Name: MonkeyThorn Meet
Author: MonkeyThorn

Question 1

Is MonkeyThorn Meet HIPAA compliant?

Accepted Answer

MonkeyThorn Meet is designed with strong security principles — end-to-end encryption, zero data retention, no recordings, and no server-side AI processing. We do not sign Business Associate Agreements (BAAs) at this time. Our architecture means there is no Protected Health Information (PHI) for us to access, store, or breach. The server never sees call content, participant names, or metadata.

Question 2

Can MonkeyThorn Meet record my calls?

Accepted Answer

No. We do not deploy any recording service. LiveKit supports recording via its Egress service, but we do not install or configure it. There is no server-side mechanism to record calls. Participants can still use their own screen-recording software, but MonkeyThorn Meet itself has no recording functionality.

Question 3

How does end-to-end encryption work in MonkeyThorn Meet?

Accepted Answer

When you create a room, a passphrase is generated in your browser and included in the invite link's hash fragment — the part after the # symbol, which is never sent to the server per the HTTP specification. Participants' browsers use this passphrase to derive AES-GCM encryption keys via the Web Crypto API. All audio and video frames are encrypted before leaving the browser. The servers relay the encrypted data but cannot decrypt it.

Question 4

Do I need to download anything to use MonkeyThorn Meet?

Accepted Answer

No. MonkeyThorn Meet runs entirely in your browser using WebRTC. No app, no extension, no plugin. Just open the link and join. Supported browsers: Chrome/Edge 90+, Firefox 117+, Safari 15.4+.

Question 5

What happens when my MonkeyThorn Meet hours run out?

Accepted Answer

You won't be able to create new rooms, but any active call will continue uninterrupted. You can buy another hour block at any time — your access code stays the same, and the new hours are added to your balance.

Question 6

Can I self-host MonkeyThorn Meet?

Accepted Answer

Yes. MonkeyThorn Meet is built on LiveKit, which is fully open source (Apache 2.0 license). You can run your own LiveKit server and deploy the Meet frontend to your own infrastructure for complete control over your data.

Question 7

What data does MonkeyThorn Meet store?

Accepted Answer

Only what's needed for billing: your email, access code, and aggregate usage totals. Individual session durations are temporarily recorded for billing accuracy and automatically purged after 30 days. We do not store participant names, room names, IP addresses, or any call content.

Question 8

How is MonkeyThorn Meet different from Zoom or Google Meet?

Accepted Answer

Zoom and Google Meet process calls through their servers, offer AI features like transcription and summarization, retain metadata, and use data for product improvement. MonkeyThorn Meet does none of this. Calls are end-to-end encrypted, there is no server-side AI, no recordings, and no metadata logging. We can't access call content even if compelled to.

Transport encryption	TLS 1.3 for all HTTP/WebSocket connections. DTLS-SRTP for all WebRTC media.
End-to-end encryption	AES-GCM via WebRTC Encoded Transform (Insertable Streams). Enabled by default using a passphrase in the URL fragment (never sent to server). Requires Chrome/Edge 90+, Firefox 117+, or Safari 15.4+.
Key exchange	Passphrase-based. The passphrase is included in the invite link's hash fragment, which browsers do not transmit over the network.
Server access to media	When E2EE is active, the server relays encrypted frames it cannot decrypt. Without E2EE, the SFU has access to unencrypted media for routing purposes only — it does not store or process it.

Hosting	AWS EC2, US East (N. Virginia). Dedicated instance — not shared with other services or tenants.
Media server	LiveKit — open-source WebRTC Selective Forwarding Unit (SFU). No proprietary media processing.
TLS certificates	Issued by Let's Encrypt, managed by Nginx with automatic renewal via Certbot.
Recording capability	Not installed. LiveKit supports recording via its Egress service, but we do not deploy it. There is no mechanism to record calls.
AI/ML processing	No server-side AI/ML processing. No transcription, sentiment analysis, or model training services are deployed or connected. Client-side noise suppression (Krisp) runs locally in the browser via WebAssembly and does not send audio data to any external service.

Your IP address	Visible during the connection (required for WebRTC). Not logged beyond standard infrastructure operation.
Room existence	The server knows a room exists while it has active participants. Room names are random 9-character codes.
Participant count	The server knows how many participants are in a room (required for routing media).
Call duration	For paid accounts, connection duration is tracked for billing. For free tier, not tracked server-side.

Security & Architecture

Encryption

Infrastructure

Data Flow

What the Server Knows

What the Server Does Not Know

Third-Party Dependencies

Vulnerability Reporting