Security Policy

Security Policy

AI Summaries

AI Summaries are strictly opt-in and user-configurable. When summarization is enabled during a call, audio is transcribed, encrypted, and stored in Google Cloud Storage. Only users that participated in the call can access summaries, both during and after calls.

Transcriptions can't be accessed without a secure key, which has limited and audited access. Transcriptions are generated by Zoom Cloud Transcriptions, and are not saved in Zoom's servers. Raw transcription data is only sent to OpenAI APIs, and is never sent to analytics services or client devices.

We use OpenAI for AI processing. OpenAI doesn't use customer data from Multi to train or enhance their models and adheres to a 30-day retention policy. You can learn more about OpenAI's privacy policy here: https://openai.com/enterprise-privacy.

Cloud Services and Storage

We use Google Cloud Platform, including Firebase, to manage user authentication, store user data, distribute our application, and run server-side functions for our applications. Google provides a highly secure network and computing environment. All data is encrypted in transit via HTTPS TLS 1.2 and stored on our servers under AES-256.

We aim to retain a minimum amount of customer data. For example, for each user we only retain data that is required to render that user to other users on the same team, such as name, availability, and profile picture.

Audio, Video, and Screen Share

We use Zoom as our sole vendor for audio, video, data transmission, and recording for call data streams including screen share and text chat. Zoom uses 256-bit AES-GCM encryption for streams in transit between Zoom applications, clients, and connectors. Streams flowing between users’ Multi apps are not decrypted until they reach the recipients’ devices. The encryption keys for each meeting are generated and managed by Zoom’s servers.

These call data streams are not recorded unless a user turns on call recording for a specific call. Call recordings utilize Zoom's cloud call recording, which are transferred to Google Cloud Storage on call completion. Zoom deletes all calls within 30 days.

Access to your call metadata is limited to a few Multi operations engineers, for whom access is essential. Access to this sensitive data is protected by two-factor authentication and is audited.

Shared Control

We use WebRTC for shared control: Data channels for data passing, and ICE for session creation. We use Twilio for STUN/TURN, and all streams are end-to-end encrypted and are not stored in Multi servers.

Shared control is only possible while in a call and actively screen sharing. Shared control is optional and requires two-way consent. The sharer always has the option to override shared control by clicking the mouse and selecting the "stop" button on the screen share controls.

Analytics

We use the following analytics tools to better understand customer needs, troubleshoot, and inform our product roadmap:

  • Segment

  • Sentry

  • BigQuery

  • Google Analytics

  • Userlist

  • June.so

None of these services receive access to the audio, video, transcriptions, recordings, or other streaming data.

Backup and Recovery

We maintain daily backups of server data and can recover in under an hour.

Reporting Issues

Companies are able to report issues directly to security@multi.app and we will troubleshoot as soon as possible.

If you have any questions about our security policy, please reach out to alexander@multi.app.

© Multi Software Co. 2023

© Multi Software Co. 2023