Petal is a call, not a database. Media is encrypted, calls go peer-to-peer when they can, and we keep almost nothing — because the safest data is the data we never store.
Your audio and video are encrypted end-to-end in transit with DTLS-SRTP — the WebRTC standard. It's mandatory in the protocol, not an optional toggle you can forget to switch on.
The signaling that sets up a call runs over TLS / WSS, so the messages that connect participants are encrypted too.
For small calls, audio and video flow directly between participants — the stream never touches a Petal server.
When a direct path is blocked by a firewall or restrictive network, we fall back to an encrypted TURN relay only to keep the connection alive. It relays; it doesn't decrypt.
By default Petal stores no recordings and no call content. Room names are ephemeral and disappear when the call ends.
When you deliberately turn on cloud recording, the resulting video is stored on Cloudflare Stream — nowhere else — and you control when it's deleted.
Nobody is recorded quietly. When a recording starts, everyone in the call is notified so consent is visible and in the moment — not buried in a settings page.
Petal runs on Cloudflare. We keep the list of infrastructure subprocessors short on purpose — fewer vendors means fewer places your data can go.
Workers and Durable Objects handle signaling and room state, Realtime provides the TURN relay when a direct path is blocked, and Stream stores cloud recordings only when you turn them on. We'll keep this list current as our stack evolves.
We'd rather tell you exactly what's done and what's in progress than paste badges we haven't earned. Petal is working toward the frameworks below — nothing here is a claim of completed certification.
This section describes commitments and a roadmap, not attestations. If your organization needs specific contractual or documentary assurances, contact us and we'll tell you honestly what we can provide today.
Found a security issue? Tell us and we'll act fast. Email security@petal.link.
Need a signed BAA (eligible plans) or a DPA for GDPR? Email security@petal.link and we'll get started.
We're happy to go deep on how any of this works. Email security@petal.link and a real person will answer.
Start a call