Architecture, Security, & Compliance

Architecture, Security, and Privacy


Last updated on June 20th, 2025


Our Systems


Our systems primarily reside in DigitalOcean & AWS, and are architected as follows:

  1. Tablet displays operate via a native web app, which securely authenticates and accesses third-party calendar services, such as Office 365 and G Suite. Your login information is transmitted directly to servers operated by Microsoft and Google, and is neither stored on nor passed through our servers. Once authenticated, a security token issued by Google or Microsoft is stored on our servers or your device, which can later be used to access a limited range of calendar data.

  2. Our servers store a minimal configuration file, which describes the options you have configured in the Meeting Room 365 Admin portal. This is loaded to your device each time it is accessed.

  3. All network traffic is encrypted (HTTPS / SSL). We avoid storing any PII (personally identifiable information) directly on our server when possible, with the exception of your account administration email address, which is part of your account. Billing is handled by a third party, in a PCI-compliant data-center.


Amazon AWS


ec2-13-56-48-87.us-west-1.compute.amazonaws.com


Continent: North America
Country: United States
State/Region: California
City: San Jose
Latitude: 37.3388 (37° 20′ 19.68″ N)
Longitude: -121.8914 (121° 53′ 29.04″ W)
Postal Code: 95141


AWS carries the following certifications, programs, reports, and third-party attestations:


CJIS, CSA, Cyber Essentials Plus, DoD SRG Levels 2 and 4, FedRAMP, FERPA, FIPS 140-2, FISMA & DIACAP, GxP, HIPAA, IRAP, ISO 9001, ISO 27001, ISO 27017, ISO 27018, ITAR, MPAA, MTCS Tier 3, NIST, PCI DSS Level 1, SOC 1, ISAE 3402, SOC 2, and SOC 3.

See https://d1.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf for more details.


AWS Security Whitepapers:

https://maturitymodel.security.aws.dev/en/whitepapers-faq/whitepapers/


DigitalOcean


inetnum: 178.128.0.0 - 178.128.15.255
netname: DIGITALOCEAN
country: US
admin-c: PT7353-RIPE
tech-c: PT7353-RIPE
status: ASSIGNED PA
mnt-by: digitalocean
created: 2019-04-17T13:47:21Z
last-modified: 2019-04-17T13:47:21Z
source: RIPE


DigitalOcean is a cloud datacenter provider, with data storage locations globally. We primarily store data in the SFO region, although we may expand to European and Asian (Singapore) data-centers in the future to improve performance for customers in those regions.


DigitalOcean is certified in the international standard ISO/IEC 27001:2013. By achieving compliance with this globally recognized information security controls framework, audited by a third party, DigitalOcean has demonstrated a commitment to protecting sensitive customer and company information. That commitment doesn’t end with a compliance framework, but the framework is a necessary baseline for security.


DigitalOcean has also received EU-U.S. and Swiss-U.S. Privacy Shield Certification, as well as SOC 2 Type II, and PCI-DSS certification.


You can read more here: https://www.digitalocean.com/legal/compliance/


OVH (Datacenter)


OVHcloud emphasizes robust security and compliance measures, ensuring that its Infrastructure as a Service (IaaS) offerings meet stringent industry standards. The company's U.S. data centers, located in Vint Hill, Virginia, and Hillsboro, Oregon, are central to these efforts.


Key Certifications & Attestations
  • ISO/IEC 27001:2022: Establishes a framework for an Information Security Management System (ISMS), ensuring the confidentiality, integrity, and availability of information.
  • ISO/IEC 27017:2015: Provides guidelines for information security controls applicable to cloud services, enhancing cloud-specific security measures.
  • ISO/IEC 27018:2019: Focuses on the protection of personally identifiable information (PII) in public cloud environments, ensuring data privacy.
  • ISO/IEC 27701:2019: Extends ISO/IEC 27001 and ISO/IEC 27002 to include privacy management, supporting compliance with data protection regulations like GDPR and CCPA.
  • SSAE 18 Type 2 SOC Reports:
    • SOC 1: Addresses controls relevant to financial reporting.
    • SOC 2: Evaluates controls related to security, availability, and confidentiality.
    • SOC 3: Provides a general-use report summarizing SOC 2 findings.
  • HIPAA & HITECH Compliance: Ensures that OVHcloud's services meet the requirements for handling protected health information (PHI) in the U.S.
  • PCI DSS Level 1 Certification: Validates that OVHcloud's infrastructure meets the highest standards for processing, storing, and transmitting credit card information.
  • CSA STAR Self-Assessment: Demonstrates OVHcloud's commitment to cloud security transparency and adherence to industry best practices.


You can read more here: https://us.ovhcloud.com/compliance/


OVH Europe Region


In Europe, OVHcloud operates under the same rigorous international standards while also aligning closely with EU regulations, most notably the General Data Protection Regulation (GDPR). European data centers are ISO 27001, 27017, 27018, and 27701 certified, and they undergo regular audits to ensure compliance with EU-specific privacy and data sovereignty requirements. OVHcloud also participates in industry initiatives such as CISPE (Cloud Infrastructure Services Providers in Europe), committing to ethical cloud practices, transparency, and European data protection standards.


OVH Global Coverage Note

Beyond the U.S. and Europe, OVHcloud maintains data centers worldwide, including Singapore, ensuring that customers in Asia benefit from the same level of security, compliance, and performance.


Cloudflare (DNS)


DDoS protection, content distribution network, and DNS redundancy.


Customer data does not pass through Cloudflare.


Bunny.net DNS & CDN

Bunny.net provides GEO DNS services for the meetingroom365.net domain, allowing traffic to be routed seamlessly to the closest datacenter. This does not override services which opt into an EU server lock.


Stripe (Payment Processing)


Third-party, PCI-compliant, GDPR-compliant billing providers.


Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry.


You can read more here: https://stripe.com/docs/security/stripe



Office 365 and Google Workspace API Access


Your Office 365 and Google Workspace data is accessed via a delegated token, which is stored on either our server or your device.

No end-user data is stored, including meeting times, subjects, and participants, from the events which are accessed.


To facilitate Room Finder and Analytics features, the following information is stored ephemerally, at 15-minute intervals:

  • Name of the display
  • Whether the display is online or offline
  • Whether the display is currently occupied or available


Optionally, for displaying meetings on status boards:

  • Meeting subjects
  • Meeting organizers
  • Meeting start/end times


Additionally, to facilitate the storage of your display configuration, your meeting room email address is stored, along with your display configuration.


Redundancy


We have no dependence on a single data-center or provider for operations. Our servers are tested to operate with three common service providers and can be deployed to any of them within minutes, and these changes can be reflected with a very low TTL in the event of a major outage or disaster. Additionally, each of our providers operates across multiple data-centers in multiple countries, giving us many options in the event of a large-scale system failure.


Backup systems


We store some data (display configurations) redundantly across data-centers and providers to eliminate the possibility of data loss due to a single point of failure. Additionally, backups are available to each user via their dashboard, at any time.


Our databases are backed up on a daily basis, and tested for integrity on a quarterly basis. Backups exist both on-site and off-site (the latter less frequent). "On-site" backups are on a separate physical server.


Our application is stored in a private Git repository (off-site), ensuring that any system can be rebuilt in the event of data loss. Additionally, our service providers provide reliable on-site backup systems which can be used to resolve any issues quickly and efficiently.


Privacy


We take privacy very seriously, and believe that the best way to protect your sensitive data is to eliminate the need to collect and/or store personal data (PII) when possible.


Because of this, we limit the amount of tracking and analytics data which is collected and stored, and limit their access to PII in all cases. In most cases, the only PII routinely stored or handled by our systems is your local IP address, and account email address. The primary exception to this is data processing (without storage) of meeting event data, and the tokens which are used to access that data.


PCI Compliance


Here is our PCI / DSS SAQ-321 asserting our level of PCI compliance as a "Card-not-present Merchant", All Cardholder Data Functions Fully Outsourced.


GDPR Compliance


As part of our ongoing efforts to protect the security and privacy of our users, we are working to meet or exceed the GDPR (General Data Protection Regulation). This site contains information on what steps we are taking, their progress, and who to contact for any security concerns. Please see our FAQ for more information.


You can read more about our GDPR compliance here: https://meetingroom365.com/gdpr


CCPA Compliance


We do not sell any personal data to third parties. Additionally, we do not meet the thresholds at which the CCPA applies. The law applies to a business that meets one of the following:


  • Has $25 million or more in annual revenue; or
  • Possesses the personal data of more than 50,000 “consumers, households, or devices”; or
  • Earns more than half of its annual revenue selling consumers’ personal data.

Updated on: 14/09/2025
