Datasheet: OpenTok Security & ComplianceOverview | Use Cases | Benefits | Technical Specifications

Nexmo OpenTok SecurityNexmo recognizes that security is an essential consideration for

any business interested in integrating real time communications

into its website, app or service. OpenTok is a reliable and secure live

video platform on which you can build applications that meet your

company, industry and client security needs. We support the latest

security capabilities with advanced features to comply with industry

requirements and ensure that sensitive user information remains secure.

The OpenTok platform allows our customers to build HIPAA-compliant applications for the healthcare market. Nexmo will sign BAAs with companies to support their compliance due diligence.

Benefits

Pricing

• The OpenTok platform enables secure video interactions between patients, doctors, therapists, care providers and others.

• Our platform is designed so that you can build HIPAA compliant applications providing that developers architect their applications in a secure way.

The core security features of OpenTok, plus the additional security features outlined here, enable compliant applications. For BAAs contact sales.

HIPAA Compliance + BAA

Datasheet: Security & Compliance

Regional Zones gives customers the ability to host media traffic in specific regions, including the US, European Union, Germany and Canada, to meet specific compliance requirements of those regions.

With Encrypted Recording (also called Archiving), video recordings are always encrypted, both at-rest and in transit, providing the highest level of security for recordings. This enables customers to meet the most stringent of compliance and regulatory requirements.

Technical Specifications

Benefits

• Media and signalling traffic are hosted in the desired region

• Complies with stricter data privacy requirements

• Nexmo privacy and security policies apply

Benefits

• Data is encrypted both in transit and at rest hence ensuring the highest level of security.

• Useful for Healthcare & Finance customers to meet their strict data privacy compliance requirements.

• Entire workflow can be programmatically managed with easy to use APIs

Technical Specifications

• The service deploys the OpenTok media and signaling servers to data centers located in the required region.

• Redundancy is built in so that the loss of a data center in the region will not bring down the whole service

• Clients located outside the region are not blocked from connecting to sessions hosted in the region

• Operational logging data from clients and servers are sent encrypted to a logging server in the US with IP addresses stripped out. The OpenTok API server may be located outside the region.

• A unique 256-bit password is used to encrypt each recording in memory, which is encrypted and shared using a public key certificate you provide to OpenTok.

• Amazon S3 server-side encryption using S3-managed keys is also available.

• Decrypted archive file format - MPEG-TS

• Algorithm used for encryption - AES-256

• Generated password is encrypted using RSA encryption with OAEP padding

• Encrypted Recording can only be used with composed archives, not individual stream archives.

Regional Media Zones

Encrypted Recording

Pricing

This service can be purchased a-la-carte, or is included in our feature bundles. See tokbox.com/pricing/plans.

Pricing

This service can be purchased a-la-carte, with pricing according to region, or is included in our feature bundles. See tokbox.com/pricing/plans.

Customers can restrict media to the US, EU, Germany or Canada.

Datasheet: Security & Compliance

By default, the media streams passing through the OpenTok platform are encrypted using AES 128-bit encryption. For enhanced security, the OpenTok platform also supports the AES-256 level of encryption on media streams.

When a client is connecting to an OpenTok media server or another client, the cipher to use will be negotiated. If the client supports AES-256 then this will be the cipher negotiated for the media traffic. If the client does not support it, then AES-128 will be used. In the case of Relayed sessions, both clients must support AES-256, otherwise they will fall back to AES-128.

Benefits

• Have confidence data is secure with the highest-level of bit encryption

• Useful for customers who work with highly-confidential data and restrictive networks

Technical Specifications

AES-256 is supported (in addition to AES-128) in apps that use the following OpenTok client SDKs:

• iOS 2.13+, Android 2.13+, JS 2.13+ on Chrome 62+ and Firefox 56+.

• Firefox has this built-in, but Chrome requires “Negotiation with GCM cipher suites for SRTP in WebRTC” be enabled in chrome://flags.

• We expect to add Edge/Chromium support in the future.

Only AES-128 is supported in apps that use the following OpenTok client SDKs:

• Windows, JS on Safari, OpenTok plugin for Internet Explorer, and any older SDK that is earlier than 2.13.

AES-256 Encryption

Pricing

This service can be purchased a-la-carte, or is included in our feature bundles. See tokbox.com/pricing/plans.

Datasheet: Security & Compliance

Nexmo maintains a list of IP address blocks for media and API traffic. These details can be shared with Enterprise customers so that they can limit exposure of their network to trusted endpoints only.

Benefits

• Gives IT departments peace of mind as they can now open up their networks to a select set of IP addresses and not wildcard domain names.

• Useful for Telehealth and Finance customers who work with restricted networks, and open up their firewalls to trusted endpoints only.

IP Whitelisting

Pricing

Available to Enterprise customers, either a-la-carte or included in the Enterprise Feature Bundle. See tokbox.com/pricing/plans.

Technical Specifications

• Nexmo will provide a 90-day advance notice to customers using the published IP address blocks

• Customers using this service are expected to stay up to date with the published IP address blocks, otherwise there may be disruption of service if new addresses cannot be reached.

• The list of IP address blocks is made available on the OpenTok Account Portal for enrolled customers. This includes:

• Media servers• TURN servers

• API servers• Logging servers

www.nexmo.com©2019 Nexmo, The Vonage API Platform | DS-N-VIDEO_SEC_COMP_0819

Configurable TURN (flexible media relay)

Benefits

• Provides client flexibility and control in how connectivity is provided to the OpenTok platform from restrictive networks.

• Allows customer control on both sizes of firewalls by employing trusted TURN servers in network DMZs.

• Increases connectivity redundancy from restrictive networks.

Pricing

This service can be purchased a-la-carte, or is included in our feature bundles. See tokbox.com/pricing/plans.

Technical Specifications

A client-side API is available in OpenTok SDK 2.13+ for JavaScript, iOS & Android.

The API allows configuration of alternative TURN servers for video/voice media traffic, either:

• Custom TURN servers to override OpenTok TURN servers

• Custom TURN servers as fallback to OpenTok TURN servers or direct Media server access

The Configurable TURN API changes connectivity for media traffic only. We are planning future services to proxy API and other non-media traffic.