How secure is Sinch?

Sinch is compliant with PCI DSS, the Payment Card Industry Data Security Standard controlled by Visa, MC, Amex, Diners & JCB. Sinch also uses a Qualified Security Assessor to help us with the annual Report on Compliance.

All data centres hosting Sinch production have been awarded ISO27001:2005 certification for security management. In addition, we use SpiderLabs for external network penetration tests to help us understand our risk level.

How secure is the Sinch SDK?

The media stream (the call) is encrypted. Also, when calling, encryption is used during signaling (the call setup) by performing encrypted SSL/HTTPS requests towards our servers.

For Instant Messaging, all communications are encrypted using SSL/HTTPS requests. Thus, the body of each message is encrypted at all times.

Which information is sent to Sinch’s servers from the SDK?

The Sinch SDK sends information to Sinch’s servers so we can connect calls and for quality and reporting purposes. The information includes date/time, from/to information, setup time and call duration. Information is uploaded by the client in the background at the end of a call, a call failure or a similar event. While some of this information may be associated with the user ids of the call participants, it’s important to know that as a developer, you do not need to provide meaningful user ids to the SDK (you could provide hashed user ids, for example).
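One way to derive such ids on your own backend, as an added example (not Sinch code): a keyed hash (HMAC-SHA-256) rather than a plain hash, because an unkeyed hash of a guessable identifier such as a phone number or e-mail address can be matched by hashing candidate values. The function names, the context label and the sample key are assumptions for illustration, as is the idea that your id format accepts 22 base64url characters.

```python
import base64
import hashlib
import hmac
import unicodedata


def normalize(identifier: str) -> bytes:
    """Canonicalize so one user always maps to one pseudonym.

    Assumption: identifiers (e-mail, phone number) compare case-insensitively.
    """
    text = unicodedata.normalize("NFKC", identifier).strip().casefold()
    return text.encode("utf-8")


def pseudonymous_user_id(identifier: str, key: bytes,
                         context: str = "voip-user-id-v1") -> str:
    """Keyed pseudonym: HMAC-SHA-256, truncated to 128 bits, base64url."""
    if len(key) < 32:
        raise ValueError("key must be at least 32 random bytes")
    # The context label (hypothetical) separates these ids from any other
    # value derived from the same key.
    message = context.encode("utf-8") + b"\x00" + normalize(identifier)
    digest = hmac.new(key, message, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest[:16]).rstrip(b"=").decode("ascii")


def unkeyed_user_id(identifier: str) -> str:
    """Plain SHA-256, shown only for comparison."""
    return hashlib.sha256(normalize(identifier)).hexdigest()


def match_candidate(target_id: str, candidates, derive):
    """Return the candidate whose derived id equals target_id, else None."""
    for candidate in candidates:
        if hmac.compare_digest(derive(candidate), target_id):
            return candidate
    return None


if __name__ == "__main__":
    key = bytes(range(32))  # constructed sample key; use a random secret
    numbers = ["+1555010%d" % n for n in range(10)]  # constructed values
    print(pseudonymous_user_id("+15550107", key))
    # A plain hash is matched from a candidate list; a keyed id is not.
    print(match_candidate(unkeyed_user_id("+15550107"), numbers, unkeyed_user_id))
    wrong_key = lambda n: pseudonymous_user_id(n, bytes(32))
    print(match_candidate(pseudonymous_user_id("+15550107", key), numbers, wrong_key))
```

Keep the key in server-side configuration only; if the client app computed the id itself, the key would ship with the app and the pseudonym would be no stronger than the plain hash.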

Why do I need to get an export license in order to use the Sinch SDK?

This is a legal issue, so be aware that the following is not legal advice. According to U.S. law, all applications that contain encryption and are distributed from U.S. stores (App Store, Google Play, et cetera) require an export license. Our experience is that the registration process usually takes a couple of hours.