Privacy and Security of Your Data

Organisations that work with Coviu might have questions about how we handle data. This article aims to address these questions at a high level.

Last Updated: May 2022

NOTE:

On This Page:

  1. Does Coviu have a privacy policy and terms of use document?
  2. Where are the Coviu servers located?
  3. What data security does Coviu provide?
    1. For Peer-to-Peer calls
    2. For Group Calls
  4. What data is stored and where?
  5. Is data exchanged in a call?
  6. Peer to peer calling in-country.
  7. Australian Standards and HIPAA.
  8. Coviu partner companies and services.
  9. More support options.

Does Coviu have a Privacy policy and Terms of Use?

Yes.


Where are the Coviu application servers located?

Our application servers are hosted by Amazon Web Services (AWS) in Sydney and the application is distributed via Cloudfront to edge servers across the planet closer to our users.

Our signalling and TURN servers are in several data centres around the world. As you are setting up a video call, your browser will know to use the signalling and TURN servers that are located closest to you.


What data security does Coviu provide?

For Standard Video Calls (Peer-to-Peer)

E.g. video calls made in your Waiting Area, User Rooms, Meeting Rooms and Scheduled Sessions workflows:

The security model is as follows:

  • In a peer-to-peer call:
    • communication between Coviu servers and Coviu users is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA with P-256), and a strong cipher 128-bit encryption (AES_128_GCM).
    • This includes any signalling data.
    • All data, video and audio that is exchanged is encrypted using DTLS-SRTP between the participants.
    • At rest, data is encrypted using the AES-256 encryption algorithm.

For Group Calls

E.g. video calls made in the Groups Rooms workflow:

The security model is as follows:

  • For audio and video media

    • All communication between a participant and the media server encrypted

    • Each participant establishes a unique connection to the media server using a unique private key exchanged with the media server using DTLS 1.2/SRTP.

    • End-to-end encryption is not supported as the media server is required to decode the audio/video in order to be forward the media to other participants.

    • Coviu has a HIPAA agreement signed with Twilio to ensure that all media run through our Twilio accounts is run through approved security processes by Twilio. 


What user data is stored and where?

Coviu only stores user signup information - none of the data that is exchanged in a video call is saved. User data is stored in our servers in AWS, Sydney for the Australian site and Virginia for the US site.

Coviu does not store the identities of a guest user - the snapshot and name is only taken to identify the guests to you in your call so you can more easily identify them. Specifically, if the guest is a patient, patients don't need to sign up with us and no patient information is captured by us unless you have a need for it, in which case it is encrypted and stored with a user-specific key.


Is data exchanged in a call stored?

None of the audio, video or data exchanged in a Coviu call is stored by Coviu.

Specifically, Coviu does not store any clinical information that is exchanged in a call. All of the video, audio or shared documents in a call are transmitted peer-to-peer only, are fully encrypted and cannot be listened into by anyone except for the call participants. That data does not even reach Coviu storage servers.

Some of our apps do require data storage, so if you add an app with storage capabilities, such as local call recording, we store that your data with an encryption key specific to you. We do not share that data with anybody else. Recording can only be done with the consent of all participants. The consent gathering is built into the app.


Does data in calls between peers in the same country ever leave that country?

Coviu calls are peer-to-peer calls and fully encrypted. The endpoints of a Coviu call find the shortest connection to each other that works when setting up a call. Peer-to-peer calls of participants that are within a country will not be routed via a different country.


Australian Standards and HIPAA

There is no current Standard in Australia for a provision of services via telehealth or for the provision of a telehealth platform however, we apply the requirements of the Australian Privacy Principles to our platform. (Note: The creation of an Australian Telehealth Standard is underway by the Australian Govt.)

There is an International Standard (ISO 27001) for the management of information security which Coviu is currently working towards accreditation.

Coviu is HIPAA compliant. Click here to learn more.


What other services does Coviu use?

We do partner with some US based services for administrative and web activities. We partner with Google Analytics and Hubspot and the information we share with them is limited.


More Support Options

You have completed another Coviu help article. You now know a little more about the privacy and security aspects of Coviu.

If this is not what you were looking for, explore our knowledge base and search for another article from here.

If you still require any assistance, please do not hesitate to get in touch with our friendly Customer Success team using any of the contact methods available here.

For more information, see our;