Security Policy

Placeholder Text
We use Google Cloud Platform, including Firebase, to manage user authentication, store user data, distribute our application, and run server-side functions for our applications. Google provides a highly secure network and computing environment. All data is encrypted in transit via HTTPS TLS 1.2 and stored on our servers under AES-256.

We aim to retain a minimum amount of customer data. For example, for each user we only retain data that is required to render that user to other users on the same team, such as name, availability, and profile picture.

Audio, Video, and Screen Share
We use Zoom as our sole vendor for audio, video, and data transmission for call data streams including screen share and text chat. Zoom uses 256-bit AES-GCM encryption for streams in transit between Zoom applications, clients, and connectors. Streams flowing between users’ Multi apps are not decrypted until they reach the recipients’ devices. The encryption keys for each meeting are generated and managed by Zoom’s servers.

These call data streams are not recorded unless a user turns on call recording for a specific call. When call recording is enabled, a video file is retained on Zoom’s servers for seven days.

Access to your call metadata is limited to a few Multi operations engineers, for whom access is essential. Access to this sensitive data is protected by two-factor authentication and is audited.

Shared Control
We use WebRTC for shared control: Data channels for data passing, and ICE for session creation. We use Twilio for STUN/TURN, and all streams are end-to-end encrypted and are not stored in Multi servers.
Shared control is only possible while in a call and actively screen sharing. Shared control is optional and requires two-way consent. The sharer always has the option to override shared control by clicking the mouse and selecting the "stop" button on the screen share controls.
Analytics

We use the following analytics tools to better understand customer needs, troubleshoot, and inform our product roadmap:
Segment
Sentry
BigQuery
Google Analytics
Userlist

None of these services receive access to the audio, video, or other streaming data.
Backup and Recovery

We maintain daily backups of server data and can recover in under an hour.

Reporting Issues
Companies are able to report issues directly to security@multi.app and we will troubleshoot as soon as possible.

If you have any questions about our security policy, please reach out to alex@swiftsign.io