End-to-end encryption
All real-time media is encrypted in transit using DTLS-SRTP — the same protocol securing every WebRTC call in the world. Within meetings, peer-to-peer messages are end-to-end encrypted between participants and never readable by LIQAA infrastructure.
- Video / audio — DTLS 1.2+, AES-128-GCM
- In-meeting chat — end-to-end encrypted between participants
- Persistent chat — encrypted at rest with AES-256
- API traffic — TLS 1.3, HSTS preload, certificate pinning available for enterprise
Infrastructure
- Multi-region SFU — media routes to the closest region for <150 ms latency.
- Isolated tenancy — every customer's media rooms are isolated at the SFU layer.
- Zero-trust internals — service-to-service auth via short-lived JWTs, network policies enforce least privilege.
- Encrypted backups — daily snapshots, AES-256 at rest, geo-redundant.
- DDoS protection — upstream filtering, per-key rate limits, automatic anomaly throttling.
API key handling
API secret keys (sk_live_…) are hashed with bcrypt on creation. We never store them in plaintext, never log them, and never display them after the first reveal.
- Public keys (pk_live_…) are safe to expose in browser code.
- Secret keys must remain server-side. They sign SDK token exchanges via HMAC-SHA256.
- SDK tokens (browser-bound) are short-lived (1 hour) and scoped to one identity.
- Webhooks are signed with HMAC-SHA256 using a per-subscription signing secret.
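The receiving side of the webhook signature described above, as an added illustration (this is not LIQAA's code, and the page does not document the header layout). It assumes a header of the form "t=<unix seconds>,v1=<hex hmac>" with the MAC computed over "<timestamp>.<raw body>", and a 300-second replay window; both are assumptions to adjust to the real format. The sample secret and payload are constructed.

```python
import hashlib
import hmac
import time
from typing import Optional

# Assumed header layout (not specified on the page): "t=<unix seconds>,v1=<hex hmac>",
# where the MAC covers "<timestamp>.<raw request body>". Adjust to the real format.
TOLERANCE_SECONDS = 300  # assumed replay window


def sign_webhook(secret: str, timestamp: int, body: bytes) -> str:
    """Hex HMAC-SHA256 a sender would attach under the assumed layout."""
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret.encode(), message, hashlib.sha256).hexdigest()


def verify_webhook(secret: str, header: str, body: bytes,
                   now: Optional[int] = None) -> bool:
    """True only if the header parses, the timestamp is fresh, and the MAC matches.

    Verify the raw bytes exactly as received: re-serialising parsed JSON can
    change whitespace or key order and silently break the comparison.
    """
    now = int(time.time()) if now is None else now
    try:
        ts_part, sig_part = header.split(",")
        timestamp = int(ts_part.removeprefix("t="))
        provided = sig_part.removeprefix("v1=")
    except ValueError:
        return False
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # stale or replayed delivery
    expected = sign_webhook(secret, timestamp, body)
    # Constant-time comparison on bytes so a mismatch does not leak timing
    # (and so a non-ASCII header value cannot raise instead of failing closed).
    return hmac.compare_digest(expected.encode(), provided.encode())


if __name__ == "__main__":
    # Constructed sample delivery; the secret and payload are not real.
    secret = "whsec_constructed_example"
    body = b'{"event":"meeting.ended","room":"room_123"}'
    ts = 1_700_000_000
    header = f"t={ts},v1={sign_webhook(secret, ts, body)}"
    print("valid:", verify_webhook(secret, header, body, now=ts + 5))
    print("tampered body:", verify_webhook(secret, header, body + b" ", now=ts + 5))
    print("stale:", verify_webhook(secret, header, body, now=ts + 3600))
```

The timestamp check bounds how long a captured delivery can be replayed; the signing secret is per subscription, so a leaked secret only affects that one endpoint and should be rotated there.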
Authentication
- Passwords are hashed with bcrypt at cost 12 — never stored in plaintext.
- Sessions use HttpOnly + Secure + SameSite=Lax cookies, rotated on login.
- Reset and verification tokens are SHA-256 hashed in storage and expire automatically.
- Rate limits on login (20/min), signup (10/min), password operations (5/min).
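How reset and verification tokens can be kept hashed at rest with automatic expiry, as an added example rather than LIQAA's own implementation. The page states only that such tokens are SHA-256 hashed in storage and expire; the 15-minute lifetime, the single-use behaviour and the in-memory store are assumptions standing in for a database table.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; the page only says tokens expire


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class ResetTokenStore:
    """In-memory stand-in for the table holding hashed reset tokens.

    Only the SHA-256 digest is stored, so a database leak does not yield
    usable tokens. Because the token itself is 256 bits of randomness, its
    digest can safely serve as the lookup key.
    """

    def __init__(self) -> None:
        self._rows: Dict[str, Tuple[str, float]] = {}  # digest -> (user_id, expires_at)

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        """Create a token; the plaintext is returned once and never persisted."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._rows[_digest(token)] = (user_id, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user id if the token is known and unexpired, else None.

        The row is removed on first use so a token cannot be replayed.
        """
        now = time.time() if now is None else now
        row = self._rows.pop(_digest(token), None)
        if row is None:
            return None
        user_id, expires_at = row
        if now > expires_at:
            return None
        return user_id

    def purge_expired(self, now: Optional[float] = None) -> int:
        """Drop expired rows (the 'expire automatically' part); returns count removed."""
        now = time.time() if now is None else now
        stale = [d for d, (_, exp) in self._rows.items() if now > exp]
        for d in stale:
            del self._rows[d]
        return len(stale)


if __name__ == "__main__":
    # Constructed walkthrough with a fixed clock.
    store = ResetTokenStore()
    t0 = 1_700_000_000.0
    tok = store.issue("user_42", now=t0)
    print("redeem fresh:", store.redeem(tok, now=t0 + 60))
    print("redeem again:", store.redeem(tok, now=t0 + 60))
    tok2 = store.issue("user_7", now=t0)
    print("redeem expired:", store.redeem(tok2, now=t0 + TOKEN_TTL_SECONDS + 1))
```

Pairing this with the login and password-operation rate limits listed above keeps the redemption endpoint from being used to probe for valid tokens, even though the token space is far too large to guess.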
Compliance & data residency
We follow industry best practices for SaaS data handling. We do not sell, share, or use customer meeting content for AI training.
- Aligned with GDPR, CCPA, and standard data-protection principles.
- Data residency options for enterprise customers (contact sales).
- Sub-processor list available on request.
- SOC 2 Type II — in progress.
Responsible disclosure
We welcome reports from security researchers. If you find a vulnerability, please email security@tkawen.com.
- We respond within 48 hours.
- We will not pursue legal action against good-faith researchers.
- Hall of fame published quarterly. Bounties available for high-impact findings (case-by-case).
- Please give us reasonable time to fix before public disclosure.
PGP key fingerprint and additional contact channels available on request.
Status & uptime
We target 99.9% uptime. Real-time status, incidents, and historical reliability: status.liqaa.io.
Questions
For security questionnaires, audit requests, or enterprise security reviews, contact security@tkawen.com.
For billing or general inquiries, see liqaa.io/contact.