Vonage Video API is a WebRTC platform for embedded real-time audio and video calls, previously known as OpenTok or TokBox. It processes highly sensitive audio and video streams in real time, and any optional recording or analytics feature triggers full GDPR and ePrivacy obligations for EU deployments.
Vonage Video API, previously branded OpenTok and originally developed by TokBox, is a WebRTC platform that lets developers embed real-time audio and video calls into web and mobile applications. It is now operated by Vonage, a US subsidiary of Ericsson. The service handles signalling, session creation, media routing via Selective Forwarding Units, optional cloud recording and live streaming.
A typical integration loads the opentok.js client, requests access to the camera and microphone via the browser, opens a WebRTC peer connection to a Vonage media router and exchanges DTLS-SRTP encrypted streams with other participants. Session tokens are issued by your server, so most state lives in memory rather than in browser cookies.
Vonage Video API mainly processes real-time audio and video streams, signalling messages, ICE candidates (which expose IP addresses), session identifiers, device fingerprints for diagnostics and, if enabled, recorded archives. Browser storage is limited: the SDK may write a small amount of local storage for device selection and quality tuning, and the underlying media servers see all IP addresses of participants.
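To make the point about ICE candidates concrete for a data-mapping exercise, the following added example (not part of the original page and not Vonage code) parses candidate attributes in the RFC 8839 field order and lists which participant-attributable addresses they disclose. The candidate lines and the function names are constructed for illustration.

```javascript
// Added example. Sample candidate lines are constructed (RFC 5737 documentation
// ranges and a made-up mDNS name); they are not captured Vonage traffic.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 2122194687 3f2a9c1e-7b4d-4e1a-9c55-0a1b2c3d4e5f.local 54322 typ host",
  "a=candidate:3 1 udp 1686052607 203.0.113.45 61000 typ srflx raddr 192.168.1.23 rport 54321",
  "candidate:4 1 udp 41885439 198.51.100.7 3478 typ relay raddr 203.0.113.45 rport 61000",
];

// RFC 1918, IPv4 link-local, IPv6 link-local and unique-local prefixes.
const PRIVATE = /^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|fe80:|f[cd][0-9a-f]{2}:)/i;

// Kind of identifier an address field carries.
function classifyAddress(addr) {
  if (addr.toLowerCase().endsWith(".local")) return "mdns-name"; // browser-obfuscated host
  return PRIVATE.test(addr) ? "private-ip" : "public-ip";
}

// Parse one candidate attribute; returns null if the line is malformed.
// Fields: foundation component transport priority address port "typ" type [raddr ...]
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, "").split(/\s+/);
  if (f.length < 8 || !f[0].startsWith("candidate:") || f[6] !== "typ") return null;
  const r = f.indexOf("raddr", 8);
  return { type: f[7], address: f[4], related: r !== -1 && f[r + 1] ? f[r + 1] : null };
}

// List every participant-attributable address a set of candidates discloses.
// For relay candidates the main address belongs to the TURN server, so only
// the related address (raddr) is attributed to the participant.
function participantAddresses(lines) {
  const seen = new Map();
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue; // skip anything that is not a candidate attribute
    const addrs = c.type === "relay" ? [] : [c.address];
    // Some browsers send 0.0.0.0 as a placeholder raddr; it identifies nobody.
    if (c.related && c.related !== "0.0.0.0") addrs.push(c.related);
    for (const a of addrs) seen.set(a, classifyAddress(a));
  }
  return [...seen].map(([address, kind]) => ({ address, kind }));
}
```

Running `participantAddresses` over candidates collected from a test call shows whether private LAN addresses, public addresses or only mDNS names reach the signalling channel, which is the level of detail a record of processing needs.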
For the core video call requested by the user, the legal basis is typically Art. 6(1)(b) GDPR, performance of a contract. Optional features such as session recording, transcription, AI noise suppression or analytics require Art. 6(1)(a) GDPR consent and, where they store or read information on the device, Art. 5(3) ePrivacy consent. Children, patients and other special categories trigger additional obligations under Art. 9 GDPR.
Vonage is headquartered in New Jersey and owned by Ericsson. Although Vonage operates European media edges to reduce latency, the control plane, billing data and session metadata are accessed from the US. Transfers rely on the EU-US Data Privacy Framework, supplemented by Standard Contractual Clauses, with media-level encryption (DTLS-SRTP) as the main technical supplementary measure under Schrems II.
Sign a Data Processing Agreement with Vonage, restrict media regions to the EU where possible, request explicit consent before any recording, store archives in EU regions, encrypt archives at rest, document a DPIA, inform users about Vonage as a processor, the US transfer and their rights, and provide a clear in-app indicator whenever audio or video is being recorded or transcribed.
Websites using Vonage Video API (formerly OpenTok / TokBox) must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally required for Vonage Video API integrations because real-time audio and video are personal data of a particularly sensitive nature, and may include children, patients or vulnerable users in telehealth, education or customer service scenarios. The DPIA must analyse media routing paths, US transfers, session recording features, retention of archives, encryption (DTLS-SRTP), access controls to the Vonage dashboard, and the impact of any AI or transcription add-ons.
Sample consent text
Our video call is powered by Vonage Video API (formerly OpenTok). Your camera and microphone streams pass through Vonage media servers, which can be located outside the European Economic Area, including in the United States. By starting the call you agree to this processing. If we record the session, we will request a separate, clearly identified consent before any recording begins.
Third-party domains contacted
api.opentok.com, tokbox.com, static.opentok.com, mantis.tokbox.com, video.api.vonage.com, hlg.tokbox.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| OT_AnonymousId | local_storage | Persistent | Anonymous client identifier used by the opentok.js SDK to correlate diagnostic events from the same browser. |
| opentok_session | session | Session | Holds the in-memory session token that authorises the WebRTC connection to the Vonage media router. |
| loglevel | local_storage | Persistent | Stores the verbosity level for the Vonage Video SDK logs in the browser. |
| tb_device_prefs | local_storage | Persistent | Remembers the last selected microphone, camera and speaker for the current user. |
| ot_logger | first_party | 1 year | Set on tokbox.com when telemetry is enabled to collect aggregated client-side performance metrics. |
Vonage Video API itself relies mostly on session tokens and limited local storage for device selection and quality stats. The Vonage corporate domains (tokbox.com, vonage.com) may set analytics cookies if you load assets from them directly, in which case standard consent rules apply.
For the video call itself, consent is generally not the legal basis: you rely on Art. 6(1)(b) GDPR (contract). However, you must obtain explicit consent before enabling recording, transcription, AI processing or analytics, and before storing any non-essential data on the user device.
The core video session is grounded in Art. 6(1)(b) GDPR. Recording, transcription and analytics rely on Art. 6(1)(a) GDPR. Security and fraud prevention logs can rely on Art. 6(1)(f) GDPR. Sensitive use cases (health, minors) require additional Art. 9 GDPR safeguards.
Yes. Vonage is a US company owned by Ericsson. Even when media is routed through EU edges, the control plane, dashboard and metadata are accessible from the US. Transfers rely on the EU-US Data Privacy Framework and Standard Contractual Clauses, with DTLS-SRTP encryption as a supplementary measure.
Yes, in most cases. Video and audio are sensitive personal data, the volume can be large, and certain use cases (telehealth, education, customer support) involve vulnerable users. A DPIA is required under Art. 35(3) GDPR criteria and EDPB guidance.
Sign a Vonage Data Processing Agreement, prefer EU media regions, encrypt archives, restrict admin access, request explicit consent for recording, display a clear recording indicator, document a DPIA and reflect Vonage in your privacy policy as a US processor.
Yes. LiveKit Cloud (EU regions), Daily.co with EU regions, Jitsi as a Service from 8x8, Whereby (Norway) and several self-hosted options like Jitsi Meet or mediasoup are EU-friendly alternatives with lower Schrems II exposure.
Document Vonage / OpenTok as a processor, list any local storage and signalling endpoints, disclose the US transfer mechanism (EU-US Data Privacy Framework plus SCCs), mention recording features when applicable and give users a way to refuse non-essential add-ons.