At Butter, we're committed to provide fully secure video conferencing. To accomplish this, we use the best-in-class security tools and practices to maintain the highest level of systems security.
- Data storage and hosting
- Call encryption and privacy
- Secure rooms
- Payment details
- Data Processing Agreement (DPA)
Data storage and hosting
We use Amazon Web Services (AWS) as our datacenter, which means we benefit from some of the most comprehensive security practices and compliance certifications that exists.
As a Danish company, we take data security and privacy very seriously, and we therefore keep as much data storage as possible inside the borders of the EU. The data center is therefore located in France and is SOC 1, SOC 2, and ISO 27001 certified with 24/7 operations and enterprise-grade security.
You can read more about AWS security here.
Call encryption and privacy
Butter calls are established using 256-bit TLS encryption and call video, audio, and media are protected by AES-128 encryption. The calls are encrypted to and from our cloud servers, and media that is decrypted and re-encrypted in our cloud always happens in memory and at the application layer, so no one is able to access your calls. Not even us.
Neither do we never store any audio, video, or screen-sharing data from any call other than through our documented recording APIs.
All participants in a Butter call will be able to see video, audio, and chat data between participants. It's impossible for users or systems outside of a Room to listen in or access the call data without being actively in the Room, and thus visible to all other participants.
However, although we are able to apply best-in-class security to the Rooms and the call data therein, there will always be a risk that someone shares the link to a Butter Room outside of your organization or, in theory, guesses the ID in your public Room link:
As an owner of the Room, you can however easily protect yourself against this by keeping the Request to Join functionality in the Waiting Room on, so that participants have to requests access and be approved before entering.
We use Stripe to process and store payment details which means we never directly handle your payment details. Stripe is a PCI Level 1 Certified payment processor which is the most stringent level of certification available in the payments industry.
Data Processing Agreement (DPA)
Our personal data processing relies on the EU Commission Standard Contractual Clauses and is outlined in our DPA. One of the reasons we use this agreement as a standard is that the SCC is well known and approved by the European Data Protection Board. Another reason is that we use some sub-processors outside of the EU and that such transfers are based on the SCC as well given the fact EU/US Privacy Shield arrangement was deemed invalid by the European Court of Justice in the summer 2020.
As of November 2020, we have carried out individual risk assessment of all our data processors and entered into Data Processing Agreements that relies on SCCs for the transfers that goes outside of the EU. You can read more about sub-processors below.
You can read more about our commitment to Data Protection by Design, our use of sub-processors, and GPDR compliance here.