With real-time interaction widely used in online education, social streaming, corporate collaboration, online healthcare, finance and insurance, many app developers are turning to RTE PaaS to help them quickly build feature-rich applications. But before choosing an RTE PaaS provider, you need to know exactly what your provider offers in terms of data privacy, security, and standards compliance.

Why is security compliance important?

Developers are required to specify in their Terms of Service how the application stores, uses, and shares personal data, and to strictly abide by those terms. In addition, when developing an app for a global market, developers need to know whether they are complying with data privacy regulations such as the GDPR and CCPA, as well as other local and regional policies and regulations. To manage user data securely, developers therefore need to know exactly how their PaaS partners handle any data that passes through them.

Security is an attribute of business. It controls internal and external risks through effective management and technical measures, and ensures the confidentiality, integrity, and availability of business services in compliance with relevant laws and regulations.

Agora’s advice to developers

Secure and compliant handling of users’ private data is a top priority for developers. Agora designs, develops and deploys SD-RTN™, SDKs and other products and services. The company strictly implements internal Secure Software Development Lifecycle (SDLC) controls and complies with relevant policies and regulations to help developers build application scenarios that comply with the applicable privacy policies and regulations.

Developers need to be clear about their business scenarios and the boundaries of their security responsibilities.

The boundaries of Agora RTE service and customer security responsibilities are as follows:

Agora is committed to providing customers with real-time interactive services anytime and anywhere. We treat data security and user privacy protection as our primary security principle and build it into our security capabilities from the outset. We are responsible for the security of the RTE PaaS platform and of the SDKs delivered to customers.

Within those boundaries, developers are responsible for the secure and compliant handling of their users’ private data. Developers should read the relevant documents in the Developer manual in full, understand the security-related technical specifications of the services they use, and apply the recommended settings to strengthen the security of their audio and video interactive services.

We provide a “Best Security Practice Guide” (see “Read the article”) to help developers improve the security of audio and video interactions in their development configurations.

At the same time, we recommend that developers follow our SDK releases and update to the latest version promptly. This gives developers’ apps access to the latest features and services as soon as possible, and ensures that security-related bugs and vulnerabilities are fixed in a timely manner.

What should developers consider?

Whether a developer is working with Agora or another PaaS service, the following questions should be asked before signing up:

Does the service provider enforce strict data security and privacy standards?

The reliability of data security depends on whether the service provider strictly controls and manages data in accordance with industry standards.

Agora follows the industry standard ISO 27001/27017/27018 for information and privacy security. Our network architecture and infrastructure conform to SOC2 standards, ensuring that all physical and virtual access is effectively managed, monitored and controlled.

Agora does not access or store users’ personally identifiable information (PII). Only the operational information necessary to provide the service is collected: IP addresses (which identify users’ location for compliance with regional regulations and for network connectivity), metering data (since Agora bills by usage time) and quality-of-experience data (which helps customers monitor experience quality through Agora’s Crystal Ball analytics tool). Agora does not touch, process or store end-user data such as passwords and user identities (name, email address, phone number, etc.). This information is managed by the customer within the application.

Can an authoritative third party certify or monitor the security compliance of the service provider?

PaaS providers are more reliable if their implementation of security standards has been verified by authorities.

Agora works with Ernst & Young LLP, which oversees our compliance with standards such as ISO 27001/27017/27018. Our ISO audit process and certification are provided by DNV GL, a European certification body. Our SOC 2 compliance was audited by Deloitte LLP. In addition, we have worked with global security experts, including Trustwave Holdings, to complete network penetration testing, application vulnerability assessments and compliance assessments.

Does the service provide capabilities and options to protect media streams?

When deciding whether or not to encrypt a media stream, developers need to balance performance against data security. Encrypting the data has some impact on latency and performance, although a small one.

As a developer-centric API platform, Agora provides application developers with a number of default and configurable security options, such as authentication, data encryption, and network geo-fencing, to protect their audio and video streaming data. You can make trade-offs and choices based on your specific application scenario.

If you choose to encrypt your media content, the Agora SDK provides a built-in AES encryption algorithm for customers to use directly. The encryption key is managed by the customer’s application and transmitted between end-user devices outside the Agora network.
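As an added illustration of the arrangement just described (not Agora SDK code), the application generates the key and shares it with the peer device over its own channel, the provider’s relay forwards only sealed bytes it cannot read, and the receiver rejects any frame it cannot authenticate. AES-256-GCM is assumed here, since the page does not state which AES mode the SDK uses; the code uses only the Go standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newMediaKey makes the AES-256 key in the app; it reaches the peer over the app's own channel, never via the relay.
func newMediaKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// gcmFor builds an AES-GCM instance for the key (GCM mode is our assumption).
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealFrame encrypts one media frame; the output is nonce || ciphertext || tag.
func sealFrame(key, frame []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, frame, nil), nil
}

// openFrame decrypts a frame that came back through the relay; a wrong key or any altered byte yields an error.
func openFrame(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed frame too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}
```

Because the relay holds no key, a leak of the sealed stream exposes only ciphertext; the authentication tag also turns any in-transit modification into a decryption failure the app can log.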

Does the service provider have a record of responding quickly to security breaches?

Any complex software will have vulnerabilities, so PaaS providers must be vigilant to prevent them from being exploited. Developers need to pay attention to how quickly a PaaS provider finds and fixes vulnerabilities.

Agora works with a number of trusted security organizations around the world to ensure that vulnerabilities are discovered and disclosed to us, so that customers can quickly carry out the necessary fixes.

Does the service provider comply with national or regional laws?

Any global company must understand the laws and regulations of the countries and regions in which it operates. Many people have a common misconception that laws and regulations only apply to local companies in a country or region, when in fact they apply to all companies operating in that country or region. Whether it’s the EU’s GDPR or China’s cyber security laws, any company that wants to operate in these regions is subject to the same laws and regulations.

Agora complies with the GDPR in Europe, the CCPA in California and other international regulations. We also offer HIPAA compliance options to our clients in the healthcare industry under a Business Associate Agreement (BAA).

Can the service provider provide advanced and configurable geographic routing?

Geo-routing (sometimes referred to as geo-fencing) allows developers to define a geographical area to which their data is confined.

Agora implements location-based routing in six different regions, allowing application developers and security teams to make their own choices. Agora customers can configure a zone so that their end users’ audio and video media streams flow and are processed only within that zone. For example, if a developer restricts traffic to a particular region in which they operate, media content will only be transported through that region.

Can the service providers ensure that the audio and video streams provided will not be wiretapped or leaked?

If audio or video data leaks from a developer’s application, it may have several causes, such as a weakness in the application itself or a security vulnerability at the service provider. Developers therefore need to pay attention to how a third-party service provider ensures that the audio and video streams it carries cannot be leaked.

Agora uses its own AUT protocol for transport protection, which includes key exchange, identity authentication, and SSL/TLS for encrypted transmission, so as to protect audio and video data from eavesdropping or disclosure.

In summary

As a global real-time interactive cloud service provider, we play a critical role in meeting application developers’ urgent need for data security. We are committed to providing superior data security so that developers can focus on innovation and building new applications without having to worry about security.

If you have any further questions or suggestions regarding security, please feel free to contact our security team by email ([email protected]) or our PR team by email ([email protected]).