// Trust & Security Report

    Whereby AS logo

    Whereby AS

    Video Conferencing / Video API

    Certifications held

    4

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO 27001
    HELD

    The ISO27001 certification for Whereby was secured in February 2022 and the re-certification was obtained in 2025, which can be downloaded here.

    Verify on whereby.com
    HIPAA BAA
    HELD

    Whereby has prepared and will sign a standard Business Associate Agreement that is adequate for all of our HIPAA-compliant customers, at no extra charge.

    Verify on docs.whereby.com
    GDPR
    HELD

    Our business model is to provide a paid service to users who need additional features on top of the Free version, and does not rely on widespread collection of general user data.

    Verify on whereby.com
    PCI DSS SAQ-A
    HELD

    We are PCI DSS SAQ-A compliant, and we are performing external vulnerability scans every quarter with an external approved scanning vendor (ASV).

    Verify on whereby.helpscoutdocs.com
    > Show 1 unconfirmed / not-held certifications
    SOC 2
    NOT CONFIRMED

    The data centres are, amongst others, SOC2 audited, ISO27001 certified and are held to the highest standards of security and uptime.

    source: whereby.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    EU (AWS Dublin, Ireland). Account data stored in Ireland. Usage data may also reside in Ireland and the US per the privacy policy. No customer-selectable residency options documented.

    Whereby explicitly states it does not process media for its own purposes: 'We only process media to enable participants to use our Service; we do not process media for our own purposes.' No AI/ML training policy is separately disclosed, but video and audio are not stored beyond transit. Privacy policy last updated July 4, 2022 and may not address newer AI features.

    // Security controls

    Encryption in Transit

    TLS 1.2 with restricted cipher suite. DTLS-SRTP for all media streams.

    whereby.com

    Encryption at Rest

    AES-256; disk encryption enabled on servers; backup data stored encrypted offsite.

    whereby.com

    End-to-End Encryption

    Available for small rooms (peer-to-peer, DTLS-SRTP with client-generated keys). Large rooms: encrypted media decrypted only in server memory, not persisted.

    whereby.com

    Media Storage

    Whereby does not store video or audio data. Transient only during transmission. No cloud storage of meeting content by default.

    whereby.com

    Penetration Testing

    Regular third-party pen tests using OWASP methodology. Executive summary available under NDA on request.

    whereby.com

    Vulnerability Disclosure

    Self-hosted VDP (not HackerOne or Bugcrowd). Contact: security@whereby.com. PGP key available. Hall of Fame for valid reporters at whereby.com/information/security/vdp/hof/.

    whereby.com

    Bug Bounty

    No formal paid bug bounty program on HackerOne or Bugcrowd. VDP states researchers 'will be added to our private Bug Bounty Program in the future' depending on criticality and budget.

    whereby.com

    Infrastructure

    Hosted on AWS Dublin, Ireland (EU data residency). AWS itself holds SOC 2 and ISO 27001 certifications for its data centers.

    whereby.com

    PCI DSS

    SAQ-A compliant for payment handling. Quarterly external vulnerability scans via approved scanning vendor (ASV). Payment processing via Stripe.

    whereby.helpscoutdocs.com

    // Products & data scope

    Whereby MeetingsVideo Conferencing (Consumer and Team SaaS)

    data: No audio or video stored. Chat data local-browser only for meeting duration. Local recording only (saved to user device). Account info in Ireland. HIPAA compliance requires BAA; not enabled by default on free plan.

    Free plan available. Pro ($10.99/mo), Business ($13.99/host/mo), Enterprise (custom). HIPAA compliance with BAA available at no extra cost on annual plans.

    Whereby EmbeddedVideo API / SDK (Developer / B2B)

    data: API-driven programmatic room creation. Cloud recording supported only with customer-owned S3 bucket for HIPAA compliance. Chat local only. DPA included for Business and Enterprise customers.

    Programmable rooms, custom branding, SDK tooling. HIPAA-compliant with BAA on Enterprise plan. Build plan offers HIPAA as paid add-on. Usage-based API pricing.

    // What to watch

    • SOC 2 is NOT held by Whereby itself. Only its data center provider (AWS) is SOC2 audited. Homepage and security page language about SOC2 refers solely to infrastructure, not Whereby's own operations.
    • No formal bug bounty platform (HackerOne or Bugcrowd). Self-hosted VDP only, with a possible future private bug bounty hinted at in the policy.
    • HIPAA compliance is operationally available via BAA, not a formal third-party certification. Customer must configure rooms correctly (locked rooms, UUID names, own S3 for recordings) for full HIPAA posture.
    • Privacy policy last updated July 4, 2022. May not reflect newer AI features (transcriptions, captions) added since then. No AI training terms found.
    • No explicit AI training policy page, but media is explicitly not stored or processed for Whereby's own purposes. Low risk but warrants monitoring as product adds AI-powered features.

    // At a glance

    Pricing model

    Freemium and SaaS subscription tiers. Meetings: Free, Pro ($10.99/mo), Business ($13.99/host/mo), Enterprise (custom). Embedded: usage-based API pricing.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Whereby AS's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    whereby.com

    > Browse all vendor trust reports