In today’s connected workplace, video conferencing is essential — not just for team collaboration, but for secure, day-to-day communication and mission-critical operations. While cloud-based platforms like Microsoft Teams, Zoom, and Google Meet dominate the market, they’re not always the right choice.
For organizations that deal with sensitive data, strict regulatory requirements, or require full control over the data lifecycle, self-hosted video conferencing offers critical advantages. By running conferencing infrastructure on your own hardware or in your private cloud, you retain control over data security, data sovereignty, and access to a full suite of conferencing features — without compromise.
In this blog, we explore:
- What self-hosted video conferencing really means
- The importance of data security in virtual meetings
- How data sovereignty and localization impact your regulatory compliance
- The trade-off between cloud convenience and security — and how to avoid it
- How VQ Conference Manager enables full-featured, secure, self-hosted video conferencing
Let’s start by understanding the core of the issue: virtual meeting data.
What is Virtual Meeting Data?
Virtual meeting data (VMD) includes all the information sent to and from meeting participants and the various servers supporting a virtual meeting.
When asked about this topic, most people think virtual meeting data is just the video and audio sent back and forth during a meeting. However, there are many forms of virtual meeting data, including:
- User data (email address, time zone, account settings, etc.)
- Meeting room data (email address for scheduling, location, configuration, etc.)
- Scheduling data
- Real-time video and audio data
- Shared content data
- Virtual whiteboard data
- Chat data
- Q&A data
- Gesture data
- Meeting transcripts
- Meeting recordings
- Meeting summaries and to-do lists
The First Line of Defense – Encryption
Encryption is essential for protecting virtual meeting data, both in transit and at rest. But not all encryption is created equal.
Types of Virtual Meeting Data Encryption
There are two types of encryption commonly used to protect virtual meeting data – standard encryption and end-to-end encryption (E2EE).
With standard encryption, cloud service providers can access your meeting data. However, with E2EE, only the sender and intended recipient can decrypt and access your information.
The table below highlights a few differences between standard encryption and end-to-end encryption of virtual meeting data.
| Encryption | End-to-End Encryption (E2EE) | |
| Key Management | Service provider manages encryption keys | Keys are generated and managed on user devices |
| Access to Content | Service provider can potentially access content | Only meeting participants can access content |
| Availability | Usually available to all users | Sometimes available to top-tier subscribers only |
| Implementation | Usually enabled by default | Often an optional feature that users must enable |
| Feature Compatibility | Supports all platform features | May limit certain features (e.g., recording, transcription) |
| Server Role | Servers can decrypt and re-encrypt data | Servers relay encrypted data without ability to decrypt |
| Use Case | Standard security for day-to-day meetings | Enhanced privacy for sensitive discussions and content |
Simply stated, end-to-end encryption means only you (meaning your meeting participants) can access your virtual meeting data.
Encryption Challenges
Fortunately, most cloud calling providers enable standard encryption by default. And many, but not all, offer end-to-end encryption. However, there are many encryption-related caveats to consider, including:
- Most cloud calling services, including some leading platforms, turn off end-to-end encryption by default.
- Some calling services only offer E2EE with their premium or top-tier subscriptions.
- Some calling services require E2EE to be selected during the meeting scheduling process.
- Some calling services offer E2EE for point-to-point (two party) calls but not for meetings.
- Some calling services encrypt video and audio traffic but do not encrypt shared content data, chat data, whiteboard data, app data, reactions data, Q&A data, transcription data, or translation data. This data is sometimes sent and stored in clear text (meaning unencrypted).
- Some calling services do not support key meeting features (e.g., meeting recording, some types of interop calling, transcription, real-time translation, etc.) when end-to-end encryption is in use.
- Some calling services do not allow certain types of endpoints (e.g., meeting room systems) to join E2EE meetings.
On the surface, encryption seems like a bulletproof way to keep your data secure. However, as described above, encryption is not a universal solution for deterring bad actors.
Can User Authentication Secure Cloud Meetings?
Usernames, passwords, passkeys, multi-factor authentication (MFA), single sign-on (SSO) and other user authentication approaches are a key part of limiting unauthorized access to critical data.
However, cloud services are accessible to anyone from the public internet. This gives threat actors around the world an opportunity to exploit login systems using phishing, credential stuffing, or social engineering.
Once the threat actor logs into the system, they gain immediate access to all meeting and account information available to that user.
Despite attempts to thwart such attacks using encryption or authentication policies, security breaches are common. For example, in 2023, hackers were able to hijack meetings, manipulate contacts, access organization-wide whiteboards, and extract sensitive chat data from one of the leading cloud calling providers.
Staying Secure with Self-Hosted
With self-hosted video conferencing, your virtual meeting data never leaves your network.
From meeting scheduling data to chat data to meeting recordings, these valuable bits travel to and from your servers on yournetwork.
And your virtual meeting data benefits from the same network security systems, tools, and procedures you use to protect the rest of your critical data.
In other words, your network security becomes an additional layer of protection on top of the encryption, authentication, and other tools within your video conferencing solution.
So, when a user forgets to enable end-to-end encryption for a critical meeting, the unencrypted data is still safe behind your firewall.
And, when encryption or E2EE must be disabled (either completely or for specific segments of the data path) to allow a meeting to be transcribed or recorded, your data is still protected from external prying eyes.
Understanding Data Residency and Data Localization
Self-hosted conferencing offers organizations more than just security — it provides confidence that their data stays where it belongs. This enables organizations to be compliant with data sovereignty regulations.
There are two key factors when weighing compliance with data privacy legislation: data residency and data localization.
Data Residency
Data residency refers to the physical or geographic location where data is stored. In most (but not all) cases, data residency is based on an organization’s wants, needs, or preferences.
It is important to understand that data residency focuses on where data is stored but does not limit where data travels or is processed.
For example, to ensure that data requests are processed quickly, an organization based in Paris might define a data residency policy that active data must be stored in data centers within 500 km.
Similarly, another organization might choose to host its data in Houston because its hosting company or storage provider offers the best rates for data stored in that location.
Notably, these data residency policies would not prohibit the transmission of the stored data to other locations to serve user requests or for other types of processing.
Data Localization
Data localization expands the concept of data residency by focusing on where the data travels, where it’s processed, and where it’s stored. Essentially, data localization is concerned with the entire data lifecycle – not just where the data is stored.
While data residency is typically an organizational choice, data localization is usually the result of government regulations requiring strict control over data movement, processing, and storage to protect citizen data or maintain national security.
For example, to comply with HIPAA regulations, a healthcare organization in the U.S. might have a data localization policy that requires patient data to always remain in the United States.
Comparing Data Residency and Data Localization
The table below highlights the key differences between data residency and data localization within the context of virtual meeting data.
| Data Residency | Data Localization | |
| Definition | Where data is stored | Where data is stored, processed, and travels |
| Legal Driver | Organizational preference | Government regulations |
| Flexibility | High – Data can travel and be processed as required (but must be stored in the proper location) | Low – Data is prohibited from leaving the defined geographic location (e.g., country of origin) |
| Control | Policy is typically controlled by the host organization | Regulation or mandate typically controlled by a Government |
| Purpose | Transparency, compliance, operational benefits, cost savings, customer experience improvements, etc. | Compliance with laws and regulations |
| Example | A multi-national e-commerce company requires marketing data to be stored in regional hubs to optimize access speeds. | A government agency requires that all data be stored on servers within the United States, processed only by computing facilities within U.S. borders, and transmitted solely through networks that do not route data outside the country. |
Data residency is about preference. Data localization is about compliance.
Data Sovereignty and Virtual Meeting Data
With cloud video conferencing services, each participant sends and receives data to and from the calling provider’s servers over the public internet.
Many cloud calling providers route virtual meeting data through multiple servers for cost, reliability, and scalability reasons,. Some providers aggregate specific types of data (e.g., chat data, meeting recordings, etc.) on servers in specific geographic locations for efficiency.
For example, imagine a user based in London was invited to a meeting hosted by a user based in New York. In this case, meeting data could be distributed as follows:
- User data (email address, time zone, account settings, etc.) might be stored in servers in the US, Europe, and Asia based on the home location of each registered user.
- Meeting scheduling data might be stored in a Hong-Kong server cluster.
- Real-time meeting traffic might travel from the London user’s PC to a server in London to a server in New York and ultimately to the meeting server in Phoenix, Arizona.
- Content shared with the London user during the meeting might traverse servers in the US and London before ultimately landing in a Singapore server cluster.
- Chat data might be hosted on a New York server during the meeting and then archived within a Singapore server cluster.
- To generate meeting transcripts, audio data might be sent from the New York server hosting the meeting to a transcription server in California, and then back to each user through multiple servers, before being stored on the Singapore server cluster.
- Meeting recordings might be stored on servers in the US, Europe, and Asia.
The takeaway is that with cloud video conferencing services, your virtual meeting data could travel to and be stored on multiple servers, in multiple countries, and even on multiple continents.
What about Cloud Provider Data Location Control Features?
Some cloud calling providers allow system admins to define data routing and storage location preferences. However, these are often treated as requests – not strict rules.
For example, given the choice between re-routing meeting traffic outside a customer’s preferred geographical preference area or having that meeting fail due to network congestion, some cloud calling providers will choose the route that protects the meeting experience at the expense of your data sovereignty policy.
Similarly, some cloud calling providers offer data localization for GDPR and specific country requirements (e.g., Germany requires some types of data must remain in Germany or only travel to countries with appropriate levels of data protection).
However, some of these data localization offerings offer “best effort” instead of strict data localization compliance as there are some circumstances when data may be:
- Transmitted to, processed by, or stored on servers in other parts of the world
- Accessed by support staff or others in other locations
For regulated industries — healthcare, finance, government — this loss of control is a dealbreaker. Cloud providers may offer location ‘preferences’ but often reserve the right to reroute data to maintain service quality.
The Video Conferencing Feature Explosion
The last few years have seen an explosion of innovation with video platforms like Cisco Webex, Microsoft Teams, Zoom Meetings, and Google Meet rolling out hundreds of new features at a dizzying pace:
- Real-time transcription and translation
- AI meeting summaries
- Background noise suppression
- Smart framing and face tracking
- Join-before-host
- Breakout rooms, whiteboards, polls, and more
These modern video conferencing platforms are packed with intelligent, server-powered features that require access to meeting data — meaning encryption must be dropped or weakened.
Server-Side vs. Client-Side Processing
Video conferencing platforms distribute tasks between server-side and client-side processing to optimize performance, functionality, and scalability.
Server-side processing involves using centralized resources to handle resource-intensive tasks like video mixing, transcription, and recording.
Client-side processing uses resources on user or meeting room devices to handle latency-sensitive functions such as camera framing and initial audio/video encoding.
Modern solutions often blend both approaches by using client-side pre-processing before optimizing server-side, offering cost-effectiveness, efficiency, and experience benefits.
The Cloud Ultimatum – Feature Set vs. Security
It makes perfect sense for video conferencing platforms to use centralized, shared, server-side resources to perform specific tasks and provide processor-intensive features.
However, this introduces a significant problem. To do their job, these server-side resources must have access to the virtual meeting data.
Unfortunately, this means the server must decrypt the virtual meeting data to provide server-side features. In other words, server-side processing and end-to-end encryption are mutually exclusive.
This is the unavoidable ultimatum between giving your users the power features they want and expect and protecting your virtual meeting data.
Video Conferencing Features Impacted by Data Security and Data Sovereignty Requirements
Not all server-dependent video conferencing features are obvious. While centralized recording clearly relies on server processing, many other popular features also depend on server-side resources — often without IT managers or users realizing.
This section identifies some of the features that normally utilize server-side processing that can impact both video conferencing security and data sovereignty.
| Video Conferencing Feature | Security and Data Sovereignty Impact |
| Cloud Recording | Requires decrypted data on cloud servers |
| Transcription & Captions | Requires audio to be processed remotely |
| Smart Summaries | Requires AI access to full meeting data |
| Join Before Host | Needs persistent access to video/audio streams |
| Breakout Rooms | Often incompatible with E2EE |
| PSTN/VoIP Participants | Typically can’t join E2EE meetings |
The above list includes only some examples of server-powered video conferencing features that typically introduce security or data sovereignty trade-offs.
Customers using a cloud video conferencing service provider have two options:
- Prioritize user experience by allowing access to features that introduce data security risks and violate data sovereignty policies.
- Prioritize data protection by denying users access to power features that significantly enhance the overall meeting experience.
Full Features Without Compromise
A common misconception is that self-hosted means stripped-down functionality. That’s simply not true.
This is especially the case with an enterprise-ready platform like VQ Conference Manager.
VQ Conference Manager enables:
- Interoperability with meeting room systems
- Sophisticated scheduling and resource management
- High availability and scalability
- Rich meeting feature sets
- Compliance with national and international data regulations
You get the best of both worlds: enterprise-grade features and total control over data. With self-hosted video conferencing solutions like VQ Conference Manager, the servers that process your virtual meeting data are under your control, processing only your data.
With self-hosted video conferencing, your data never leaves your network. Even when the virtual meeting data must be decrypted for processing (e.g. for AI noise reduction, meeting recording, or transcriptions), your data is still protected by your network security system and policies.
Why VQ Conference Manager?
You’ve spent (and still spend) a fortune creating and maintaining your secure network.
Self-hosting keeps your confidential virtual meeting data on your network, protecting your data from unauthorized access during every meeting.
VQ Conference Manager is trusted by some of the most demanding and security-conscious organizations in the world — including government agencies, healthcare institutions, and critical infrastructure providers.
It’s not just about conferencing. It’s about mission-critical communications with guaranteed compliance, resilience, and privacy.
It’s just that simple.