Security overview
We take the security of your data seriously. Roam is built with security and compliance in mind, leveraging industry-standard best practices and AWS-native tools to ensure the confidentiality, integrity, and availability of customer data.
Compliance & Certifications
SOC 2 Type II Report
Roam has successfully completed a SOC 2 Type II audit for the period of March 17 - September 16, 2025, covering the security, availability, and confidentiality trust principles. This independent audit affirms that our systems and controls are designed to meet the highest standards of data protection and operational integrity.
To request a copy of our SOC 2 report, please email us at security@ro.am. We will provide our mutual NDA and, once signed, promptly share the report.

General Data Protection Regulation (GDPR)
Roam supports compliance with the GDPR for customers operating in the European Economic Area (EEA). See Compliance with GDPR for more information.
Health Insurance Portability and Accountability Act (HIPAA)
Roam supports HIPAA compliance for customers handling protected health information (PHI). See Compliance with HIPAA for more information.
Data Protection
- All data is encrypted in transit using TLS 1.2 or higher.
- Data at rest is encrypted using AWS Key Management Service (KMS) with customer-managed or AWS-managed keys, depending on the use case.
- Customer data is logically isolated per tenant using a combination of service-layer authorization, scoped data access, and network-level controls.
Secure Coding Practices
- Our engineering teams follow secure software development lifecycle (SDLC) practices with security requirements considered at each phase of development.
- Developers receive regular training on OWASP Top 10 security risks and secure coding techniques.
- We incorporate code reviews, automated linting, and static analysis tools into our CI/CD pipelines to catch security issues early.
Environment Isolation
- We maintain separate AWS accounts for production and pre-production environments. This ensures strict separation between environments and reduces the risk of accidental cross-environment access.
- Access controls and role-based permissions enforce environment isolation at both the infrastructure and application levels.
Access Control & Identity Management
- We enforce Multi-Factor Authentication (MFA) for all accounts with access to production systems.
- Access to production systems is limited to a small group of authorized personnel based on job responsibility, and is audited regularly.
- IAM roles with least-privilege permissions are used wherever possible, and are regularly reviewed.
Network Security
- We use segregated subnets within our VPC to separate public-facing services from internal components.
- Security Groups restrict access to services on a per-store basis.
- Internal services are not exposed to the public internet unless explicitly required and reviewed.
Monitoring & Threat Detection
- AWS GuardDuty is enabled across all environments for continuous threat detection and analysis.
- Logs are collected centrally and monitored via AWS-native and third-party tools for anomaly detection and audit trails.
Vulnerability Management
- We use Renovate to scan dependencies and automatically generate pull requests for updates, ensuring known vulnerabilities are patched promptly.
- Regular vulnerability scans and security reviews are part of our CI/CD pipeline.
Audit Logging
- All infrastructure and application-level actions are logged and timestamped, including authentication events, API calls, configuration changes, and access to sensitive resources.
- Logs are stored securely in immutable, centralized log storage and retained according to our data retention policy.
Incident Response
- We maintain a documented and tested Incident Response Plan (IRP) to quickly contain and remediate security incidents.
- Our team is on-call 24/7 to respond to any critical events.
- In the event of an incident affecting customer data, we will promptly notify impacted customers in accordance with our terms of service and applicable regulations.
- Post-incident reviews are conducted to analyze root causes and implement corrective actions.
Backup & Disaster Recovery
- We perform automated, regular backups of critical systems and data.
- Backups are securely stored in multiple AWS regions for redundancy and disaster resilience.
- Our recovery procedures are tested periodically to ensure data can be restored quickly and accurately.
- Disaster recovery processes are integrated into our incident response planning.
Shared Responsibility Model
- Security in the cloud is a shared responsibility. We manage the security of the cloud infrastructure (AWS environment, services, and platform-level controls), while our customers are responsible for securing their application-level configurations, user access, and data usage within the platform.
- We provide tools and documentation to help customers meet their own security and compliance obligations.