// Trust & Security Report
LiveKit Technologies, Inc.
Open-source framework and cloud platform for building, deploying, and scaling real-time voice, video, and physical AI agents. Core products: Agent Platform (orchestration, STT/LLM/TTS inference gateway, observability), Media Server (WebRTC/SIP infrastructure), Cloud Dashboard, SDKs (Python, Node.js, Web).
Certifications held
5
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on livekit.com“Independently audited against the AICPA's Trust Services Criteria for security, availability, and confidentiality.”
Verify on livekit.com“The platform aligns with EU data protection requirements, with a Data Processing Agreement available and publicly maintained sub-processor list.”
Verify on livekit.com“Business Associate Agreements are provided for Scale and Enterprise plan customers handling protected health information. Six core HIPAA-eligible services identified: realtime transport, recording/export, stream ingestion, agent hosting, agent observability, and conversational models.”
Verify on livekit.com“Compliant with California privacy regulations, including provisions for consumer data access and removal rights.”
Verify on livekit.com“Certified for lawful transfer of personal data between the EU and United States.”
> Show 3 unconfirmed / not-held certifications
source: livekit.comISO 27001 certification is currently in progress and not yet completed.
source: livekit.comISO 27018 certification is currently in progress and not yet completed.
source: livekit.comPCI DSS certification is currently in progress and not yet completed.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Configurable region pinning available for Developer Application Data, User Content, and region-matched Inference Data. Observability data processes in US regardless of region selection. Out-of-region inference providers and telephony operational metrics exempt from region pinning.
LiveKit explicitly states: 'LiveKit does not use identifiable personal data, customer content, prompts, transcripts, or audio to train or fine-tune LiveKit's own models.' Limited exceptions: (1) Paid accounts: observability data NOT used for training unless customer opts into Model Improvement Program; (2) Free accounts: observability data may be de-identified and used to improve model accuracy; (3) Voice cloning samples: opt-out on customer's behalf from third-party provider training.
// Security controls
Encryption in Transit
TLS/SSL for all connections; WebRTC native encryption for real-time media streams
livekit.comData Retention - Observability
Retained for up to 60 days by default; encrypted backups retained for an additional 30 days
livekit.comData Retention - Voice Samples
Retained for up to 12 months; deleted if no longer associated with an active voice clone
livekit.comAccess Control & Asset Management
Covered under SOC 2 Type II audit; includes policies for access control, asset management, physical security, and backup security
livekit.comVulnerability Management & Incident Response
Third-party security evaluations including pen test results available via Trust Center
livekit.comThird-Party Integration Security
For inference features (STT, LLM, TTS), LiveKit acts as a conduit; does not retain inference inputs/outputs. Third-party providers follow their own data retention policies.
livekit.com// Products & data scope
data: Agent code, voice/video streams, transcripts, observability data
HIPAA-eligible for 6 core services. Supports inference via third-party providers (OpenAI, Google, Deepseek, AssemblyAI, Deepgram, Cartesia, Rime). Region pinning available.
data: Real-time voice and video streams
Open-source option available. Handles media transport only; does not process or retain media.
data: Account metadata, API usage metrics, logs
Multi-language SDKs (Python, Node.js, Web, Go, Ruby, Rust). Observability module included.
// What to watch
- ISO 27001 not yet completed (in progress) — marketing homepage lists SOC 2 and GDPR as checkmarks, but ISO 27001 is not marketed, avoiding over-claim.
- Observability data processed in US region even when region pinning is enabled — important for GDPR customers requiring strict EU data residency.
- Third-party inference provider data handling is provider-dependent — LiveKit explicitly disclaims responsibility for inference inputs/outputs, noting it 'acts only as a conduit.'
- HIPAA availability restricted to Scale and Enterprise plans with mandatory BAA — free and lower tiers cannot be used for PHI.
- Free-tier observability data may be de-identified and used for AI/ML improvement — clear opt-in exists for paid tiers, but free users should be aware.
// At a glance
Pricing model
Freemium: Free tier (1000 session-minutes/month); Scale and Enterprise tiers with usage-based and reserved pricing
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on LiveKit Technologies, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.livekit.io