// Trust & Security Report

    LiveKit Technologies, Inc. logo

    LiveKit Technologies, Inc.

    Open-source framework and cloud platform for building, deploying, and scaling real-time voice, video, and physical AI agents. Core products: Agent Platform (orchestration, STT/LLM/TTS inference gateway, observability), Media Server (WebRTC/SIP infrastructure), Cloud Dashboard, SDKs (Python, Node.js, Web).

    Certifications held

    5

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Independently audited against the AICPA's Trust Services Criteria for security, availability, and confidentiality.

    Verify on livekit.com
    GDPR
    HELD

    The platform aligns with EU data protection requirements, with a Data Processing Agreement available and publicly maintained sub-processor list.

    Verify on livekit.com
    HIPAA
    HELD

    Business Associate Agreements are provided for Scale and Enterprise plan customers handling protected health information. Six core HIPAA-eligible services identified: realtime transport, recording/export, stream ingestion, agent hosting, agent observability, and conversational models.

    Verify on livekit.com
    CCPA/CPRA
    HELD

    Compliant with California privacy regulations, including provisions for consumer data access and removal rights.

    Verify on livekit.com
    EU-US Data Privacy Framework
    HELD

    Certified for lawful transfer of personal data between the EU and United States.

    Verify on livekit.com
    > Show 3 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    ISO 27001 certification is currently in progress and not yet completed.

    source: livekit.com
    ISO 27018
    NOT CONFIRMED

    ISO 27018 certification is currently in progress and not yet completed.

    source: livekit.com
    PCI DSS
    NOT CONFIRMED

    PCI DSS certification is currently in progress and not yet completed.

    source: livekit.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Configurable region pinning available for Developer Application Data, User Content, and region-matched Inference Data. Observability data processes in US regardless of region selection. Out-of-region inference providers and telephony operational metrics exempt from region pinning.

    LiveKit explicitly states: 'LiveKit does not use identifiable personal data, customer content, prompts, transcripts, or audio to train or fine-tune LiveKit's own models.' Limited exceptions: (1) Paid accounts: observability data NOT used for training unless customer opts into Model Improvement Program; (2) Free accounts: observability data may be de-identified and used to improve model accuracy; (3) Voice cloning samples: opt-out on customer's behalf from third-party provider training.

    // Security controls

    Encryption in Transit

    TLS/SSL for all connections; WebRTC native encryption for real-time media streams

    livekit.com

    Data Retention - Observability

    Retained for up to 60 days by default; encrypted backups retained for an additional 30 days

    livekit.com

    Data Retention - Voice Samples

    Retained for up to 12 months; deleted if no longer associated with an active voice clone

    livekit.com

    Access Control & Asset Management

    Covered under SOC 2 Type II audit; includes policies for access control, asset management, physical security, and backup security

    livekit.com

    Vulnerability Management & Incident Response

    Third-party security evaluations including pen test results available via Trust Center

    livekit.com

    Third-Party Integration Security

    For inference features (STT, LLM, TTS), LiveKit acts as a conduit; does not retain inference inputs/outputs. Third-party providers follow their own data retention policies.

    livekit.com

    // Products & data scope

    Agent PlatformVoice/Video AI Agent Orchestration

    data: Agent code, voice/video streams, transcripts, observability data

    HIPAA-eligible for 6 core services. Supports inference via third-party providers (OpenAI, Google, Deepseek, AssemblyAI, Deepgram, Cartesia, Rime). Region pinning available.

    Media ServerWebRTC/SIP Infrastructure

    data: Real-time voice and video streams

    Open-source option available. Handles media transport only; does not process or retain media.

    Cloud Dashboard & SDKsDeveloper Tools

    data: Account metadata, API usage metrics, logs

    Multi-language SDKs (Python, Node.js, Web, Go, Ruby, Rust). Observability module included.

    // What to watch

    • ISO 27001 not yet completed (in progress) — marketing homepage lists SOC 2 and GDPR as checkmarks, but ISO 27001 is not marketed, avoiding over-claim.
    • Observability data processed in US region even when region pinning is enabled — important for GDPR customers requiring strict EU data residency.
    • Third-party inference provider data handling is provider-dependent — LiveKit explicitly disclaims responsibility for inference inputs/outputs, noting it 'acts only as a conduit.'
    • HIPAA availability restricted to Scale and Enterprise plans with mandatory BAA — free and lower tiers cannot be used for PHI.
    • Free-tier observability data may be de-identified and used for AI/ML improvement — clear opt-in exists for paid tiers, but free users should be aware.

    // At a glance

    Pricing model

    Freemium: Free tier (1000 session-minutes/month); Scale and Enterprise tiers with usage-based and reserved pricing

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on LiveKit Technologies, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.livekit.io

    > Browse all vendor trust reports