Agora is a US based real time engagement platform that provides Voice, Video, Chat and Signaling SDKs over WebRTC. Embedded on a website or app it opens encrypted connections to the Agora Software Defined Real time Network (SD RTN), writes session identifiers to first party storage and routes audio and video media through global edge nodes, including EU edges. Voice and video content is personal data, so Agora integrations need a clear legal basis, consent for non essential telemetry and a documented international transfer mechanism.
Agora is a real time engagement platform headquartered in Santa Clara, California, with a related Chinese entity, Shanghai Agora Lab, that operates the China region. Developers integrate the Agora Web SDK, Voice SDK, Video SDK and Real Time Messaging SDK into a website or mobile app to add live audio, live video, interactive streaming, voice chat and signaling. The SDK opens encrypted WebRTC connections to the Agora Software Defined Real time Network (SD RTN), a global edge network with nodes in the European Union, the United Kingdom, the Americas, Asia Pacific and the Middle East.
For European publishers, Agora is appealing because it provides low latency global infrastructure, but it routes media through a US controlled control plane and writes session identifiers, device fingerprints and quality of experience telemetry to first party storage on the integrating site. Voice and video communications are sensitive personal data, which raises the GDPR risk profile of any Agora deployment.
On a typical integration the Agora SDK writes a session identifier, a peer connection identifier, device capabilities (camera and microphone, codecs, network type) and a small device fingerprint to first party storage (localStorage and IndexedDB) of the embedding site. It opens WebSocket and DTLS/SRTP connections to *.agora.io edge gateways, transmits the audio and video media and continuously sends Quality of Experience (QoE) statistics, including bitrate, jitter, packet loss, IP address and rough geolocation, to statscollector domains.
On agora.io properties (console, dashboard, marketing pages) Agora also sets functional cookies (csrf, session) and uses third party analytics such as Google Analytics, Hotjar and HubSpot. Cloud Recording and Cloud Transcription, when enabled, store the resulting audio, video and text files in Agora controlled buckets (Amazon S3 by default) for the duration configured by the developer.
Voice and video are content data that fall fully within Articles 4 and 5 of the GDPR. Agora acts as a processor (Art. 28 GDPR) on behalf of the publisher who is the controller. The publisher must sign the Agora Data Processing Addendum, document the legal basis, inform users in a privacy notice and implement appropriate technical and organisational measures (TOMs) including encryption in transit (DTLS/SRTP) and access controls on Cloud Recording.
Under ePrivacy (Art. 5(3) of Directive 2002/58/EC and its national transpositions in France, Germany, Spain and other EU member states), the session and device identifiers written to local storage by the Agora SDK are equivalent to cookies. Strictly necessary identifiers needed for the call the user has explicitly initiated may be exempt from prior consent, but device fingerprinting, QoE telemetry, third party analytics on the agora.io domain and any recording always require prior consent.
Best practice is to load the Agora SDK only after the user has clicked a clear call to action such as Start call, Join room or Enable camera. That click can serve as the legal basis under Art. 6(1)(b) GDPR (contract performance) for the strictly necessary session identifiers. A separate opt in is required for optional recording, transcription, AI based voice analytics and any quality survey or marketing telemetry that goes to third party analytics on the publisher domain.
In the European Union the EDPB consistently considers voice and video processing as high risk, so consent should be granular (call vs recording vs transcription vs analytics), informed (the privacy notice must mention US transfers and the Agora SD RTN) and as easy to withdraw as to give.
Agora Inc. is established in the United States. Although the SD RTN has edge nodes in Frankfurt, Amsterdam, London, Singapore and Sao Paulo, the control plane, account management and most logs remain in the US. The China region is operated by Shanghai Agora Lab and must be treated as a separate transfer to a country without an adequacy decision.
The Agora DPA incorporates the European Commission Standard Contractual Clauses (modules 2 and 3) and the UK International Data Transfer Addendum. EU customers can request that media servers are pinned to the EU region. A Transfer Impact Assessment should review US surveillance laws (FISA 702, EO 12333) and the additional risk of any China region usage.
Sign the Agora DPA from the Agora console. Configure region restriction to the EU when possible. Defer SDK loading until the user clicks to join a call. Wire recording, transcription and AI analytics to a separate optional consent in your CMP. Add Agora to your Article 30 Record of Processing Activities, list *.agora.io and statscollector domains in your privacy policy and CSP. Document the international transfers, run a Transfer Impact Assessment and complete a DPIA covering voice and video content.
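The click-deferred loading, per-purpose consent and CSP allow-list from the steps above, as an added example (not code from Agora or from this page). `ConsentGate`, `OPTIONAL_PURPOSES`, `buildCsp` and the injected `loadSdk` are hypothetical names, and the host names passed to `buildCsp` are assumed to come from the domain list on this page.

```javascript
// Added example. None of these names are Agora's API.
const OPTIONAL_PURPOSES = ["recording", "transcription", "analytics"];

class ConsentGate {
  constructor(loadSdk) {
    this.loadSdk = loadSdk;    // injected loader, e.g. a dynamic import() of the SDK bundle
    this.sdkPromise = null;    // null until the user joins: no SDK code, no storage writes
    this.granted = new Set();  // every optional purpose defaults to off
  }

  // Granular opt-in: one call per purpose, driven by the matching CMP toggle.
  grant(purpose) {
    if (!OPTIONAL_PURPOSES.includes(purpose)) {
      throw new Error(`unknown purpose: ${purpose}`);
    }
    this.granted.add(purpose);
  }

  // Withdrawing is as simple as granting.
  withdraw(purpose) {
    this.granted.delete(purpose);
  }

  // Call only from the click handler of "Start call" / "Join room".
  // Repeated clicks reuse the same load; a failed load can be retried.
  join() {
    if (!this.sdkPromise) {
      this.sdkPromise = Promise.resolve(this.loadSdk()).catch((err) => {
        this.sdkPromise = null;
        throw err;
      });
    }
    return this.sdkPromise;
  }

  // Flags the call code checks before enabling any optional feature.
  featureFlags() {
    return Object.fromEntries(OPTIONAL_PURPOSES.map((p) => [p, this.granted.has(p)]));
  }
}

// Builds a Content-Security-Policy value. connect-src governs fetch, XHR and
// WebSocket (signaling, telemetry); it does not restrict RTCPeerConnection media.
function buildCsp({ scriptHosts = [], connectHosts = [] }) {
  const script = ["'self'", ...scriptHosts.map((h) => `https://${h}`)];
  const connect = ["'self'", ...connectHosts.flatMap((h) => [`https://${h}`, `wss://${h}`])];
  return [`default-src 'self'`, `script-src ${script.join(" ")}`, `connect-src ${connect.join(" ")}`].join("; ");
}
```

If the SDK is bundled with the site's own JavaScript instead of fetched from a CDN, pass an empty `scriptHosts` so `script-src` stays at `'self'`.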
Websites using Agora must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally recommended because Agora processes voice and video communications, which are highly sensitive personal data, and routes them through US and Chinese affiliated infrastructure. The DPIA should cover speaker identification risks, recording features, transcription, the use of AI analytics on the media and the international transfers to the United States.
Sample consent text
We use Agora (Agora Inc., United States) to power the voice and video calls and chat features on this site. Joining a call connects you to Agora edge servers, sends audio, video and connection quality data and may set functional cookies. International transfers to the United States are covered by Standard Contractual Clauses. See our privacy policy.
Third-party domains contacted
- agora.io
- web-cdn.agora.io
- webrtc2-ap-web-1.agora.io
- webrtc2-ap-web-2.agora.io
- statscollector-1.agora.io
- statscollector-2.agora.io
- vocs.agora.io
- sd-rtn.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| session | first_party | Session | Functional session cookie used by Agora to keep an authenticated session on agora.io and to maintain WebRTC signaling state during a call. |
| csrf | first_party | Session | CSRF protection token used to validate API and signaling requests against the Agora gateway during a call. |
| AID | first_party | 2 years | Internal anonymous identifier used by Agora to correlate Quality of Experience telemetry (bitrate, jitter, packet loss) across sessions of the same browser. |
| _ga | third_party | 2 years | Google Analytics identifier used on agora.io marketing properties to distinguish unique visitors. Loaded only on agora.io properties, not on integrator sites. |
| _hjSessionUser_* | third_party | 1 year | Hotjar session user cookie used on agora.io properties for product analytics and session replay. Not loaded on integrator sites. |
| hubspotutk | third_party | 6 months | HubSpot visitor identifier used on agora.io properties to attribute marketing campaigns and form submissions. Not loaded on integrator sites. |
Agora uses cookies for user preferences — inform visitors with a consent banner.
The Agora Web SDK does not rely on traditional HTTP cookies on the publisher domain. It writes a session ID, a peer connection ID, device capability hints and a short device fingerprint to localStorage and IndexedDB. It also opens WebSocket and DTLS/SRTP connections to *.agora.io and sends Quality of Experience telemetry to statscollector domains. On agora.io itself (console, marketing pages) Agora sets functional cookies and uses Google Analytics, Hotjar and HubSpot.
Yes, in most cases. The strictly necessary session identifiers required to deliver the call the user has explicitly started can rely on contract performance (Art. 6(1)(b) GDPR), but device fingerprinting, Quality of Experience telemetry, recording, transcription, AI voice analytics and any third party analytics on agora.io require prior consent under Art. 5(3) ePrivacy and Art. 6(1)(a) GDPR.
Contract performance (Art. 6(1)(b) GDPR) for delivering the requested voice or video service. Consent (Art. 6(1)(a) GDPR) for non essential features such as recording, transcription, AI analytics and marketing telemetry. Legal obligation (Art. 6(1)(c)) may apply when recordings are kept for regulated sectors such as financial advice. Legitimate interest is rarely sufficient because of the sensitive nature of voice and video.
Yes. Agora Inc. is based in the United States and its related entity Shanghai Agora Lab operates the China region. Media is routed through the closest SD RTN edge but the control plane, account data and most logs are processed in the US. Transfers are covered by the EU Standard Contractual Clauses and the UK IDTA in the Agora DPA. EU customers can restrict media servers to the EU region and should run a Transfer Impact Assessment.
Yes. Article 35 GDPR triggers a DPIA when processing involves large scale processing of communication content, biometric features in voice or video, or systematic monitoring. Agora typically meets at least one of these criteria. The DPIA should cover speaker identification risks, recording, transcription, AI voice analytics, security measures and the international transfers to the United States and China.
Sign the Agora DPA from the console, request EU region restriction where possible, defer SDK loading until the user explicitly joins a call, gate optional features (recording, transcription, AI) behind a separate consent in your CMP, mention Agora and its US transfers in your privacy notice, list *.agora.io and statscollector domains in your CSP and update your Article 30 register and your DPIA.
For EU based real time engagement the main alternatives are Daily, LiveKit Cloud (EU clusters), Vonage Video API (now part of Daily), Twilio Programmable Video (US, similar profile), and self hosted options such as Jitsi Meet, LiveKit OSS, mediasoup or Janus Gateway. EU only deployments of LiveKit OSS or Jitsi often score better on the Transfer Impact Assessment, but require operational effort.
Add an Agora section to your privacy notice describing the SDK, the WebRTC media flows, the QoE telemetry, the use of localStorage and IndexedDB, and the international transfers to the US and China. In your cookie policy and CMP, list Agora as a third party with its own consent toggle, separate from optional recording and analytics features, and link the Agora privacy policy and DPA.