
As real-time interaction is widely used in various industries such as online education, social live broadcast, corporate collaboration, online healthcare, finance and insurance, many application developers will choose real-time interactive cloud (RTE PaaS) service providers to help them quickly build feature-rich applications. But before choosing an RTE PaaS service provider, you need to know exactly what the service provider provides in terms of data privacy, security, and standard compliance.

01 Why is security compliance important?

Developers need to clearly state in the terms of service how to store, use, and share personal data for developing applications, and strictly abide by the relevant terms of service. In addition, when developing applications for the global market, developers need to know whether they comply with data privacy regulations such as GDPR, CCPA, and other local or regional policies and regulations. To ensure that applications can manage user data more securely, developers need to understand the specific ways that PaaS partners handle any data they involve.

Security is an attribute of the business, and its role is to control internal and external risks through effective management and technical measures, and to provide reliable guarantees for the confidentiality, integrity and availability of business services under the premise of complying with relevant laws and regulations.

02 Agora's advice to developers

For developers, the safe and compliant handling of users' personal privacy data is the top priority of the application. Agora strictly applies an internal SDLC (Secure Software Development Lifecycle) and strictly complies with relevant policies and regulations when designing, developing and deploying SD-RTN™, the SDKs and its other products and services, which helps developers build application scenarios that comply with the various privacy policies and regulations.

Developers need to clarify their business scenarios and related security responsibility boundaries.

The security responsibility boundary between Agora RTE service and customers is shown as follows:

[Figure: security responsibility boundary between the Agora RTE service and customers]

Agora is committed to providing customers with real-time interactive services anytime, anywhere and on any device. We always regard data security and user privacy protection as the primary security principles and build them into our security capabilities. We are responsible for the security of the RTE PaaS platform and of the client SDK we deliver.

Under the premise of clarifying the boundaries of security responsibilities, for developers, the safe and compliant handling of users' private data is the primary concern of applications. Developers should thoroughly read the relevant documents of the developer manual, understand the technical specifications of their services in terms of security, and develop the best settings to strengthen the security of their audio and video interactive services.

We provide a "Best Security Practice Guide" (see "Read the original text") to help developers improve the security of audio and video interactions during the development and configuration process.

At the same time, we recommend that developers follow our SDK releases and update to the latest version of the SDK promptly. This not only ensures that the developer's app gets the latest functions and services as soon as they are available, but also ensures that security-related defects and vulnerabilities are fixed in time.

03 What should developers consider?

Regardless of whether the developer is cooperating with Agora or other PaaS service providers, the following issues should be consulted and clarified before signing the contract:

Does the service provider strictly implement data security and privacy protection standards?

The reliability of data security depends on whether the service provider implements data control and management in strict accordance with industry standards.

Agora follows the industry standard ISO 27001/27017/27018 in terms of information and privacy security. Our network architecture and infrastructure comply with SOC2 standards, ensuring that all physical and virtual accesses are effectively managed, monitored and controlled.

Agora does not access or store users' personally identifiable information (PII), and only collects the operational information necessary to provide the service. This data includes IP addresses (to identify the user's geographic location, both for compliance with regional regulations and for network connectivity), metering data (because Agora bills by usage duration) and quality-of-experience data (which helps customers monitor the quality of experience through Crystal Ball). Agora does not touch, process or store end-user data such as passwords and user identities (name, email address, phone number, etc.). This information is managed by the customer in the application.

Do authoritative third-party organizations certify or monitor the security compliance of the service provider?

If the PaaS service provider's implementation of security standards has been verified by an authority, it is relatively more credible.

Agora works with Ernst & Young LLP, which oversees our implementation of standards such as ISO 27001/27017/27018. Our ISO audit process and certification are provided by the European certification body DNV GL. Our SOC 2 compliance is audited by Deloitte LLP. In addition, we have worked with global security experts including Trustwave Holdings to complete network penetration testing, application vulnerability assessments and compliance assessments.

Does the service provider provide the ability and options to protect media streams?

When developers choose whether to encrypt media streams, it is important to balance performance and data security. Data security protection will have a certain impact on latency and performance, even if the impact is small.

As a developer-centric API platform, Agora provides application developers with many default and configurable security options, such as identity verification, data encryption and network geofencing, to protect developers' audio and video media streaming data. You can make the trade-offs and choices that fit your specific application scenario.

If you choose to encrypt media content, Agora SDK provides a built-in AES encryption algorithm for customers to directly choose to use. The encryption key is managed by the customer's application and transmitted between end-user devices outside the Agora network.
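The trust model in the paragraph above, as an added illustration that is not Agora SDK code (the SDK exposes encryption through its own API): the application holds the AES key, each media frame is sealed before it enters the provider's network, and a keyless relay hop forwards only ciphertext. AES-GCM is assumed here as the concrete mode, since the page does not name one.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// The AES key is created by the customer's application and shared between
// end-user devices over the app's own channel; the relay never receives it.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFrame seals one media frame with AES-GCM, prepending the random nonce.
func EncryptFrame(key, frame []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, frame, nil), nil
}

// DecryptFrame opens a sealed frame; a wrong key or a flipped byte fails authentication.
func DecryptFrame(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed frame too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// RelaySeesPlaintext models the keyless relay hop: it only copies bytes and reports whether the original frame is visible.
func RelaySeesPlaintext(sealed, frame []byte) bool {
	forwarded := append([]byte(nil), sealed...)
	return bytes.Contains(forwarded, frame)
}
```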

Does the service provider have a record of responding quickly to security vulnerabilities?

Any complex software will have vulnerabilities, so PaaS service providers must remain vigilant to prevent vulnerabilities from being exploited. Developers need to pay attention to the ability of PaaS service providers to discover and deal with vulnerabilities in a timely manner.

Agora works with a number of trusted security organizations around the world to ensure that vulnerabilities are detected in time, that customers are informed, and that customers can quickly carry out the necessary fixes.

Does the service provider comply with the laws of the country or region?

Any global company must understand the laws and regulations of the country and region where it does business. Many people will have a common-sense misunderstanding that relevant laws and regulations only apply to local companies in the country and region. In fact, these laws and regulations apply to all companies operating in that country or region. Whether it is the EU's GDPR or China's cyber security laws, any company that wants to conduct business in these areas must be subject to the same laws and regulations.

Agora complies with the EU's GDPR, California's CCPA and other international regulations. At the same time, we can also provide HIPAA compliance options to relevant customers in the healthcare industry under a Business Associate Agreement (BAA).

Does the service provider provide advanced and configurable geographic routing?

Geographic routing (sometimes called geofencing) allows developers to define a geographic area within which the developer’s data will be restricted.

Agora has implemented geographic location-based routing in six different regions, from which application developers and security teams can choose according to their specific requirements. By setting the region, Agora customers can restrict the transmission and processing of their end users' audio and video media streams to the designated area. For example, if a developer restricts its service to a specific region within its operating area, media content will only be transmitted through that region.

Does the service provider ensure that the audio and video streams it carries cannot be eavesdropped on or leaked?

If audio and video data leaks from a developer's application, the cause may lie in the application's own security or in a security vulnerability at the service provider, so developers need to pay attention to how the third-party service provider ensures that the audio and video streams it carries are not leaked.

Agora uses its self-developed protocol, AUT, for transport protection. The protocol includes key exchange and identity authentication, and uses SSL/TLS for encrypted transmission, so as to protect audio and video data from eavesdropping or leakage.

In summary

As a global real-time interactive cloud service provider, facing the urgent needs of application developers for data security, our role will be very critical. We are committed to providing excellent data security, so that developers can focus on innovation and creating new applications, with no worries about security.

If you have any other questions or suggestions about security, you can contact our security team by email (security@agora.io) or our PR team by email (pr@agora.io) at any time.
