Trust Center
Meeting Room 365 is built on a security-first architecture. We collect only the minimum data necessary, all sensitive data is encrypted at rest, and all communication is encrypted in transit.
Security by Design
Our architecture minimizes risk by design — we store less, handle less, and encrypt everything.
Minimal Data Collection
We store only room configuration settings and admin email addresses. No calendar content, meeting details, attendee lists, or user passwords are ever stored on our servers.
Encrypted Credential Storage
Login information for Microsoft or Google is never stored. For OAuth customers, we store only the access and refresh tokens needed to read calendar data. All stored credentials and tokens are encrypted at rest with AES-256.
Encryption Everywhere
All data in transit is protected with TLS/SSL (HTTPS enforced). Data at rest is encrypted with AES-256. Security headers are enforced via strict Content Security Policy.
Connects to MR365 over HTTPS
Proxies calendar requests using OAuth tokens
Calendar data rendered in real-time, not persisted
How Your Data Flows
Meeting Room 365 acts as a secure intermediary between your display tablets and your calendar provider. Here's what happens:
- Display tablets connect to Meeting Room 365 over HTTPS to retrieve room status and calendar data.
- Meeting Room 365 proxies calendar requests to Microsoft Graph API or Google Calendar API using OAuth tokens granted by your organization.
- Calendar data is rendered in real-time on the display and is not persisted on our servers.
- Only room configuration settings (display preferences, admin contact) are stored server-side.
- For Room Finder and Analytics features, ephemeral occupancy snapshots are captured at 15-minute intervals (display name, online/offline status, occupancy).
Infrastructure & Hosting
Our systems are distributed across multiple cloud providers with no single points of failure.
OVHcloud
US & European Datacenters
Primary cloud infrastructure for application services.
DigitalOcean
AMS Region
Managed databases and SSD VPS hosting.
Cloudflare WAF
Multi-provider architecture
Cloud Identity & Firestore
Quarterly integrity testing
US, EU & APAC regions
Our infrastructure providers maintain their own compliance certifications including ISO 27001, SOC 2, and PCI DSS. These are provider-level certifications. For details, see DigitalOcean Trust, OVHcloud Compliance, and Google Cloud Compliance.
Data Protection & Encryption
Data in Transit
- TLS 1.2+ enforced on all connections (minimum version policy)
- End-to-end encryption: Cloudflare Full (Strict) SSL to origin servers
- Outbound API calls to Microsoft Graph and Google Calendar APIs are TLS-encrypted
- Database connections secured over private VNet
- Email authenticated with DMARC, DKIM, and SPF
- Strict Content Security Policy enforced via Helmet
Data at Rest
- AES-256 encryption for sensitive data at rest
- Encrypted daily backups on separate physical servers
- Minimal data footprint — only room configuration and admin contact info
- No calendar event content, meeting attendee data, or credentials stored
- Databases hosted on DigitalOcean managed databases
Access Control & Authentication
For most customers, the security question is not “does this product have SSO?” — it is “does this product force us outside the identity controls we already operate in Microsoft 365 or Google Workspace?” Meeting Room 365 is designed to stay inside those controls.
Delegated identity (off-site IAM)
Meeting Room 365 does not maintain a proprietary users table or custom password-hashing system for staff access. We do not ask IT to add another vendor vault entry for every employee.
- Default: OAuth 2.0 through Microsoft Entra ID (Azure AD) or Google Workspace. Users authenticate with their existing organizational account. Meeting Room 365 never receives or stores employee passwords for SSO flows.
- Surfaces: the same identity works across the admin portal, Visitors portal, and native apps where staff sign-in is required. Organizations are matched by SSO tenant identifier or verified company email domain.
- Email sign-in (limited): verified work-email and password is available for legacy accounts and Exchange (EWS)–only deployments. Free email domains are prohibited. Addresses must pass inbox verification and occasional re-verification. This path is backed by Google Cloud identity infrastructure, not home-grown auth code.
- Included: SSO is part of standard pricing — not a paid enterprise add-on.
End-User Authentication
OAuth 2.0 delegated authentication with Microsoft (Azure AD / Entra ID) and Google Workspace. Meeting Room 365 never handles or stores passwords for SSO users. Staff authenticate directly with their identity provider, inheriting the MFA and Conditional Access policies your organization already enforces.
Internal Access Controls
Admin panel secured via HTTPS with session management. Restricted access to production systems following the principle of least privilege. API access secured via tokens. SDK available at sdk.meetingroom365.com.
Product Security Features
SSO by Default
Staff authenticate through Microsoft Entra ID or Google Workspace via OAuth 2.0. There is no separate Meeting Room 365 password for typical Microsoft 365 or Google deployments — extend existing IdP controls instead of adding parallel logins.
Domain Verification
Organizations can verify domain ownership to ensure only authorized users within their tenant can manage room displays and configurations.
Data Access Policy
Meeting Room 365 employees will only access your data for the purposes of troubleshooting problems or recovering content on your behalf. Customer data is never accessed for any other purpose.
Native Apps, Less Surface
Native iOS and Android kiosk apps are part of our defense-in-depth story: optional calendar on the device (service user signed in on the tablet, OS calendar sync) for teams that want meeting content to stay off the cloud path entirely — while Admin still manages config and fleet operations. Standard Admin connections already use minimal OAuth with no calendar storage. Product guide
IP Filtering
Optional per-display IP filtering restricts access to all web-based resources — including calendar and display APIs — to your office public IP address or range expression. Layer with display lock for defense in depth.
Location & Diagnostics
We never request fine-grained device geolocation. Rough IP-based location routes traffic for performance and applies EU data protections when not explicitly configured. Remote in-app screenshots (Meeting Room 365 UI only) speed support with tight, automatic retention — opt out per display.
Application Security
Software Development Lifecycle
Code changes go through review before deployment. We maintain separate development, testing, and production environments. Application code is stored in a private Git repository with access restricted to authorized personnel.
Patch Management
Dependencies are regularly reviewed and updated. Security patches are prioritized and applied promptly. Infrastructure providers manage OS-level patching for managed services.
Vulnerability Scanning
Automated dependency scanning identifies known vulnerabilities in third-party packages. Cloudflare Web Application Firewall provides continuous protection against common web application attacks (OWASP Top 10).
Environment Separation
Development, testing, and production environments are separated. Production credentials and data are not used in development or testing environments.
Corporate Security
Credential Management
Internal credentials are managed using a password manager. Multi-factor authentication (MFA) is required for access to all production systems, cloud provider consoles, and internal tools.
Incident Response
We maintain an incident response plan covering detection, containment, eradication, and recovery. Customers are notified of security incidents that affect their data. System status is published at status.meetingroom365.com.
Logging & Monitoring
Application and infrastructure logs are collected and monitored. Access to production systems is logged. Anomalous activity triggers alerts for investigation.
Network & Endpoint Security
DDoS Protection
All traffic is proxied through Cloudflare, which provides automatic DDoS mitigation, rate limiting, and bot management. This protects against volumetric, protocol, and application-layer attacks.
Network Security
Production servers are firewalled with only necessary ports exposed. SSH access is key-based only. Infrastructure providers manage physical network security, intrusion detection, and facility access controls.
Endpoint Security
Employee devices use full-disk encryption. Operating systems and software are kept up to date. Access to production systems requires MFA.
Web Application Firewall
Cloudflare WAF is enabled and configured to block common attack patterns including SQL injection, cross-site scripting (XSS), and other OWASP Top 10 threats.
Compliance & Privacy
GDPR
We are actively working to meet or exceed GDPR requirements. Our databases are hosted in the EU region. We have established data request processes and documented all data processing partners.
View our GDPR Compliance page →Payment Security
Meeting Room 365 never processes, stores, or has access to credit card numbers. All payment processing is handled entirely by Stripe, a PCI Level 1 Service Provider — the highest level of certification in the payment industry.
Privacy
We minimize personally identifiable information collection, storing primarily admin email addresses and local IP addresses. We do not sell or share user data with third parties for marketing purposes.
Business Continuity & Disaster Recovery
Automated daily backups of all configuration data with quarterly integrity testing.
Multi-cloud architecture across OVHcloud, DigitalOcean, and Google Cloud.
Multi-provider deployment capability within minutes. Code stored in private Git repository.
Minimal data footprint enables rapid recovery. Backups on separate physical servers.
Subprocessors
We rely on a number of trusted third parties to operate our service. Each is carefully evaluated for security and privacy practices.
| Partner | Region | Purpose |
|---|---|---|
| OVHcloud |   |
Primary cloud infrastructure (US & European datacenters) |
| DigitalOcean | |
Managed databases (AMS region) |
| Cloudflare | |
CDN, DDoS protection, and Web Application Firewall |
| Stripe | |
Payment processing (PCI Level 1 Service Provider) |
| PostHog | |
Product analytics (EU-hosted) |
| Crisp | |
Customer support chat |
| Postmark | |
Transactional email delivery |
| Sentry | |
Error tracking and monitoring |
| Google Cloud | |
Authentication (Cloud Identity) and database (Firestore) |
| Bunny.net | |
CDN and EU-based object storage |
| Backblaze B2 | |
Object storage (supplemental) |
View full data processing partner details on our GDPR page →
Frequently Asked Questions
Common questions from enterprise security reviews and vendor assessments.
Login information for Microsoft or Google is never stored. For OAuth customers (Office 365, Google Workspace), authentication is delegated directly to Microsoft or Google — we store only the access and refresh tokens needed to read calendar data on your behalf. For EWS (Exchange on-premises) customers, service account credentials are stored on our servers. In all cases, stored credentials and tokens are encrypted at rest with AES-256.
We store only the minimum data required to operate the service:
- Configuration files describing admin portal settings
- Account administration email addresses
- Meeting room email addresses paired with display configurations
For Room Finder and Analytics features, ephemeral data captured at 15-minute intervals may include display name, online/offline status, occupancy status, and optionally meeting subjects and organizer information. No calendar event content, attendee lists, or user passwords are stored.
Our systems are distributed across multiple cloud providers: OVHcloud (US & European datacenters, primary infrastructure), DigitalOcean (AMS region, managed databases), and Google Cloud (Cloud Identity & Firestore). Databases are hosted on DigitalOcean. This multi-cloud architecture ensures no single points of failure and enables rapid failover.
Yes. All network traffic is encrypted using TLS/SSL (HTTPS enforced across all endpoints). Data at rest is encrypted with AES-256, including all stored credentials and tokens. Daily backups are stored on encrypted, separate physical servers.
All payment processing is handled entirely by Stripe, a PCI Level 1 Service Provider — the highest level of certification in the payment industry. Meeting Room 365 never processes, stores, or has access to credit card numbers. We are classified as a card-not-present merchant.
Yes. We are actively working to meet or exceed GDPR requirements. Our databases are hosted in the EU region, we have established data request processes, and all data processing partners are documented. See our GDPR Compliance page for full details including compliance tasks, data processing partners, and how to make a data request.
Room configuration data is retained while your account is active. Upon account deletion, all associated configuration data is removed. Daily backups are rotated on a regular schedule. Calendar data is never persisted — it is fetched in real-time from your calendar provider and displayed on your room tablets.
Yes. Meeting Room 365 integrates with Microsoft (Azure AD / Entra ID) and Google Workspace via OAuth 2.0. SSO is included at standard pricing — not an enterprise add-on. Staff use the same work account in Admin, the Visitors portal, and native apps where sign-in is required.
For Microsoft 365 and Google Workspace customers, no — authentication is delegated through OAuth 2.0 and Meeting Room 365 never stores employee passwords. We do not operate a proprietary users table or custom password-hashing stack for staff SSO.
A verified work-email and password path exists for legacy accounts and Exchange (EWS)–only deployments where SSO is unavailable. Free email domains are not permitted; addresses must pass inbox verification. That path is backed by Google Cloud identity infrastructure.
Third-party SaaS often creates a second login universe — another database to breach, another password reset flow, another entry in the company password manager. Meeting Room 365 is designed so Microsoft Entra ID or Google Workspace remains the control plane: MFA, Conditional Access, and offboarding stay where IT already manages them.
We are happy to discuss your specific data processing requirements. Please contact us at [email protected] to request a DPA or discuss your organization's needs.
Our infrastructure providers maintain the following certifications (these are provider-level, not Meeting Room 365 certifications):
- OVHcloud: ISO 27001, 27017, 27018, 27701, HIPAA/HITECH, PCI DSS Level 1
- DigitalOcean: ISO 27001, SOC 2 Type II, PCI-DSS
- Google Cloud: ISO 27001, 27017, 27018, SOC 1/2/3, PCI DSS, FedRAMP, HIPAA
We take all security reports seriously. Please email [email protected] with details of the vulnerability. We commit to acknowledging all reports within 48 hours. You can also check our system status at status.meetingroom365.com.