Trust Center
Meeting Room 365 is built on a security-first architecture. We collect only the minimum data necessary, all sensitive data is encrypted at rest, and all communication is encrypted in transit.
Security by Design
Our architecture minimizes risk by design — we store less, handle less, and encrypt everything.
Minimal Data Collection
We store only room configuration settings and admin email addresses. No calendar content, meeting details, attendee lists, or user passwords are ever stored on our servers.
Encrypted Credential Storage
Login information for Microsoft or Google is never stored. For OAuth customers, we store only the access and refresh tokens needed to read calendar data. All stored credentials and tokens are encrypted at rest with AES-256.
Encryption Everywhere
All data in transit is protected with TLS/SSL (HTTPS enforced). Data at rest is encrypted with AES-256. Security headers are enforced via strict Content Security Policy.
Connects to MR365 over HTTPS
Proxies calendar requests using OAuth tokens
Calendar data rendered in real-time, not persisted
How Your Data Flows
Meeting Room 365 acts as a secure intermediary between your display tablets and your calendar provider. Here's what happens:
- Display tablets connect to Meeting Room 365 over HTTPS to retrieve room status and calendar data.
- Meeting Room 365 proxies calendar requests to Microsoft Graph API or Google Calendar API using OAuth tokens granted by your organization.
- Calendar data is rendered in real-time on the display and is not persisted on our servers.
- Only room configuration settings (display preferences, admin contact) are stored server-side.
- For Room Finder and Analytics features, ephemeral occupancy snapshots are captured at 15-minute intervals (display name, online/offline status, occupancy).
Infrastructure & Hosting
Our systems are distributed across multiple cloud providers with no single points of failure.
OVHcloud
US & European Datacenters
Primary cloud infrastructure for application services.
DigitalOcean
AMS Region
Managed databases and SSD VPS hosting.
Amazon Web Services
US-West-1 (San Jose)
Additional cloud infrastructure.
Cloudflare WAF
Multi-provider architecture
Quarterly integrity testing
US & EU regions
Our infrastructure providers maintain their own compliance certifications including ISO 27001, SOC 2, and PCI DSS. These are provider-level certifications. For details, see AWS Compliance, DigitalOcean Trust, and OVHcloud Compliance.
Data Protection & Encryption
Data in Transit
- TLS 1.2+ enforced on all connections (minimum version policy)
- End-to-end encryption: Cloudflare Full (Strict) SSL to origin servers
- Outbound API calls to Microsoft Graph and Google Calendar APIs are TLS-encrypted
- Database connections secured over private VNet
- Email authenticated with DMARC, DKIM, and SPF
- Strict Content Security Policy enforced via Helmet
Data at Rest
- AES-256 encryption for sensitive data at rest
- Encrypted daily backups on separate physical servers
- Minimal data footprint — only room configuration and admin contact info
- No calendar event content, meeting attendee data, or credentials stored
- Databases hosted on DigitalOcean managed databases
Access Control & Authentication
End-User Authentication
OAuth 2.0 delegated authentication with Microsoft (Azure AD / Entra ID) and Google Workspace. Meeting Room 365 never handles or stores passwords. Users authenticate directly with their identity provider, providing single sign-on through existing organizational accounts.
Internal Access Controls
Admin panel secured via HTTPS with session management. Restricted access to production systems following the principle of least privilege. API access secured via tokens. SDK available at sdk.meetingroom365.com.
Product Security Features
SSO by Default
All customers authenticate through their existing Microsoft or Google identity provider via OAuth 2.0. There is no separate Meeting Room 365 password to manage — SSO is the default authentication method.
Domain Verification
Organizations can verify domain ownership to ensure only authorized users within their tenant can manage room displays and configurations.
Data Access Policy
Meeting Room 365 employees will only access your data for the purposes of troubleshooting problems or recovering content on your behalf. Customer data is never accessed for any other purpose.
Application Security
Software Development Lifecycle
Code changes go through review before deployment. We maintain separate development, testing, and production environments. Application code is stored in a private Git repository with access restricted to authorized personnel.
Patch Management
Dependencies are regularly reviewed and updated. Security patches are prioritized and applied promptly. Infrastructure providers manage OS-level patching for managed services.
Vulnerability Scanning
Automated dependency scanning identifies known vulnerabilities in third-party packages. Cloudflare Web Application Firewall provides continuous protection against common web application attacks (OWASP Top 10).
Environment Separation
Development, testing, and production environments are separated. Production credentials and data are not used in development or testing environments.
Corporate Security
Credential Management
Internal credentials are managed using a password manager. Multi-factor authentication (MFA) is required for access to all production systems, cloud provider consoles, and internal tools.
Incident Response
We maintain an incident response plan covering detection, containment, eradication, and recovery. Customers are notified of security incidents that affect their data. System status is published at status.meetingroom365.com.
Logging & Monitoring
Application and infrastructure logs are collected and monitored. Access to production systems is logged. Anomalous activity triggers alerts for investigation.
Network & Endpoint Security
DDoS Protection
All traffic is proxied through Cloudflare, which provides automatic DDoS mitigation, rate limiting, and bot management. This protects against volumetric, protocol, and application-layer attacks.
Network Security
Production servers are firewalled with only necessary ports exposed. SSH access is key-based only. Infrastructure providers manage physical network security, intrusion detection, and facility access controls.
Endpoint Security
Employee devices use full-disk encryption. Operating systems and software are kept up to date. Access to production systems requires MFA.
Web Application Firewall
Cloudflare WAF is enabled and configured to block common attack patterns including SQL injection, cross-site scripting (XSS), and other OWASP Top 10 threats.
Compliance & Privacy
GDPR
We are actively working to meet or exceed GDPR requirements. Our databases are hosted in the EU region. We have established data request processes and documented all data processing partners.
View our GDPR Compliance page →Payment Security
Meeting Room 365 never processes, stores, or has access to credit card numbers. All payment processing is handled entirely by Stripe, a PCI Level 1 Service Provider — the highest level of certification in the payment industry.
Privacy
We minimize personally identifiable information collection, storing primarily admin email addresses and local IP addresses. We do not sell or share user data with third parties for marketing purposes.
Business Continuity & Disaster Recovery
Automated daily backups of all configuration data with quarterly integrity testing.
Multi-cloud architecture across AWS, DigitalOcean, and OVHcloud.
Multi-provider deployment capability within minutes. Code stored in private Git repository.
Minimal data footprint enables rapid recovery. Backups on separate physical servers.
Subprocessors
We rely on a number of trusted third parties to operate our service. Each is carefully evaluated for security and privacy practices.
| Partner | Region | Purpose |
|---|---|---|
| OVHcloud |   |
Primary cloud infrastructure (US & European datacenters) |
| DigitalOcean | |
Managed databases (AMS region) |
| Cloudflare | |
CDN, DDoS protection, and Web Application Firewall |
| Stripe | |
Payment processing (PCI Level 1 Service Provider) |
| PostHog | |
Product analytics (EU-hosted) |
| Crisp | |
Customer support chat |
View full data processing partner details on our GDPR page →
Frequently Asked Questions
Common questions from enterprise security reviews and vendor assessments.
Login information for Microsoft or Google is never stored. For OAuth customers (Office 365, Google Workspace), authentication is delegated directly to Microsoft or Google — we store only the access and refresh tokens needed to read calendar data on your behalf. For EWS (Exchange on-premises) customers, service account credentials are stored on our servers. In all cases, stored credentials and tokens are encrypted at rest with AES-256.
We store only the minimum data required to operate the service:
- Configuration files describing admin portal settings
- Account administration email addresses
- Meeting room email addresses paired with display configurations
For Room Finder and Analytics features, ephemeral data captured at 15-minute intervals may include display name, online/offline status, occupancy status, and optionally meeting subjects and organizer information. No calendar event content, attendee lists, or user passwords are stored.
Our systems are distributed across multiple cloud providers: OVHcloud (US & European datacenters, primary infrastructure), DigitalOcean (AMS region, managed databases), and Amazon Web Services (US-West-1). Databases are hosted on DigitalOcean. This multi-cloud architecture ensures no single points of failure and enables rapid failover.
Yes. All network traffic is encrypted using TLS/SSL (HTTPS enforced across all endpoints). Data at rest is encrypted with AES-256, including all stored credentials and tokens. Daily backups are stored on encrypted, separate physical servers.
All payment processing is handled entirely by Stripe, a PCI Level 1 Service Provider — the highest level of certification in the payment industry. Meeting Room 365 never processes, stores, or has access to credit card numbers. We are classified as a card-not-present merchant.
Yes. We are actively working to meet or exceed GDPR requirements. Our databases are hosted in the EU region, we have established data request processes, and all data processing partners are documented. See our GDPR Compliance page for full details including compliance tasks, data processing partners, and how to make a data request.
Room configuration data is retained while your account is active. Upon account deletion, all associated configuration data is removed. Daily backups are rotated on a regular schedule. Calendar data is never persisted — it is fetched in real-time from your calendar provider and displayed on your room tablets.
Meeting Room 365 integrates with Microsoft (Azure AD / Entra ID) and Google Workspace for authentication via OAuth 2.0. This provides single sign-on through your existing organizational identity provider — no separate account or password is needed.
We are happy to discuss your specific data processing requirements. Please contact us at [email protected] to request a DPA or discuss your organization's needs.
Our infrastructure providers maintain the following certifications (these are provider-level, not Meeting Room 365 certifications):
- OVHcloud: ISO 27001, 27017, 27018, 27701, HIPAA/HITECH, PCI DSS Level 1
- DigitalOcean: ISO 27001, SOC 2 Type II, PCI-DSS
- Amazon Web Services: HIPAA, FedRAMP, SOC 2, PCI DSS Level 1, ISO 27001, FISMA
We take all security reports seriously. Please email [email protected] with details of the vulnerability. We commit to acknowledging all reports within 48 hours. You can also check our system status at status.meetingroom365.com.