Statement of Policies Regarding Data Security & Confidentiality

Every person and organization using Walkie expects that their information and data will be handled prudently and that it remains both confidential and secure. We understand this need and are working to ensure that we meet the security standards and expectations of our customers. Please review the below, which explain our current policies and procedures for security, privacy, and confidentiality. This is a living document and will be updated over time as we continue to enhance and improve our policies.


Privacy

By default, any streaming audio transmitted through Walkie is private. That means that the only recipients of any streaming audio will be the authenticated person(s) on your team that you are speaking to, when they are available and online. 


Your audio may be recorded and stored for up to 24 hours (the default functionality of Walkie), whether the recipient is available or unavailable. Access to the recording will be provided only to the authenticated recipient(s) on your team, but these recipient(s) will be able to replay the audio an unlimited number of times, at any time, within the 24 hours. Other team members will not be able to access this recording, nor will any stored audio be made publicly available. After 24 hours, access to the audio recordings will be revoked and the recordings themselves will be deleted.


In the future, we intend to introduce a feature that allows conversations to happen between multiple team members simultaneously. In this case, streaming audio and stored messages will be made available to all recipients in that group and may be replayed (for themselves, not for the group or others) by any member of the group. The same restrictions regarding storage time, access to audio recordings and streams, and handling of deletion explained above will also be applicable to these group messages.


When someone leaves your team, team administrators can revoke access to the team swiftly and easily. The account will be deleted and the user will no longer have access to the team or any recordings that they may have had available to them at the time of account termination. Any current connections they have to Walkie will be closed and they will be signed out from all locations.


Security

At Walkie, security is of the utmost importance to our team and we know it is vital to your team as well. With this in mind, we take several security precautions to protect your data the way we would expect anyone else to protect ours. Below, we’ve detailed some of our security practices.


End-to-End Encryption

All communications between your computer and the Walkie servers are encrypted. Based on the guidance of Mozilla Corporation’s recommended security practices, we are using TLS v1.3 to secure the connection and rely on the following cipher suites: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256. Our certificates are issued by LetsEncrypt and are renewed regularly per their requirements. When and if any changes to recommended encryption protocols, cipher suites, or security practices are provided by the security community, we may enhance or alter the tools in use to improve security.


Encryption-at-Rest

All audio recordings, user data, organization data, or analytics are encrypted-at-rest. We do this to ensure that all of the data is protected even when not actively in-use. We use Amazon S3 to store the audio recordings and they are encrypted using the 256-bit Advanced Encryption Standard (AES-256). All other user and organization data is stored with Amazon and encrypted using hardware security modules (HSMs) that have been or are in the process of being validated under FIPS 140-2.


Secure Data Centers

All of our data is stored within Amazon’s AWS data centers, which uses a wide array of security practices, both technical and physical to keep the data stored within secure.


Security Controls for Administrators

Walkie provides a number of security controls for administrators to manage their workspaces and the users within the workspaces. At any time, administrators are able to remove user accounts and terminate any open connections to the Walkie service within their team. Administrators can also reset passwords for user accounts as is deemed appropriate.


Confidentiality

The data you send through Walkie is confidential without exception. We have strict rules enforcing the access of internal data by employees and are fully committed to ensuring that your data remains confidential at all times.


In order to run Walkie, a limited number of employees are required to have access to the servers and services containing the data you send within your Walkie workspace. However, these employees are strictly prohibited from accessing the data without first obtaining permission from an administrator of your workspace. In the event that they do need to access your data for any reason, they will first contact you or an administrator of your workspace in order to obtain permission, and any access will be logged for auditing.


We understand that confidentiality and security are important to your team, just like it is to ours. So it is important to us that you understand just how seriously we take security and we strive to make it clear the variety of precautions and controls we have in place to protect your information.


If you have any questions about our security procedures or feedback about our security and confidentiality processes, we would be more than glad to answer them. You can reach our team at feedback@walkie.chat and we will respond as quickly as possible.