Security at Whereby
Security is at the heart of Whereby’s video platform. From infrastructure to implementation, we follow strict security practices to protect your users’ data and safeguard every call. As a European provider, we offer robust compliance and full data control, ensuring your video solution meets the highest standards for security and privacy. The experience of a meaningful conversation cannot exist without privacy and security. As a low Total Cost of Ownership service, it is at our core to make sure privacy and security are handled while you and your users enjoy your meaningful conversations.
ISO27001 Compliant
Good security requires a good foundation of policies, processes and procedures. Information Security Risk Management is at the core of security at Whereby, and ISO27001 is the framework used to certify that we are doing it the right way. The ISO27001 certification for Whereby was secured in February 2022 and the re-certification was obtained in 2025, which can be downloaded here.
Secure Infrastructure
Whereby is hosted on world-class, globally distributed IT infrastructure, operated by globally renowned infrastructure providers. The data centres are, amongst others, SOC2 audited and ISO27001 certified, and are held to the highest standards of security and uptime.
Encryption
Whereby uses only TLS 1.2 with a limited set of ciphers to protect data in transit. Servers have disk encryption enabled, and backup data is stored encrypted and offsite. For data encrypted at rest, Whereby relies on AES256-based encryption.
For small rooms, end-to-end encryption is in effect, ensuring that nobody except the call participants can access the video calls. For large rooms, encrypted media in transit is decrypted only in server memory, keeping the exposure of the decrypted stream as minimal as possible.
Data Storage and Protection
Whereby does not store your video and audio data. Period. This applies to both the Meetings and Embedded products.
Meetings Product
For the Meetings product, only Local Recording is available. Data from Local Recording is saved only locally, in the user's browser, until download. Chat data is stored only in the local browser for the duration of the meeting.
Embedded Product
If using Local Recording, recordings are stored only on individual devices, as the user chooses. If using Cloud Recording, you can choose to either store recordings in your own S3 bucket or use Whereby-provided storage. We do not store any recording when you opt in to your own S3 bucket storage. We do store a recording on your behalf when you opt in to use and pay for Whereby-provided storage. Chat data is stored only in the local browser for the duration of the meeting.
Frequently Asked Questions on Security
How do I report a security vulnerability?
We welcome input from the community when it comes to the security posture of our platform. Make sure to check our Vulnerability Disclosure Policy to understand how best to engage us for such reports. We also maintain a security.txt entry highlighting our commitment to a standardized and transparent approach to Vulnerability Disclosure. There’s also a PGP key available should you want to encrypt the report.
How does Whereby handle security vulnerabilities within the service?
Whereby performs regular penetration tests by contracting a specialized third party. The penetration tests are conducted based on the OWASP methodology. The executive summary of the penetration test report is available to current or potential customers upon request and after signing an NDA. For vulnerabilities reported according to our Vulnerability Disclosure Policy, the handling is detailed within the policy.
How does Whereby inform customers of security issues or changes?
Any issues that affect Whereby's operational stance will be published on the Whereby Status Page.
Where is data stored?
Whereby relies mostly on AWS for its core infrastructure, using the Dublin, Ireland availability zone, ensuring data remains within the EU and in world-renowned data centers.
What will Whereby do in the event of a breach?
In the unlikely scenario of a data breach, Whereby will take action to rightfully and properly inform all relevant parties. As an obligation to our customers, we commit to reporting breaches to the affected parties as soon as there is a reasonable belief that a breach has occurred. As a legislative and ethical requirement, we commit to reporting personal data breaches to the personal data supervisory authority within Norway.