Datasheet: OpenTok Security & Compliance


Nexmo OpenTok Security

Nexmo recognizes that security is an essential consideration for any business interested in integrating real-time communications into its website, app or service. OpenTok is a reliable and secure live video platform on which you can build applications that meet your company, industry and client security needs. We support the latest security capabilities with advanced features to comply with industry requirements and ensure that sensitive user information remains secure.

HIPAA Compliance + BAA

The OpenTok platform allows our customers to build HIPAA-compliant applications for the healthcare market. Nexmo will sign BAAs with companies to support their compliance due diligence.

Benefits

• The OpenTok platform enables secure video interactions between patients, doctors, therapists, care providers and others.
• Our platform is designed so that you can build HIPAA compliant applications, provided that developers architect their applications in a secure way.

Pricing

The core security features of OpenTok, plus the additional security features outlined here, enable compliant applications. For BAAs contact sales.

Regional Media Zones

Regional Zones give customers the ability to host media traffic in specific regions, including the US, European Union, Germany and Canada, to meet the specific compliance requirements of those regions.

Benefits

• Media and signalling traffic are hosted in the desired region
• Complies with stricter data privacy requirements
• Nexmo privacy and security policies apply

Technical Specifications

• The service deploys the OpenTok media and signaling servers to data centers located in the required region.
• Redundancy is built in so that the loss of a data center in the region will not bring down the whole service.
• Clients located outside the region are not blocked from connecting to sessions hosted in the region.
• Operational logging data from clients and servers are sent encrypted to a logging server in the US with IP addresses stripped out. The OpenTok API server may be located outside the region.

Pricing

Customers can restrict media to the US, EU, Germany or Canada. This service can be purchased a-la-carte, with pricing according to region, or is included in our feature bundles. See tokbox.com/pricing/plans.

Encrypted Recording

With Encrypted Recording (also called Archiving), video recordings are always encrypted, both at-rest and in transit, providing the highest level of security for recordings. This enables customers to meet the most stringent of compliance and regulatory requirements.

Benefits

• Data is encrypted both in transit and at rest, ensuring the highest level of security.
• Useful for Healthcare & Finance customers to meet their strict data privacy compliance requirements.
• Entire workflow can be programmatically managed with easy to use APIs.

Technical Specifications

• A unique 256-bit password is used to encrypt each recording in memory; the password is itself encrypted and shared using a public key certificate you provide to OpenTok.
• Amazon S3 server-side encryption using S3-managed keys is also available.
• Decrypted archive file format: MPEG-TS
• Algorithm used for encryption: AES-256
• Generated password is encrypted using RSA encryption with OAEP padding
• Encrypted Recording can only be used with composed archives, not individual stream archives.

Pricing

This service can be purchased a-la-carte, or is included in our feature bundles. See tokbox.com/pricing/plans.

AES-256 Encryption

By default, the media streams passing through the OpenTok platform are encrypted using AES 128-bit encryption. For enhanced security, the OpenTok platform also supports the AES-256 level of encryption on media streams.

When a client is connecting to an OpenTok media server or another client, the cipher to use will be negotiated. If the client supports AES-256 then this will be the cipher negotiated for the media traffic. If the client does not support it, then AES-128 will be used. In the case of Relayed sessions, both clients must support AES-256, otherwise they will fall back to AES-128.

Benefits

• Have confidence data is secure with the highest level of bit encryption
• Useful for customers who work with highly confidential data and restrictive networks

Technical Specifications

AES-256 is supported (in addition to AES-128) in apps that use the following OpenTok client SDKs:
• iOS 2.13+, Android 2.13+, JS 2.13+ on Chrome 62+ and Firefox 56+.
• Firefox has this built-in, but Chrome requires “Negotiation with GCM cipher suites for SRTP in WebRTC” be enabled in chrome://flags.
• We expect to add Edge/Chromium support in the future.

Only AES-128 is supported in apps that use the following OpenTok client SDKs:
• Windows, JS on Safari, OpenTok plugin for Internet Explorer, and any older SDK that is earlier than 2.13.

Pricing

This service can be purchased a-la-carte, or is included in our feature bundles. See tokbox.com/pricing/plans.

IP Whitelisting

Nexmo maintains a list of IP address blocks for media and API traffic. These details can be shared with Enterprise customers so that they can limit exposure of their network to trusted endpoints only.

Benefits

• Gives IT departments peace of mind as they can now open up their networks to a select set of IP addresses and not wildcard domain names.
• Useful for Telehealth and Finance customers who work with restricted networks, and open up their firewalls to trusted endpoints only.

Technical Specifications

• Nexmo will provide a 90-day advance notice to customers using the published IP address blocks.
• Customers using this service are expected to stay up to date with the published IP address blocks, otherwise there may be disruption of service if new addresses cannot be reached.
• The list of IP address blocks is made available on the OpenTok Account Portal for enrolled customers. This includes:
  • Media servers
  • API servers
  • TURN servers
  • Logging servers

Pricing

Available to Enterprise customers, either a-la-carte or included in the Enterprise Feature Bundle. See tokbox.com/pricing/plans.

Configurable TURN (flexible media relay)

Benefits

• Provides client flexibility and control in how connectivity is provided to the OpenTok platform from restrictive networks.
• Allows customer control on both sides of firewalls by employing trusted TURN servers in network DMZs.
• Increases connectivity redundancy from restrictive networks.

Technical Specifications

A client-side API is available in OpenTok SDK 2.13+ for JavaScript, iOS & Android. The API allows configuration of alternative TURN servers for video/voice media traffic, either:
• Custom TURN servers to override OpenTok TURN servers
• Custom TURN servers as fallback to OpenTok TURN servers or direct Media server access

The Configurable TURN API changes connectivity for media traffic only. We are planning future services to proxy API and other non-media traffic.

Pricing

This service can be purchased a-la-carte, or is included in our feature bundles. See tokbox.com/pricing/plans.

www.nexmo.com

©2019 Nexmo, The Vonage API Platform | DS-N-VIDEO_SEC_COMP_0819