// Trust & Security Report

    Daily logo

    Daily

    Daily Infrastructure, Pipecat, Pipecat Cloud

    Certifications held

    6

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Daily is SOC 2 Type 2 certified, covering the Security and Confidentiality Trust Service Criteria.

    Verify on daily.co
    HIPAA
    HELD

    HIPAA-compliant video chat for customers who have added our Healthcare Add-on. We will sign a BAA.

    Verify on daily.co
    GDPR
    HELD

    With GDPR-compliant data policies, we only collect and store data needed to deliver high-quality video calls.

    Verify on daily.co
    CCPA
    HELD

    CCPA: COMPLIANT (listed in trust center compliance section)

    Verify on trust.daily.co
    EU-US Data Privacy Framework
    HELD

    Daily is certified under the EU-US and Swiss-US Data Privacy Framework Program.

    Verify on daily.co
    Swiss-US Data Privacy Framework
    HELD

    Daily is certified under the EU-US and Swiss-US Data Privacy Framework Program.

    Verify on daily.co
    > Show 1 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    Security page states 'Data centers are SOC 1, SOC 2, and ISO 27001 certified' - this refers to Daily's AWS data center infrastructure, not Daily itself holding ISO 27001. No Daily-entity ISO 27001 certificate found.

    source: daily.co

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Primarily USA (AWS and Oracle Cloud). EU-US and Swiss-US Data Privacy Framework certification covers international data transfers.

    Daily explicitly states 'We never store any audio, video, or screen-sharing data from any call other than through our documented recording APIs.' Pipecat Cloud states 'We don't store your data.' No policy found permitting AI model training on customer call content. Data collected is limited to what is required to deliver service quality.

    // Security controls

    Encryption in transit

    TLS/HTTPS for signaling; DTLS-SRTP with AES-256 for media (audio, video, screen share)

    daily.co

    End-to-end encryption

    Available for P2P calls. SFU (cloud) calls decrypt and re-encrypt at server in memory only; no persistent storage of unencrypted media.

    daily.co

    Infrastructure

    AWS (global) and Oracle Cloud (USA). 75+ global points of presence. 13ms median first-hop latency.

    daily.co

    Access controls

    Two-factor authentication required for all production access. AWS IAM with role-based access and periodic reviews.

    daily.co

    Penetration testing

    Performed (listed in trust center as a downloadable report resource). Third-party firm and cadence not publicly disclosed.

    trust.daily.co

    Responsible disclosure

    Dedicated Responsible Disclosure Policy at https://www.daily.co/legal/disclosure/. No evidence of HackerOne or Bugcrowd platform; appears self-managed.

    daily.co

    Business Continuity and Disaster Recovery

    BCP and DR plans established and tested. AWS Aurora MySQL with daily backup snapshots. Redundant UPS. 99.99% uptime SLA.

    trust.daily.co

    Cybersecurity insurance

    Maintained (listed in trust center internal security procedures controls)

    trust.daily.co

    Data deletion

    Customer data deleted upon customer departure. Dedicated Data Deletion Policy documented in trust center.

    trust.daily.co

    Subprocessors

    Amazon Web Services (cloud hosting, USA), Oracle Cloud (compute/Kubernetes, USA), Stripe (payments, USA), Sentry (error monitoring, USA)

    trust.daily.co

    // Products & data scope

    Daily Infrastructure (WebRTC API)Real-time video and audio infrastructure

    data: Minimal: IP addresses, developer-supplied user names/IDs if provided, access/error logs. No call media stored unless recording API is explicitly enabled by the developer.

    Core API product for developers building video/audio experiences. SOC 2 Type II and HIPAA (with Healthcare Add-on and BAA). GDPR-compliant DPA available. Enterprise SLAs.

    Pipecat (open source)Conversational AI agent framework

    data: Self-hosted: data stays entirely within the operator's own environment. Daily processes no data for Pipecat open-source deployments.

    Vendor-neutral, 100% open source (Apache 2.0 licensed). Published at pipecat-ai/pipecat on GitHub (13,000+ stars). No vendor data processing. W3C WebRTC Working Group contributor.

    Pipecat CloudManaged AI voice agent deployment

    data: Session transcriptions stored if recording is enabled. 'We don't store your data' per product page. HIPAA and GDPR compliant.

    Managed hosting for Pipecat-built agents. Includes multi-region autoscaling, built-in observability, PSTN/SIP telephony, and Krisp noise cancellation. Separate pricing from Daily Infrastructure.

    // What to watch

    • ISO 27001 claim on security page refers to AWS data centers, not Daily entity itself. Do not surface as Daily's own ISO 27001 cert.
    • Pipecat Cloud stores session transcriptions if recording is enabled - operators should review this against their own HIPAA/GDPR obligations.
    • Responsible disclosure policy exists but no third-party bug bounty platform (HackerOne/Bugcrowd) confirmed; program appears self-managed.
    • E2E encryption for SFU/cloud calls is NOT true end-to-end; media is decrypted server-side in memory. P2P calls are fully E2E encrypted.

    // At a glance

    Pricing model

    Pay-as-you-go by usage (participant-minutes, recording minutes) for Daily Infrastructure. Separate pricing tiers for Pipecat Cloud. Free tier available.

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Daily's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.daily.co

    > Browse all vendor trust reports