Organisations that work with Coviu might have questions about how we handle data. This article aims to address these questions at a high level.
Last Updated: April 2023
Note:
- Click here for our Privacy Policy.
- Click here for our Terms of Service.
On this page:
- Does Coviu have a privacy policy and terms of service?
- Where are the Coviu servers located?
- What data security does Coviu provide?
- What user data is stored and where?
- What client or patient data is stored and where?
- Is data exchanged in a call stored?
- Does data in calls between peers in the same country ever leave that country?
- Australian Standards, ISO 27001 and HIPAA
- What other services does Coviu use?
- More support options
Does Coviu have a privacy policy and terms of service?
Yes.
- Click here for our Privacy Policy.
- Click here for our Terms of Service.
Where are the Coviu servers located?
Our application servers are hosted by Amazon Web Services (AWS) in Sydney and the application is distributed via Cloudfront to edge servers across the planet closer to our users.
Our signalling and TURN servers are in several data centres around the world. As you are setting up a video call, your browser will know to use the signalling and TURN servers that are located closest to you.
What data security does Coviu provide?
For standard video calls (peer-to-peer)
For example, video calls made in your Waiting Area, User Rooms, Meeting Rooms and Scheduled Sessions workflows:
The security model is as follows:
- In a peer-to-peer call:
- Communication between Coviu servers and Coviu users is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA with P-256), and a strong cipher 128-bit encryption (AES_128_GCM).
- This includes any signalling data.
- All data, video and audio that are exchanged are encrypted using DTLS-SRTP between the participants.
- At rest, data is encrypted using the AES-256 encryption algorithm.
For group calls
For example, video calls made in the Groups Rooms workflow:
The security model is as follows:
-
For audio and video media:
-
All communications between a participant and the media server are encrypted.
-
Each participant establishes a unique connection to the media server using a unique private key exchanged with the media server using DTLS 1.2/SRTP.
-
End-to-end encryption is not supported as the media server is required to decode the audio or video in order to forward the media to other participants.
-
Coviu has a HIPAA agreement signed with Twilio to ensure that all media run through our Twilio accounts is run through approved security processes by Twilio.
-
What user data is stored and where?
Coviu only stores user signup information; none of the data that is exchanged in a video call is saved. User data is stored in our servers in AWS, Sydney for the Australian site and Virginia for the US site.
What client or patient data is stored and where?
Clients or patients (i.e. guests) of a clinic do not need to sign up with us to join calls and appointments. Contact information such as name, email address and phone numbers for a client or patient can optionally be stored for use in appointment invitations. This data is stored in our servers in AWS, Sydney for the Australian site and Virginia for the US site. No other client or patient information is captured by us unless you have a need for it, in which case it is encrypted and stored with a user-specific key.
Is data exchanged in a call stored?
None of the audio, video or data exchanged in a Coviu call is stored by Coviu.
Specifically, Coviu does not store any clinical information that is exchanged in a call. All of the video, audio or shared documents in a call are transmitted peer-to-peer only, are fully encrypted and cannot be listened to by anyone except for the call participants. That data does not even reach Coviu storage servers.
Some of our Apps do require data storage, so if you add an App with storage capabilities, such as local call recording, we store that data with an encryption key specific to you. We do not share that data with anybody else. Call recordings can only be done with the consent of all participants. The consent gathering is built into the App.
Does data in calls between peers in the same country ever leave that country?
Coviu calls are peer-to-peer calls and fully encrypted. The endpoints of a Coviu call find the shortest connection to each other that works when setting up a call. Peer-to-peer calls of participants that are within a country will not be routed through a different country.
Australian Standards, ISO 27001 and HIPAA
There is no current Standard in Australia for the provision of services via telehealth or for the provision of a telehealth platform however, we apply the requirements of the Australian Privacy Principles to our platform.
Note: The creation of an Australian Telehealth Standard is underway by the Australian government.
Coviu takes pride in our ISO 27001 certification and HIPAA compliance, demonstrating our unwavering commitment to the highest standards of data security and privacy.
Our ISO 27001 certification verifies that we have implemented a comprehensive information security management system, ensuring the protection of our customers' information.
By being HIPAA compliant, we adhere to strict guidelines for safeguarding protected health information (PHI), enabling healthcare providers to trust our platform with sensitive patient data. These certifications highlight our dedication to maintaining a secure, reliable, and compliant environment for all users, providing you with the confidence and trust you need when using Coviu. Click here to learn more.
What other services does Coviu use?
We do partner with some US-based services for administrative and web activities. We partner with Google Analytics and Hubspot and the information we share with them is limited.
We partner with Twilio to deliver SMS and phone calls:- Twilio store SMS message content in encrypted form.
- The potential patient information that may be stored in Twilio is the phone number and message content of any SMS messages sent.
- Our settings with Twilio have them retaining this information for the minimum 7 days only before it is permanently deleted (with a 30 days of it existing, but not accessible in their backup systems).
- At present, we use the US region infrastructure for all Twilio services.
More support options
You have completed another Coviu help article. You now know more about the privacy and security aspects of Coviu.
If this is not what you were looking for, explore our knowledge base and search for another article from here.
If you still require any assistance, please do not hesitate to get in touch with our friendly Customer Success team using any of the contact methods available here.