Privacy and Security
      Back to home
      1. Help Center | Knowledge Base
      2. Privacy and Security

      Privacy and Security of Your Data

      Organisations that work with Coviu might have questions about how we handle data. This article aims to address these questions at a high level.

      Last Updated: March 2024

      Note:

      On this page:

      1. Does Coviu have a privacy policy and terms of service?
      2. Where are the Coviu servers located?
      3. What data security does Coviu provide?
        1. For standard video calls (peer-to-peer)
        2. For group calls
      4. What user data is stored and where?
      5. What client or patient data is stored and where?
      6. Is data exchanged in a call stored?
      7. Does data in calls between peers in the same country ever leave that country?
      8. How is data in the chat feature handled?
      9. Australian Standards, ISO 27001 and HIPAA
      10. What other services does Coviu use?
      11. More support options

      Does Coviu have a privacy policy and terms of service?

      Yes.

      Where are the Coviu servers located?

      Our application servers are hosted by Amazon Web Services (AWS) in Sydney (for AU) and Virginia (for US) and the application is distributed via Cloudfront to edge servers across the planet closer to our users.

      Our signalling and TURN servers are in several data centres around the world. As you are setting up a video call, your browser will know to use the signalling and TURN servers that are located closest to you.

      What data security does Coviu provide?

      For standard video calls (peer-to-peer)

      For example, video calls made in your Waiting Area, User Rooms, Meeting Rooms and Scheduled Sessions workflows:

      The security model is as follows:

      • In a peer-to-peer call:
        • Communication between Coviu servers and Coviu users is encrypted and authenticated using a strong protocol (TLS 1.2 is supported, while TLS 1.3 is preferred), a strong key exchange (ECDHE_RSA with P-256), and a strong cipher 128-bit encryption (AES_128_GCM).
        • This includes any signalling data.
        • All data, video and audio that are exchanged are encrypted using DTLS-SRTP between the participants.
        • At rest, data is encrypted using the AES-256 encryption algorithm.

      For group calls

      For example, video calls made in the Groups Rooms workflow:

      The security model is as follows:

      • For audio and video media:

        • All communications between a participant and the media server are encrypted.

        • Each participant establishes a unique connection to the media server using a unique private key exchanged with the media server using DTLS 1.2/SRTP.

        • End-to-end encryption is not supported as the media server is required to decode the audio or video in order to forward the media to other participants.

        • Coviu has a HIPAA agreement signed with Twilio to ensure that all media run through our Twilio accounts is run through approved security processes by Twilio.

      What user data is stored and where?

      Coviu only stores user signup information; none of the data that is exchanged in a video call is saved. User data is stored in our servers in AWS, Sydney for the Australian site and Virginia for the US site.

      What client or patient data is stored and where?

      Clients or patients (i.e. guests) of a clinic do not need to sign up with us to join calls and appointments. Contact information such as name, email address and phone numbers for a client or patient can optionally be stored for use in appointment invitations. This data is stored in our servers in AWS, Sydney for the Australian site and Virginia for the US site. No other client or patient information is captured by us unless you need it, in which case it is encrypted and stored with a user-specific key.

      Is data exchanged in a call stored?

      None of the audio, video or data exchanged in a Coviu call is stored by Coviu.

      Specifically, Coviu does not store any clinical information that is exchanged in a call. All of the video, audio or shared documents in a call are transmitted peer-to-peer only, are fully encrypted and cannot be listened to by anyone except for the call participants. That data does not even reach Coviu storage servers.

      Some of our Apps do require data storage, so if you add an App with storage capabilities, such as local call recording, we store that data with an encryption key specific to you. We do not share that data with anybody else. Call recordings can only be done with the consent of all participants. The consent gathering is built into the App.

      Does data in calls between peers in the same country ever leave that country?

      Coviu calls are peer-to-peer calls and fully encrypted. The endpoints of a Coviu call find the shortest connection to each other that works when setting up a call. Peer-to-peer calls of participants that are within a country will not be routed through a different country.

      How is data in the chat feature handled?

      1. Are the contents of the call chat feature kept by Coviu?
        1. No. The chat content exists only as a temporary data structure on each of the peers in the call and does not persist beyond the lifetime of the browser tab in which the call took place. The chat contents are shared directly between participants over an encrypted peer-to-peer (P2P) connection. If a participant loses their copy of the chat contents (such as closing a tab or refreshing the page), the chat history is re-synchronised from another authorised participant in the call. Any chat content that is not available from another participant is lost permanently. No call chat information is kept beyond the end of the call, and the content is not saved to any Coviu servers.
      2. Would client or patient data or identification be associated with the chat feature data?
        1. Coviu does not capture any data from the chat feature. As it is a feature that accepts free-form text input, a client or patient can use this to send client or patient data using the chat feature to other participants in the call, but Coviu will never be the recipient of this information.
      3. If the contents are kept, how long is that data kept for?
        1. The content is not kept therefore there is no data retention requirement. Coviu does offer a chat download option as part of the chat feature which creates a downloadable transcript of the chat, but this is a purely local download feature and is not generated or stored on Coviu’s servers.

      Australian Standards, ISO 27001 and HIPAA

      There is no current Standard in Australia for the provision of services via telehealth or for the provision of a telehealth platform however, we apply the requirements of the Australian Privacy Principles to our platform.

      Note: The creation of an Australian Telehealth Standard is underway by the Australian government.

      We take pride in our ISO 27001 certification and HIPAA compliance, demonstrating our unwavering commitment to the highest standards of data security and privacy.

      Our ISO 27001 certification verifies that we have implemented a comprehensive information security management system, ensuring the protection of our customers' information.

      By being HIPAA compliant, we adhere to strict guidelines for safeguarding protected health information (PHI), enabling healthcare providers to trust our platform with sensitive client or patient data. These certifications highlight our dedication to maintaining a secure, reliable, and compliant environment for all users, providing you with the confidence and trust you need when using Coviu. Click here to learn more.

      What other services does Coviu use?

      We do partner with some US-based services for administrative and web activities. We partner with Google Analytics and Hubspot and the information we share with them is limited.

      We partner with Twilio to deliver SMS and phone calls:
      • Twilio stores SMS message content in encrypted form.
      • The potential client or patient information that may be stored in Twilio is the phone number and message content of any SMS messages sent.
      • Our settings with Twilio have them retaining this information for 7 days only before it is permanently deleted (with 30 days of it existing, but not accessible in their backup systems).
      • At present, we use the US region infrastructure for all Twilio services.

      More support options

      You have completed another Coviu help article. You now know more about the privacy and security aspects of Coviu.

      If this is not what you were looking for, explore our knowledge base and search for another article from here.

      If you still require any assistance, please do not hesitate to get in touch with our friendly Customer Success team using any of the contact methods available here.