Many real-time engagement (RTE) app developers make use of PaaS providers as an easy way to build and scale up their apps with high quality and reliability. But, before choosing your PaaS partner, you need to know exactly what they offer in terms of data privacy, security, and standards compliance. Here are some considerations.
Why It Matters
How Agora Thinks About It
Agora designed, developed, and deployed our network, our SDKs, and our products and services with exactly these considerations in mind. We know data privacy protection, security, and compliance are vital to your applications, so we’ve built our software and systems to support whatever specific privacy requirements you need for your particular use case.
What You Should Consider
Whether you work with Agora or any other PaaS provider, consider asking these questions before signing on the dotted line:
Does the provider implement a robust set of data security standards?
The reliability of data security is dependent on the provider’s implementation of well-established industry standards for data control and management.
Agora manages information security and privacy per the ISO 27001 / 27017 / 27018 industry standards. Our network and infrastructure are SOC 2 compliant, ensuring physical and virtual access are controlled, managed, and monitored.
Agora does not access or store personally identifiable information (PII), and only collects operational information that is absolutely necessary for providing our services. This data includes IP address (necessary to identify users’ geolocation for regional compliance and network connection), install ID (a pseudonymized identifier for troubleshooting purposes), and metering data (since we operate on a pay-per-use basis). Agora doesn’t store or process end-user data such as passwords and user identities (e.g. name, email address, phone number). That information is managed by our customers, within their own applications.
Do reputable third parties certify and/or monitor the provider’s security compliance?
A provider’s implementation of security standards can be trusted if they have been verified by leading agencies.
Agora partners with Ernst & Young LLP to monitor our ISO 27001 / 27018 compliance, and our ISO review process and certification are conducted by DNV GL, a European accreditation entity. Our SOC 2 compliance is monitored by Deloitte LLP. Additionally, we work with global security experts, including Trustwave Holdings, to conduct network penetration, application vulnerability, and compliance assessments.
Does the provider offer the ability and options to secure media streams?
When it comes to encrypting the media stream, it’s important to consider the tradeoff between performance and security; adding a layer of security will have some impact—even if it’s extremely small—on latency and performance.
As a developer-centric API platform, Agora provides app developers with a number of default and configurable options for securing their media streams, ranging from authentication and encryption to network geofencing. This allows you to make the well-informed decisions and trade-offs necessary for your specific use case.
If you choose to implement encryption for your media content, Agora provides built-in end-to-end encryption engines for our native SDK utilizing AES 128-bit and AES 256-bit encryption. The encryption keys are managed by your application and are transferred between your end-user devices outside of Agora’s network.
Does the provider have a strong track record of rapid action in response to security vulnerabilities?
Since vulnerabilities have proven to be an inevitable characteristic of any complex software, it is critical that PaaS providers are vigilant in the mitigation of any exploit potential. Consider how your provider responds to the discovery of vulnerabilities.
At Agora, we work in collaboration with the world’s most respected security oversight organizations to identify vulnerabilities, communicate them to our customers, and help them make any necessary fixes as quickly as possible.
Is the provider compliant with regional laws and regulations?
Global companies must be aware of country-specific and regional laws and regulations. It is a common misperception that these laws only apply to businesses that reside in that country or region. In reality, these laws and regulations apply to all companies operating within that country or region. Whether it’s GDPR in the EU or cybersecurity laws in China, any company doing business there, whether a startup or a multinational company like Microsoft or Amazon, is subject to the same laws and regulations.
Agora meets international standards with GDPR compliance in Europe and CCPA compliance in California. We also offer HIPAA compliance as an option to relevant customers in the healthcare industry under a BAA. Learn more about Agora’s Compliance and Privacy.
Does the provider offer advanced and configurable georouting?
Georouting (also sometimes referred to as geofencing) allows developers to define a geographic domain to which their data will be constrained, both in transit and at rest.
Agora has more than 200 co-located data centers around the world. By default, users on the Agora network are connected to their closest data centers, using directional DNS policies (aka, “GEO DNS”). This means that our customers’ voice and video traffic is optimized for the best latency performance, regardless of national boundaries.
There are, however, use cases that require all voice and video traffic to be kept inside specific national or regional boundaries. To address this need, Agora implements geography-based routing for six different regions, allowing our customers to have their data routed and processed exclusively by nodes within the specified regions. For instance, if you decided to exclude Europe or mainland China from your operation region, no media content would be routed through those regions.