Agora Privacy Policy, Processor

Agora Processor Privacy Statement

Last updated: Dec 27, 2023

Introduction

Agora Lab, Inc. (together with our parent companies, subsidiaries and affiliates, “Agora,” “we,” or “us”) values the privacy of everyone who uses our communication services, networks, mobile applications, downloadable tools, client libraries, software development kits, including, without limitation, our beta products, aPaaS, whiteboard, cloud player, SDKs (e.g. Voice SDK, Video SDK, Signaling, Chat, Live Interactive Streaming, Recording, Analytics, etc.), and any APIs, API keys that uniquely identify a particular Customer Application (as defined below), and the associated services (collectively, our “Service”) which enable our customers (“Enterprise Customers”) to integrate and deploy live voice, video, messaging engagement capabilities and other interaction features and functionalities into their web and mobile applications (“Customer Applications”) for a variety of use cases.

This Privacy Statement (“Statement”) describes how we process and use Personal Information of or about you when you use our Service via Customer Applications, your rights and choices with respect to your Personal Information, and how you can contact us if you have any questions or concerns. We process your Personal Information as a processor on behalf of our Enterprise Customers for the purpose of providing the Service to our Enterprise Customers pursuant to our applicable data processing terms, and as otherwise stated in this Statement. This Statement lists the types of data that Agora may process when providing the Service to you via Customer Applications. If you want to know what data an Enterprise Customer collects from you when it deploys the Service, please refer to the privacy policy of such Enterprise Customer.

Please read this Statement carefully. If you do not agree with this Statement or any part thereof, you should not access or use any part of the Service, or otherwise provide us with your Personal Information. If you change your mind in the future, you should stop using the Service and should provide us with no further Personal Information.

Contents of this Statement

This Statement outlines the following topics:

Personal Information We Collect and How We Use It
How We Disclose or Share Your Personal Information
Your Rights and Choices
Data Security
Data Transfers
Data Retention
Changes and Updates to this Policy
Contact Us

1. Personal Information We Collect and How We Use It

Data Collected by Us	How We Use It
Operation Data When you use the Service, we may collect information such as: – Dynamic IP Addresses – Device Type – OS Version – CPU Version and CPU Rate – Use Configuration Data This is information about the deployment of the Agora SDK and related configuration. – Real-Time Engagement Metadata This includes metrics about when and how the Service is used. – Feature Usage This includes data about Service preferences. – Performance Data This includes metrics about the Service performance and quality. – Service Logs This is data we generate about system-related events, such as errors and systems/servers’ reports. – Usage Data This is data we generate about when, how, and how long our Service is used. – End User – User Content Data This includes user metadata, users’ key & value in a chatroom, users’ tags assigned by developers, user created content on Whiteboard, and user uploaded attachments.	– On our Enterprise Customers’ instructions (which may include to provide you with our Service, operate, maintain, enhance and provide the features of the Service, monitor, diagnose and analyze the performance and effectiveness of our Service, analyze user patterns and conduct aggregated analytics, provide our service in a secure manner, prepare billings and usage reports, and to provide other services and information that you or our Enterprise Customers request). – As required by applicable law.

Data Collected by Us

How We Use It

Operation Data

When you use the Service, we may collect information such as:

– Dynamic IP Addresses

– Device Type

– OS Version

– CPU Version and CPU Rate

– Use Configuration Data
This is information about the deployment of the Agora SDK and related configuration.

– Real-Time Engagement Metadata
This includes metrics about when and how the Service is used.

– Feature Usage
This includes data about Service preferences.

– Performance Data
This includes metrics about the Service performance and quality.

– Service Logs
This is data we generate about system-related events, such as errors and systems/servers’ reports.

– Usage Data
This is data we generate about when, how, and how long our Service is used.

– End User – User Content Data
This includes user metadata, users’ key & value in a chatroom, users’ tags assigned by developers, user created content on Whiteboard, and user uploaded attachments.

– On our Enterprise Customers’ instructions (which may include to provide you with our Service, operate, maintain, enhance and provide the features of the Service, monitor, diagnose and analyze the performance and effectiveness of our Service, analyze user patterns and conduct aggregated analytics, provide our service in a secure manner, prepare billings and usage reports, and to provide other services and information that you or our Enterprise Customers request).

– As required by applicable law.

Data Collected by Our Customers	How We Use It
User Content – Voice Data When you use our real-time voice engagement services. – Video Data When you use our real-time video engagement services. – Messaging and Images Data When you use our messaging services. – Other Data Depending on what service you use, our Enterprise Customers and Agora may collect additional information from products like Chat such as: Client logs \| Device Type/Device Model \| Device random value num. \| Username, password, Username(id) \| App Key \| User messages \| User message \| User push messages \| User push message attachments \| Push Token \| User nicknames \| avatars \| email addresses\| and custom information [ from message body] \| Usage data including but not limited to total number of users, daily active suers, daily new registrations, number of messages Other Information Shared by our Customers Our enterprise customers may ask us to process additional information in accordance with our data processing terms, applicable statement of works and customer agreements.	– On our Enterprise Customers’ instructions (which may include to provide you with our Service, operate, maintain, enhance and provide the features of Service, monitor, diagnose and analyze the performance, debug the services, analyze the effectiveness of our Service, analyze user patterns and conduct aggregated analytics, provide our Service in a secure manner, prepare billings and usage reports, and to provide other services and information that you or our Enterprise Customers request). – Other Data collected is used to deliver the functions of the service. – As required by applicable law.

Data Collected by Our Customers

How We Use It

User Content

– Voice Data
When you use our real-time voice engagement services.

– Video Data
When you use our real-time video engagement services.

– Messaging and Images Data
When you use our messaging services.

– Other Data
Depending on what service you use, our Enterprise Customers and Agora may collect additional information from products like Chat such as:

Client logs | Device Type/Device Model | Device random value num. | Username, password, Username(id) | App Key | User messages | User message | User push messages | User push message attachments | Push Token | User nicknames | avatars | email addresses| and custom information [ from message body] | Usage data including but not limited to total number of users, daily active suers, daily new registrations, number of messages

Other Information Shared by our Customers
Our enterprise customers may ask us to process additional information in accordance with our data processing terms, applicable statement of works and customer agreements.

– On our Enterprise Customers’ instructions (which may include to provide you with our Service, operate, maintain, enhance and provide the features of Service, monitor, diagnose and analyze the performance, debug the services, analyze the effectiveness of our Service, analyze user patterns and conduct aggregated analytics, provide our Service in a secure manner, prepare billings and usage reports, and to provide other services and information that you or our Enterprise Customers request).

– Other Data collected is used to deliver the functions of the service.
– As required by applicable law.

When processing User Content, we will only process Personal Information our Enterprise Customers transmit to us via the Service (including data you upload, post, or interact with via the Customer Applications). In no event will Agora access, share, or disclose any such User Content. Agora will only store User Content as explained in the Data Retention section below.

2. How We Disclose or Share Your Personal Information

We disclose and share your Personal Information pursuant to our data processing terms with our Enterprise Customers. This includes:

Agora Affiliates and Subsidiaries

We will typically disclose Personal Information about you within Agora’s affiliates and subsidiaries.

Agora’s Partners, Vendors and Service Providers

We work with third party service providers to provide website or application development, hosting, maintenance, and other services for us. These third parties may have access to or process your Personal Information as part of providing those services for us. We limit the information provided to these service providers to that which is necessary for them to perform their functions, and we require them to agree to maintain the confidentiality of such information. This typically includes storage vendors, internet carriers and payment processing partners.

We will disclose your Personal Information if we are required to do so by law within United States’ jurisdiction, or in the good-faith belief that such action is necessary to comply with the United States’ state and federal laws), in response to a court order, judicial or other government subpoena or warrant, or to otherwise cooperate with law enforcement.

Should this be the case, we will notify our Enterprise Customers in advance (if legally allowed), and we will only disclose such information that is legally requested and that is consented to be released (if applicable).

Other Third Parties

We may disclose and transfer information about our users, including Personal Information, to an acquirer, successor or assignee as part of any merger, acquisition, debt financing, sale of assets, or similar transaction, as well as in the event of an insolvency, bankruptcy, or receivership in which information is transferred to one or more third parties as one of our business assets.

3. Your Rights and Choices

Your Privacy

Depending on your jurisdiction and applicable data protection legislation, you have the right to exercise a number of privacy rights under certain circumstances.

Such privacy rights depend on your jurisdiction and the jurisdiction of our Enterprise Customer’s (Controller) privacy policy. You can obtain information about the applicable privacy rights, and how to exercise them, from the relevant Enterprise Customer’s privacy policy. If we receive any privacy right request directly from you, we will forward it to the relevant Enterprise Customer, that is the data controller.

Children’s Privacy

Our Service is not directed to children under the age of 16, and we do not knowingly collect Personal Information from children under the age of 16 without obtaining parental consent. If you are under 16 years of age, then please do not use or access the Service at any time or in any manner. Our Enterprise Customers may incorporate our Service into their products to provide services to children under the age of 16. In that case, it is our Enterprise Customers’ obligation and responsibility to obtain parental consent. If you are a parent or guardian and discover that your child under 16 years of age deploys the Service within a Customer Application, then you may contact such Customer Application provider to delete your child’s Personal Information.

4. Data Security

We use certain physical, managerial, and technical safeguards that are designed to protect Personal Information against accidental or unlawful destruction, accidental loss, unauthorized alteration, unauthorized disclosure or access, misuse, and any other unlawful form of processing of the Personal Information in our possession.

Additionally, Agora Voice, Video, Signaling and Chat SDKs provide built-in encryption algorithms as well as support for other encryptions that our Enterprise Customers prefer. The communication between you and the Agora network (i.e., SD-RTN^TM) is protected by encrypted transmission protocols such as the Agora Private Transmission Protocol, Transport Layer Security (TLS) and WebSocket Secure (WSS). In the case of Chat, the communication between you and our leased servers is protected by Transport Layer Security (TLS), and stored data is protected by AWS S3 storage encryption and/or AES 256 file encryption. Chat also supports end-to-end encryption via third-party extensions, at our Enterprise Customers’ choice and control.

We strongly recommend our Enterprise Customers to follow the guidance in our Security Best Practices and to encrypt the User Content where necessary. As your content is encrypted, Agora is not able to read the encrypted content, nor are we able to relate it to you.

For more information about our encryption options, and other steps Agora takes to secure your Personal Information, please visit our Security Best Practices.

5. Data Transfers

Agora will transfer data across borders as follows:

If You Are Located in Territories Other than the United States

While Agora provides its Service globally, the Service is hosted in the United States. If you choose to use the Service from the European Economic Area, the United Kingdom or other regions of the world with laws governing data collection and use that may differ from U.S. law, then please note that you are transferring your Personal Information outside of those regions to the United States for storage and processing, where local U.S. state and federal data protection regulations apply.

Streaming Data Routing

We will typically transfer your data from the U.S. or from the region it is collected or generated to other countries or regions in connection with processing of streaming data. This may be to fulfill Enterprise Customers’ requests, or allow us to operate the Service, in accordance with the customer agreement, or the terms of service, user agreement or similar agreements of our Enterprise Customers, as applicable.

Streaming data will typically be routed through several regions across the world, in an encrypted manner, to reach its intended recipient. Agora provides several options and levels of encryption which can be enabled by our Enterprise Customers.

Additionally, Agora provides our Enterprise Customers with Geofencing features that they can enable in order to route the streaming data within the specified regions, excluding others, as set up by our Enterprise Customers. For more information about the Geofencing options, please refer to our Security Best Practices.

Transfers Outside the European Economic Area and the United Kingdom

Agora offers Standard Contractual Clauses to its Enterprise Customers that operate in the European Economic Area and the United Kingdom. You may contact us as specified below to obtain a copy of the safeguards we use to transfer Personal Information outside of the European Economic Area or the United Kingdom.

6. Data Retention

We take measures to delete your Personal Information or keep it in a form that does not permit identifying you in accordance with our data processing terms with our Enterprise Customers and their choices, unless we are required by law to keep this information for a longer period.

By default, and unless otherwise agreed with our Enterprise Customers, we only retain the following data for these specified periods:

Type of Data	Retention Period
Real-time Streaming Data/User Content	Not stored
Chat message history	Depending upon the level of service ordered or the size of the data stored: Free version- up to 7 days; Starter version-up to 90 days; Pro version – up to 180 days; Enterprise version – up to 180 days or longer, as requested by the Enterprise Customer
Signaling (previously named RTM) History	Enterprise Customer decides how long to retain, e.g., not to store, delete within 7 days, 30 days or otherwise
Cloud Recording	Deleted immediately after each session; if delivery fails, recording is deleted within 7 days
Service/Operation-Related Metadata	Deleted from the server every 30 days. Notwithstanding the foregoing, Agora may retain Service/Operation-Related Data or portion of it for as long as permitted by applicable laws, provided that such data remains protected in accordance with applicable data protection laws and the Agora Information Security Management System.

7. Changes and Updates to This Statement

Please revisit this page periodically to stay aware of any changes to this Statement which we may update from time to time. If we modify it, the current Privacy Statement will be available on our website and indicate the date of the latest revision. In the event that the modifications materially alter your rights or obligations hereunder, we will make reasonable efforts to notify our affected Enterprise Customers of the change for them to take appropriate measures to inform you.

8. Contact Us

If you have any questions or comments about this Statement, our use and disclosure practices, please contact us by email at privacy@agora.io or write to us at:

Agora Lab, Inc.
2804 Mission College Blvd, Suite 110
Santa Clara, CA 95054
United States

Please kindly note that Agora respects your privacy rights and takes commercially reasonable efforts to protect your Personal Information. Nonetheless, it’s our Enterprise Customer’s obligation and responsibility to honor each of your privacy rights, and Agora assists our Enterprise Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of our Enterprise Customer’s obligation to respond to requests for exercising your privacy rights. If you’d like to exercise your privacy rights, please kindly contact our Enterprise Customer whose products you’re using.