// Trust & Security Report
Daily
Daily Infrastructure, Pipecat, Pipecat Cloud
Certifications held
6
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on daily.co“Daily is SOC 2 Type 2 certified, covering the Security and Confidentiality Trust Service Criteria.”
Verify on daily.co“HIPAA-compliant video chat for customers who have added our Healthcare Add-on. We will sign a BAA.”
Verify on daily.co“With GDPR-compliant data policies, we only collect and store data needed to deliver high-quality video calls.”
Verify on daily.co“Daily is certified under the EU-US and Swiss-US Data Privacy Framework Program.”
Verify on daily.co“Daily is certified under the EU-US and Swiss-US Data Privacy Framework Program.”
> Show 1 unconfirmed / not-held certifications
source: daily.coSecurity page states 'Data centers are SOC 1, SOC 2, and ISO 27001 certified' - this refers to Daily's AWS data center infrastructure, not Daily itself holding ISO 27001. No Daily-entity ISO 27001 certificate found.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Primarily USA (AWS and Oracle Cloud). EU-US and Swiss-US Data Privacy Framework certification covers international data transfers.
Daily explicitly states 'We never store any audio, video, or screen-sharing data from any call other than through our documented recording APIs.' Pipecat Cloud states 'We don't store your data.' No policy found permitting AI model training on customer call content. Data collected is limited to what is required to deliver service quality.
// Security controls
Encryption in transit
TLS/HTTPS for signaling; DTLS-SRTP with AES-256 for media (audio, video, screen share)
daily.coEnd-to-end encryption
Available for P2P calls. SFU (cloud) calls decrypt and re-encrypt at server in memory only; no persistent storage of unencrypted media.
daily.coInfrastructure
AWS (global) and Oracle Cloud (USA). 75+ global points of presence. 13ms median first-hop latency.
daily.coAccess controls
Two-factor authentication required for all production access. AWS IAM with role-based access and periodic reviews.
daily.coPenetration testing
Performed (listed in trust center as a downloadable report resource). Third-party firm and cadence not publicly disclosed.
trust.daily.coResponsible disclosure
Dedicated Responsible Disclosure Policy at https://www.daily.co/legal/disclosure/. No evidence of HackerOne or Bugcrowd platform; appears self-managed.
daily.coBusiness Continuity and Disaster Recovery
BCP and DR plans established and tested. AWS Aurora MySQL with daily backup snapshots. Redundant UPS. 99.99% uptime SLA.
trust.daily.coCybersecurity insurance
Maintained (listed in trust center internal security procedures controls)
trust.daily.coData deletion
Customer data deleted upon customer departure. Dedicated Data Deletion Policy documented in trust center.
trust.daily.coSubprocessors
Amazon Web Services (cloud hosting, USA), Oracle Cloud (compute/Kubernetes, USA), Stripe (payments, USA), Sentry (error monitoring, USA)
trust.daily.co// Products & data scope
data: Minimal: IP addresses, developer-supplied user names/IDs if provided, access/error logs. No call media stored unless recording API is explicitly enabled by the developer.
Core API product for developers building video/audio experiences. SOC 2 Type II and HIPAA (with Healthcare Add-on and BAA). GDPR-compliant DPA available. Enterprise SLAs.
data: Self-hosted: data stays entirely within the operator's own environment. Daily processes no data for Pipecat open-source deployments.
Vendor-neutral, 100% open source (Apache 2.0 licensed). Published at pipecat-ai/pipecat on GitHub (13,000+ stars). No vendor data processing. W3C WebRTC Working Group contributor.
data: Session transcriptions stored if recording is enabled. 'We don't store your data' per product page. HIPAA and GDPR compliant.
Managed hosting for Pipecat-built agents. Includes multi-region autoscaling, built-in observability, PSTN/SIP telephony, and Krisp noise cancellation. Separate pricing from Daily Infrastructure.
// What to watch
- ISO 27001 claim on security page refers to AWS data centers, not Daily entity itself. Do not surface as Daily's own ISO 27001 cert.
- Pipecat Cloud stores session transcriptions if recording is enabled - operators should review this against their own HIPAA/GDPR obligations.
- Responsible disclosure policy exists but no third-party bug bounty platform (HackerOne/Bugcrowd) confirmed; program appears self-managed.
- E2E encryption for SFU/cloud calls is NOT true end-to-end; media is decrypted server-side in memory. P2P calls are fully E2E encrypted.
// At a glance
Pricing model
Pay-as-you-go by usage (participant-minutes, recording minutes) for Daily Infrastructure. Separate pricing tiers for Pipecat Cloud. Free tier available.
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Daily's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.daily.co