Infrastructure you can trust

Security is built into LiveKit from the first line of code. The voice, video, and AI agent data that flows through your application is protected by encryption, isolation, and a zero-retention posture for inference.


Industry-standard compliance

LiveKit's security measures are vetted by reputable third-party auditors. ISO 27001, ISO 27018, and PCI DSS are in progress. Audit artifacts are available under NDA via the Trust Center.

SOC 2 Type II

Independently audited against the AICPA's Trust Services Criteria for security, availability, and confidentiality.

GDPR

Aligned with EU data protection and privacy law. DPA available; sub-processor list maintained publicly.

HIPAA

BAAs available for Scale and Enterprise customers handling protected health information.

CCPA / CPRA

Compliant with California consumer privacy law, including data access and deletion rights.

EU–US Data Privacy Framework (DPF)

Certified for the lawful transfer of personal data from the EU to the United States.


How LiveKit protects your data

Defense in depth across encryption, isolation, infrastructure, and AI — the controls behind LiveKit Cloud.

Encryption everywhere

WebRTC media is encrypted with SRTP using DTLS-SRTP key exchange. SIP supports TLS for signaling and SRTP for media. Data at rest is encrypted with AES-256.

Customer-owned recordings

LiveKit Egress writes recordings directly to your S3, GCS, or Azure bucket. Encryption-at-rest and lifecycle policies stay on your side. LiveKit only buffers transiently during the recording.

Zero retention for AI inference

LiveKit Inference and every model provider it uses are bound to zero retention. Prompts, audio, and completions pass through and aren't logged or kept.

Logical isolation and data residency

Every tenant is tagged with a unique identifier and separated end-to-end. Pin media, recordings, agents, and observability to specific regions.

Auditable open source

LiveKit's media server, SIP service, Egress, Ingress, and SDKs are Apache 2.0. Security teams at large companies audit the same code that runs on LiveKit Cloud.

Resilient infrastructure

A multi-cloud production environment runs across GCP and Oracle with redundancy at every layer. Agents execute in sandboxed, per-instance environments.


Platform-level protection

Security features embedded directly in LiveKit, so your data belongs to you and your customers' data belongs to them.

JWT tokens and room permissions

Signed access tokens minted by your application gate every connection to LiveKit. Tokens carry granular grants — room membership, publish and subscribe rights, recording permissions — with a TTL your application sets. Short TTLs are recommended.

End-to-end encryption

With E2EE enabled, media is encrypted by the LiveKit SDK before it leaves the client. LiveKit servers see only opaque bytes. Hosted agents that need to operate on encrypted media decrypt it only with keys you choose to provide.


Security through community

Fortune 500s, large private companies, and tens of thousands of developers have read, used, customized, and deployed LiveKit's open source code.

Explore the repos

LiveKit's core server, services, client SDKs, and components are free, Apache 2.0-licensed open source.

Security disclosures

Report vulnerabilities, privacy issues, exposed data, or other security issues pertaining to LiveKit assets.

Hall of fame

See who's made the LiveKit Responsible Disclosure Hall of Fame for independently researching and reporting vulnerabilities.
