Personally Identifiable Information (PII) is any data related to a specific person that uniquely defines their online identity. Common examples of PII are first name and last name, social security number (SSN), phone number or email address.
Fields that can contain PII are marked in the documentation as "PII/PHI". Kaleyra treats these fields as though they contain personal data and therefore applies security controls according to the risk associated with that information. For example, this data is not visible to Kaleyra's employees unless strictly necessary, such as for debugging purposes.
Kaleyra Video as a platform doesn't require any personal information to work. Personal data like name or email cannot be attached to users - every object is anonymised by default.
However, the customization capabilities of Kaleyra Video allow for some PII to be present on parts of the content stored by customers, since sometimes it is needed for specific use cases.
Below you can find a list of items that are considered and treated as PII by Kaleyra, with some advice on how you can control the amount of personal data stored on Kaleyra's servers.
- User IDs: by default the user id is an automatically-generated string, but it can be customized. We advise not to use direct identifiers like social security numbers, phone numbers, concatenations of first name and last name, or other strings that include publicly recognizable information. In order to display names of participants during calls, please consider using a server-side user details provider so that this information is retrieved online without it being stored.
- User avatars: avatars are images representing users. If they include photographs they are considered sensitive PII because they can reveal a person's physical features, like gender, race or ethnic origin. As with user display names, it is preferable to adopt a server-side user details provider.
- Shared files: there are no restrictions on the content of files that can be shared between participants in a video call. Files can contain personal information, handwritten signatures, photos and other data that are considered PII. You can manage the lifecycle of shared files via APIs: get all uploaded files, get or delete a single file.
- Recording files: recordings are video and audio reports of conversations which can include PII. Recording files can be retrieved by generating a temporary download link, or deleted via API. They are also automatically removed when the configured retention period expires. Optionally, files can be encrypted by setting an encryption key (both symmetric and asymmetric encryption are supported).
- Chat messages: since messages contain free text, customers could use them to share personal information during a video call. REST APIs are available to get chat messages and delete conversations.
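
The User IDs advice above, as an added example (not Kaleyra's code or API): a check that flags candidate user IDs embedding an email address, phone number, SSN or known name, plus a keyed-hash derivation of an opaque ID from an internal record key. The patterns, the `usr` prefix, the ID length and all function names are assumptions; this page does not state the format constraints of custom user IDs.

```python
import hashlib
import hmac
import re

# Heuristic patterns for the direct identifiers named in the User IDs item.
# They are assumptions for illustration; tune them for your locale and data.
_EDGE = r"(?<![A-Za-z0-9]){}(?![A-Za-z0-9])"
DIRECT_IDENTIFIER_PATTERNS = {
    "email": re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+"),
    "us_ssn": re.compile(_EDGE.format(r"\d{3}-?\d{2}-?\d{4}")),
    "phone": re.compile(_EDGE.format(r"\+?\d[\d\s().-]{7,}\d")),
}


def find_direct_identifiers(user_id, known_names=()):
    """Return the kinds of direct identifier a candidate user ID seems to embed."""
    hits = [kind for kind, rx in DIRECT_IDENTIFIER_PATTERNS.items() if rx.search(user_id)]
    letters = re.sub(r"[^a-z]", "", user_id.lower())
    for name in known_names:
        folded = re.sub(r"[^a-z]", "", name.lower())
        if folded and folded in letters:
            hits.append("name")  # concatenation of first and last name
            break
    return hits


def pseudonymous_user_id(internal_id, secret_key, prefix="usr"):
    """Derive a stable, opaque ID from an internal record key with HMAC-SHA256.

    A keyed hash is used because an unkeyed hash of a phone number or SSN can be
    reversed by enumerating the small input space.
    """
    if len(secret_key) < 32:
        raise ValueError("secret_key must be at least 32 random bytes")
    mac = hmac.new(secret_key, internal_id.encode("utf-8"), hashlib.sha256)
    return prefix + mac.hexdigest()[:32]


if __name__ == "__main__":
    key = bytes(range(32))  # constructed demo key; load a real one from a secret store
    # Constructed sample candidates, not real data.
    for candidate in ("alice@example.com", "123-45-6789", "+39 333 1234567", "john.smith"):
        print(candidate, "->", find_direct_identifiers(candidate, known_names=["John Smith"]))
    opaque = pseudonymous_user_id("crm-000123", key)
    print(opaque, "->", find_direct_identifiers(opaque))
```

The derived ID is stable only for a given key, so rotating the key changes every user ID and the key has to be kept on your own servers alongside the mapping to real identities.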