Security Whitepaper

Circles for Zoom

© Copyright 2020 Unicorn Science, Inc.
All rights reserved.

3rd Party Data

Circles receives access to a user's Zoom profile through OAuth2. Below is a detailed explanation of the scopes requested.

  • View current user's meetings
      - We use this to allow Circles to find and display upcoming Zoom meetings to help users easily join.
  • View and manage current user's meetings
      - We use this to allow you to schedule new meetings through the Circles application.
  • View current user's information
      - We use this to query access tokens for a given user so they may start or join a meeting through our application. We also use this to store metadata (name, email, etc.) for Circles users and fill in the correct attendee name in the application.

Storage, Retention, and Configurability of Data

Circles stores meeting information (name, time, attendees) from Zoom meeting details when Circles is used to share meeting links or to schedule new meetings. Circles encrypts Zoom access tokens using AES256 encryption; they are encrypted when stored and at rest, and they are decrypted on demand per use. Retention is currently unlimited because we plan on providing additional reporting features to our customers. We work with customers to remove data per request.

Circles Personnel Access to Company Data

All access to company customer / production data is restricted to company-managed devices. Removable media is not allowed.

Circles Infrastructure

Circles relies on public cloud infrastructure for its operation.

  • The Circles client is a native macOS application. Upon installation, it becomes the default client for hosting & joining Zoom meetings.
    • The client is available for download as an app on the Zoom App Marketplace. The client has been audited and reviewed by Zoom's security team, and integrates with Zoom's App SDK.
  • The Circles backend is a NodeJS application, hosted on Amazon Web Services.
    • User data is stored in MySQL.

Application Security

  • Data at Rest
    • All customer data is stored within Amazon's cloud (MySQL) with access tokens encrypted at rest using AES256 encryption.
  • Data in Transit
    • All communication between systems is done over HTTPS (forced - HTTP is not allowed). Circles database client connections require SSL with TLSv1.2.
  • Logging

Network Security

  • Access Control
    • Employees have individual accounts for all systems and services. Account permissions are tightly controlled, and only the co-CEOs maintain administrative access.
    • Access to customer/production data is only allowed on company-managed devices.
  • Two-Factor Authentication
    • Two-factor authentication is enforced wherever possible.
  • Physical security
    • All company-managed devices have hardware encryption enabled.
    • Removable storage use is not allowed.

Circles Information Security

Circles has established an information security program. We've established a thorough set of security policies, and we review and update them annually. Every employee participates in mandatory security training and in ongoing awareness education. These policies may be provided upon request.

Additional Questions

This is a living document and a work in progress. Please reach out to us directly with any additional questions or for additional support: