Security & Trust

Built private by default.

Petal is a call, not a database. Media is encrypted, calls go peer-to-peer when they can, and we keep almost nothing — because the safest data is the data we never store.

Encryption in transit

Your audio and video are encrypted end-to-end in transit with DTLS-SRTP — the WebRTC standard. It's mandatory in the protocol, not an optional toggle you can forget to switch on.

The signaling that sets up a call runs over TLS / WSS, so the messages that connect participants are encrypted too.

Peer-to-peer by default

For small calls, audio and video flow directly between participants — the stream never touches a Petal server.

When a direct path is blocked by a firewall or restrictive network, we fall back to an encrypted TURN relay only to keep the connection alive. It relays; it doesn't decrypt.

Data minimization

By default Petal stores no recordings and no call content. Room names are ephemeral and disappear when the call ends.

When you deliberately turn on cloud recording, the resulting video is stored on Cloudflare Stream — nowhere else — and you control when it's deleted.

Recording consent

Nobody is recorded quietly. When a recording starts, everyone in the call is notified so consent is visible and in the moment — not buried in a settings page.

Subprocessors

Who we rely on

Petal runs on Cloudflare. We keep the list of infrastructure subprocessors short on purpose — fewer vendors means fewer places your data can go.

Cloudflare Workers Cloudflare Durable Objects Cloudflare Realtime (TURN) Cloudflare Stream

Workers and Durable Objects handle signaling and room state, Realtime provides the TURN relay when a direct path is blocked, and Stream stores cloud recordings only when you turn them on. We'll keep this list current as our stack evolves.

Compliance posture

Honest about where we are.

We'd rather tell you exactly what's done and what's in progress than paste badges we haven't earned. Petal is working toward the frameworks below — nothing here is a claim of completed certification.

HIPAA Working toward
We're building toward HIPAA alignment. HIPAA requires a signed Business Associate Agreement (BAA) — one is available on request for eligible plans. Don't use Petal for protected health information until a BAA is in place.
GDPR Working toward
We support GDPR obligations through a Data Processing Agreement (DPA), available on request. EU data residency options are described on our Privacy page.
PHIPA / PIPEDA Working toward
We're aligning with Canadian privacy law (PHIPA and PIPEDA). Data-minimization by default and our DPA are the foundation; reach out to discuss your specific requirements.
HITECH Working toward
HITECH alignment is part of the same roadmap as HIPAA and travels with the BAA and our data-handling commitments.
ISO 27001 In progress
ISO 27001 certification is on the roadmap and in progress — not complete. We'll publish the certificate here once it's issued rather than before.

This section describes commitments and a roadmap, not attestations. If your organization needs specific contractual or documentary assurances, contact us and we'll tell you honestly what we can provide today.

Report a vulnerability

Found a security issue? Tell us and we'll act fast. Email security@petal.link.

Request a BAA or DPA

Need a signed BAA (eligible plans) or a DPA for GDPR? Email security@petal.link and we'll get started.

Questions

Talk to us about security.

We're happy to go deep on how any of this works. Email security@petal.link and a real person will answer.

Start a call