// Trust & Security Report
Whereby AS
Video Conferencing / Video API
Certifications held
4
Maturity
Enterprise
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on whereby.com“The ISO27001 certification for Whereby was secured in February 2022 and the re-certification was obtained in 2025, which can be downloaded here.”
Verify on docs.whereby.com“Whereby has prepared and will sign a standard Business Associate Agreement that is adequate for all of our HIPAA-compliant customers, at no extra charge.”
Verify on whereby.com“Our business model is to provide a paid service to users who need additional features on top of the Free version, and does not rely on widespread collection of general user data.”
Verify on whereby.helpscoutdocs.com“We are PCI DSS SAQ-A compliant, and we are performing external vulnerability scans every quarter with an external approved scanning vendor (ASV).”
> Show 1 unconfirmed / not-held certifications
source: whereby.comThe data centres are, amongst others, SOC2 audited, ISO27001 certified and are held to the highest standards of security and uptime.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
EU (AWS Dublin, Ireland). Account data stored in Ireland. Usage data may also reside in Ireland and the US per the privacy policy. No customer-selectable residency options documented.
Whereby explicitly states it does not process media for its own purposes: 'We only process media to enable participants to use our Service; we do not process media for our own purposes.' No AI/ML training policy is separately disclosed, but video and audio are not stored beyond transit. Privacy policy last updated July 4, 2022 and may not address newer AI features.
// Security controls
Encryption in Transit
TLS 1.2 with restricted cipher suite. DTLS-SRTP for all media streams.
whereby.comEncryption at Rest
AES-256; disk encryption enabled on servers; backup data stored encrypted offsite.
whereby.comEnd-to-End Encryption
Available for small rooms (peer-to-peer, DTLS-SRTP with client-generated keys). Large rooms: encrypted media decrypted only in server memory, not persisted.
whereby.comMedia Storage
Whereby does not store video or audio data. Transient only during transmission. No cloud storage of meeting content by default.
whereby.comPenetration Testing
Regular third-party pen tests using OWASP methodology. Executive summary available under NDA on request.
whereby.comVulnerability Disclosure
Self-hosted VDP (not HackerOne or Bugcrowd). Contact: security@whereby.com. PGP key available. Hall of Fame for valid reporters at whereby.com/information/security/vdp/hof/.
whereby.comBug Bounty
No formal paid bug bounty program on HackerOne or Bugcrowd. VDP states researchers 'will be added to our private Bug Bounty Program in the future' depending on criticality and budget.
whereby.comInfrastructure
Hosted on AWS Dublin, Ireland (EU data residency). AWS itself holds SOC 2 and ISO 27001 certifications for its data centers.
whereby.comPCI DSS
SAQ-A compliant for payment handling. Quarterly external vulnerability scans via approved scanning vendor (ASV). Payment processing via Stripe.
whereby.helpscoutdocs.com// Products & data scope
data: No audio or video stored. Chat data local-browser only for meeting duration. Local recording only (saved to user device). Account info in Ireland. HIPAA compliance requires BAA; not enabled by default on free plan.
Free plan available. Pro ($10.99/mo), Business ($13.99/host/mo), Enterprise (custom). HIPAA compliance with BAA available at no extra cost on annual plans.
data: API-driven programmatic room creation. Cloud recording supported only with customer-owned S3 bucket for HIPAA compliance. Chat local only. DPA included for Business and Enterprise customers.
Programmable rooms, custom branding, SDK tooling. HIPAA-compliant with BAA on Enterprise plan. Build plan offers HIPAA as paid add-on. Usage-based API pricing.
// What to watch
- SOC 2 is NOT held by Whereby itself. Only its data center provider (AWS) is SOC2 audited. Homepage and security page language about SOC2 refers solely to infrastructure, not Whereby's own operations.
- No formal bug bounty platform (HackerOne or Bugcrowd). Self-hosted VDP only, with a possible future private bug bounty hinted at in the policy.
- HIPAA compliance is operationally available via BAA, not a formal third-party certification. Customer must configure rooms correctly (locked rooms, UUID names, own S3 for recordings) for full HIPAA posture.
- Privacy policy last updated July 4, 2022. May not reflect newer AI features (transcriptions, captions) added since then. No AI training terms found.
- No explicit AI training policy page, but media is explicitly not stored or processed for Whereby's own purposes. Low risk but warrants monitoring as product adds AI-powered features.
// At a glance
Pricing model
Freemium and SaaS subscription tiers. Meetings: Free, Pro ($10.99/mo), Business ($13.99/host/mo), Enterprise (custom). Embedded: usage-based API pricing.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Whereby AS's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
whereby.com