IETF RFC 5766, and is also part of the WebRTC standard. TURN servers are media relay servers only — there is no processing or storage of media. TURN servers do not and cannot decrypt the media that they relay.

Cloud-connected

For calls with more than four participants, we connect clients to one of our Selective Forwarding Unit (SFU) servers in a star topology. Media is encrypted to and from the SFUs. On the SFU, media must be decrypted and re-encrypted for each client, so these calls are not end-to-end encrypted. However, our server code is written so that this decryption and re-encryption happens in memory, and at the application layer we never have access to unencrypted media.

WebRTC data channels

Some call metadata, and application-level messages generated by the Daily.co sendAppMessage() API call, are transmitted through WebRTC data channels. Data channels are encrypted using Datagram Transport Layer Security (DTLS).

Data channel encryption works the same way as media encryption, described above.

Web application & signaling data

The components of the Daily.co web application are downloaded from our web servers. We allow only encrypted connections to our web servers (we support only HTTPS, not HTTP). Our application web servers all run in the AWS and use Amazon-provided TLS certificates.

To set up and manage video calls, we use a combination of HTTPS and WSS data connections to our signaling servers. Again, these servers support only encrypted connections, run on the AWS cloud, and use TLS certificates that are either generated by Amazon or generated by the letsencrypt.org tools and rotated every 90 days.

Product
Daily APICustom Video UIDaily Prebuilt Daily Live StreamingAudio-only HIPAASecurity & CompliancePricing
Resources
Developer portalGetting startedReference docsChangelogHelp centerZapier appIntercom app
Customers
Meet our customersTandem case studyTeamflow case studyFocusmate case studyPitch case study
Company
About usContact usBlogPrivacy policyTerms of service
hiring!

Built worldwide