Karepsych

Coviu – a technical deep dive for our security conscious clients

Ev Williams

Share
Share on facebook
Share on twitter
Share on linkedin
Share on email
Share on print

In April 2020, in light of the Covid-19 driven increase in telehealth services being offered, the Australian Psychological Society conducted a review of the main video teleconferencing platforms available to practitioners. The full report can be found here.

The Coviu relevant results can be found below. Note, those coloured blue are deemed the most secure.

aps telehealth video platform assessment
Australian Psychology Society assessment of telehealth video platforms - April 2020

What video technology is Coviu based upon?

Coviu leverages the WebRTC video conferencing protocol. WebRTC video technology is the jewel in the HTML5 video conferencing crown. Sessions are fully encrypted, run entirely within the browser and can be accessed by any modern device including desktops, laptops, tablets and smartphones.

WebRTC is the most secure video technology available today.

Where are the Coviu application servers located?

The Coviu application servers are in AWS Sydney and the application is distributed via cloudfront to edge servers across the planet closer to our users.
The signalling and TURN servers are in several data centres around the world. As you are setting up a video call, your browser will know to use the signalling and TURN servers that are most closest located to you.

What data security does Coviu provide?

All communication between Coviu servers and Coviu users are encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA with P-256), and a strong cipher 128-bit encryption (AES_128_GCM). This includes any signalling data.

Within a Coviu call, all data, video and audio that is exchanged is encrypted using DTLS-SRTP between the participants.

What user data is stored and where?

Coviu only stores user signup information – none of the data that is exchanged in a video call is saved. User signup data is stored in AWS in Sydney.

Coviu does not store the identities of a guest user – the snapshot and name is only taken to identify a clilent to the Karepsych psychologist so they can more easily decide to allow a client into the call.

Is data exchanged in a call stored?

None of the audio, video or data exchanged in a Coviu call is stored by Coviu. Specifically, Coviu does not store any clinical information that is exchanged in a call. All of the video, audio or shared documents in a call are transmitted peer-to-peer only, are fully encrypted and cannot be listened into by anyone except for the call participants. That data does not even reach Coviu storage servers.

Does data in calls between peers inside a country ever leave that country?

Coviu calls are peer-to-peer calls and fully encrypted. The endpoints of a Coviu call find the shortest connection to each other that works when setting up a call. Peer-to-peer calls of participants that are within a country will not be routed via a different country.

Further details can be found on the Coviu website