Question 1

Is MonkeyThorn Meet HIPAA compliant?

Accepted Answer

MonkeyThorn Meet is designed with HIPAA-adjacent security principles — end-to-end encryption, zero data retention, no recordings, and no AI processing. Our architecture means there is no Protected Health Information (PHI) for us to access, store, or breach. The server never sees call content, participant names, or metadata.

Question 2

Can MonkeyThorn Meet record my calls?

Accepted Answer

No. There is no recording capability — not for us, not for participants, not for anyone. We do not run a recording service, and it is not included in our infrastructure. Calls exist only while they are happening.

Question 3

How does end-to-end encryption work in MonkeyThorn Meet?

Accepted Answer

When you create a room, a passphrase is generated in your browser and included in the invite link's hash fragment — the part after the # symbol, which is never sent to the server. Participants' browsers use this passphrase to encrypt and decrypt all audio and video. The servers relay the encrypted data but cannot read it.

Question 4

Do I need to download anything to use MonkeyThorn Meet?

Accepted Answer

No. MonkeyThorn Meet runs entirely in your browser using WebRTC. No app, no extension, no plugin. Just open the link and join.

Question 5

What happens when my MonkeyThorn Meet hours run out?

Accepted Answer

You won't be able to create new rooms, but any active call will continue uninterrupted. You can buy another hour block at any time — your access code stays the same, and the new hours are added to your balance.

Question 6

Can I self-host MonkeyThorn Meet?

Accepted Answer

Yes. MonkeyThorn Meet is built on LiveKit, which is fully open source. You can run your own LiveKit server and deploy the Meet frontend to your own infrastructure for complete control over your data.

Question 7

What data does MonkeyThorn Meet store?

Accepted Answer

Only what's needed for billing: your email, access code, and how many minutes you've used. We do not store participant names, call times, room names, IP addresses, or any call content. Usage sessions are purged automatically.

Question 8

How is MonkeyThorn Meet different from Zoom or Google Meet?

Accepted Answer

Zoom and Google Meet process calls through their servers, offer AI features like transcription and summarization, retain metadata, and use data for product improvement. MonkeyThorn Meet does none of this. Calls are end-to-end encrypted, there is no AI, no recordings, and no metadata logging. We can't access call content even if compelled to.

Transport encryption	TLS 1.3 for all HTTP/WebSocket connections. DTLS-SRTP for all WebRTC media.
End-to-end encryption	AES-GCM via WebRTC Insertable Streams. Enabled by default using a passphrase in the URL fragment (never sent to server).
Key exchange	Passphrase-based. The passphrase is included in the invite link's hash fragment, which browsers do not transmit over the network.
Server access to media	When E2EE is active, the server relays encrypted frames it cannot decrypt. Without E2EE, the SFU has access to unencrypted media for routing purposes only — it does not store or process it.

Hosting	AWS EC2, US East (N. Virginia). Single-tenant instance — not shared with other customers.
Media server	LiveKit — open-source WebRTC Selective Forwarding Unit (SFU). No proprietary media processing.
TLS certificates	Issued by Let's Encrypt, managed by Caddy with automatic renewal.
Recording capability	Not installed. LiveKit supports recording via its Egress service, but we do not deploy it. There is no mechanism to record calls.
AI/ML processing	None. No transcription, sentiment analysis, or model training services are deployed or connected.

Your IP address	Visible during the connection (required for WebRTC). Not logged beyond standard infrastructure operation.
Room existence	The server knows a room exists while it has active participants. Room names are random 9-character codes.
Participant count	The server knows how many participants are in a room (required for routing media).
Call duration	For paid accounts, connection duration is tracked for billing. For free tier, not tracked server-side.

Security & Architecture

Encryption

Infrastructure

Data Flow

What the Server Knows

What the Server Does Not Know

Third-Party Dependencies

Vulnerability Reporting