Security at Whereby
Whereby aims to provide 1 billion meaningful conversations by 2030. The experience of a meaningful conversation cannot exist without privacy and security. It's at our core as a low Total Cost of Ownership service to make sure privacy and security is handled while you and your users enjoy your meaningful conversations.
Good security requires a good foundation of policies, processes and procedures. Information Security Risk Management is at the core of Security in Whereby and the ISO27001 is the framework used to certify that we are doing it the right way. The ISO27001 certification for Whereby was secured in February 2022 can be downloaded here.
Whereby is hosted on world-class globally-distributed IT infrastructure. Most infrastructure is hosted on AWS and data centers are, amongst others, SOC2 audited, ISO27001 certified and are held to the highest standards of security and uptime.
Whereby uses only TLS 1.2 with a limited set of ciphers to protect data in transit. Servers have disk encryption enabled and backup data is stored in an encrypted offsite manner.
For small rooms, End2End Encryption is in effect, ensuring that nobody except the call participants, can access the video calls. For big rooms, encrypted media in transit is decrypted only in the server memory, ensuring that the exposure of the decrypted stream is as minimal as possible.
Data Storage and Protection
Whereby does not store your video and audio data. Period. Recordings are only stored on individual devices as the user wants to. Chat data is only stored during the meeting after which it is deleted.
Frequently Asked Questions on Security
How do I report a security vulnerability ?
We welcome input from the community when it comes to the security posture of our platform. Make sure to check our Vulnerability Disclosure Policy to understand how to best engage us for such reports. We also maintain a security.txt entry highlighting our commitment to have a standardized and transparent approach to Vulnerability Disclosure. There’s also a PGP key available should you want to encrypt the report.
How does Whereby handle security vulnerabilities within the service?
Whereby performs regular penetration tests by contracting a specialized 3rd party. The penetration tests are conducted based on the OWASP methodology. The executive summary of the penetration test report is available for current or potential customers upon request and after signing an NDA. For vulnerabilities reported according to our Vulnerability Disclosure Policy the handling is detailed within the policy.
How does Whereby inform customers of security issues or changes ?
Any kind of issues that affect Whereby's operational stance will be published in the Whereby Status Page. Any upcoming changes to security measures, stance with regards to major vulnerabilities in the industry or any kind of security relevant details will be published in the Security advisory section of the Support portal.
Where is data stored ?
Whereby relies mostly on AWS for its core infrastructure, using the Dublin, Ireland availability zone, ensuring data remains within the EU and in world-renowed data centers.
What will Whereby do in the event a breach ?
In the unlikely scenario of a data breach, Whereby will take action to rightfully and properly inform all relevant parties. As an obligation to our customers, we commit to report breaches to the affected parties as soon as there is a reasonable belief that a breach has occured. As a legislative and ethical requirement, we commit to report personal data breaches to the personal data supervisory authority within Norway.