Become a TechRadar Insider
We spend a significant part of our working lives video conferencing. Internal meetings, client discussions, board-level decisions, even clinical consultations. These are not casual conversations. They often involve information we would never put in writing, let alone share publicly.
And yet, most of the time, we don't question what happens to that data once the call ends. That's understandable. We shouldn't have to. The platform should just do the right thing.
CEO & CTO, Haia.
Most video conferencing platforms are not designed with privacy as their primary objective. The call itself is just the interface. Beneath it sits an infrastructure built to move, process, and increasingly analyze communication data.
Features like transcription, summarization, and sentiment analysis are useful, but they depend on processing the content of conversations. That content has to travel, be handled, and in many cases be stored.
The assumption is that encryption solves the problem. It doesn't.
Data on the move
When you join a video call, your audio and video don't travel directly to the other participants. They pass through relay servers, signaling infrastructure, and media handling layers, often crossing borders multiple times within a single session.
Each of those steps is a routing decision. In many cases, those decisions are driven by cost or available capacity, not jurisdiction. A call between two people in the same country can be routed through IT infrastructure in another, placing that data under a different legal framework without anyone realizing.
From a technical standpoint, data in transit is encrypted using standard WebRTC protocols such as DTLS-SRTP. That protects the media stream as it moves across networks, and most modern platforms implement this correctly.
But encryption in transit only answers part of the question. It does not address where that data is routed, what infrastructure it touches, or which laws may apply along the way.
Latency tells you more than you think
Latency is usually framed as a quality issue. Nobody enjoys talking over someone because of a delay.
But latency can also be a signal.
When media is routed through centralized infrastructure far from the participants, it introduces delay. That often means the data is being processed or relayed through systems that users have no visibility into, potentially being buffered or handled in ways they do not control.
A lower latency connection is not just about a smoother call. It often reflects a shorter, more direct data path, with fewer intermediaries involved.
For organizations that care about control and predictability, that distinction matters.
Sovereignty is not a checkbox
"Data sovereignty" is now a familiar requirement in procurement processes. It is often treated as a checkbox, supported by contractual assurances about where data is stored.
In practice, it is more complicated.
Where data is stored is only one factor. Where a company is incorporated, and which laws it is subject to, can be just as important. In some cases, organizations can be compelled to provide access to data regardless of where it physically resides.
For example, under laws such as the US CLOUD Act, US-incorporated companies can be required to provide access to data held overseas.
This creates a gap between perceived compliance and actual exposure.
For organizations operating under GDPR, handling public sector data, or working in regulated sectors such as healthcare, legal, and financial services, that gap has real implications.
The shift you might not see
Another change is happening more quietly.
AI-driven features are becoming standard in communication platforms. Transcription, summarization, and action tracking can be valuable tools, but they rely on analysing the content of conversations. By definition, they turn communication into data that can be processed, stored, and potentially reused.
These features are often introduced incrementally, enabled through settings or updates that are easy to overlook. Over time, the platform shifts from carrying communication to interpreting it.
There is a difference between a tool you choose to use and one that is embedded into the infrastructure handling your conversations.
Rethinking the default
None of this means video conferencing is inherently insecure, or that encryption in transit is ineffective. Those elements are well understood and widely implemented.
The issue is that they are often treated as the full solution, when in reality they are just one layer.
A more complete view needs to consider: the full path data takes during a call, the infrastructure it depends on, and the legal context that surrounds it.
Only then can organizations answer a simple question with confidence: where does our communication data go, and who ultimately has control over it?
As video communication continues to replace in-person interaction, that question is becoming harder to ignore.
Because these conversations are not just data in motion. They are decisions, relationships, and sensitive information that organizations are responsible for protecting.
And that responsibility does not end when the call does.
We've ranked the best webinar software.
This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.
The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit