How secure is your video call ?

Every day, schools and government departments join virtual meetings without thinking too much about what happens behind the screen. We click “Join”, trust the software and assume our conversations stay private. But who really controls a video call? Is it the user? The platform provider? Or the cloud infrastructure storing and routing the data? As organisations increasingly rely on video conferencing, these questions matter more than ever.

Last month we had a discussion at Pro Integration Future Europe and below are some of the concerns and key points raised.

1. Who ultimately controls a video call — the user, the provider, or the infrastructure behind it?

Most people assume they control a meeting because they schedule it, invite participants and can mute microphones. In reality, control is layered. Users control participation, but providers control software functionality, updates and data policies. Behind both sits cloud infrastructure — the data centres and networks that process traffic. If your meeting is hosted on servers outside your country, then different legal jurisdictions may influence access to that data.

This becomes important in public sector environments. A local authority discussing vulnerable individuals or a school safeguarding concern is very different from a routine staff briefing. Organisations need to ask: where is our meeting data processed, who can access metadata, and under what laws?  Convenience often wins over visibility.

2. “End-to-end encryption” sounds reassuring — but what does it actually mean?

Many video platforms advertise end-to-end encryption (E2EE). The phrase suggests nobody except participants can read or access communications. In practice, implementation varies considerably between providers.

True E2EE means content remains encrypted from sender to recipient without the service provider decrypting it during transit. However, some meeting features — cloud recording, live captions, transcription, AI assistants or joining by telephone — may require data processing that weakens pure end-to-end models. Organisations should therefore ask more detailed questions than simply “Is encryption enabled?”

Questions worth asking include:

• Is encryption on by default?
• Does recording remain encrypted?
• Are transcripts stored?
• Can administrators access content?
• What metadata is collected?

Security claims need scrutiny beyond marketing terms.

3. It’s all about data: recordings, screensharing, notes, transcription

A meeting produces more than conversation. There are chat logs, recordings, shared screens, AI-generated summaries, attendance reports and images. Every piece becomes data that requires protection.

Many providers use European data centres, including facilities located in Germany, where organisations often highlight compliance with stricter EU data protection expectations. Under UK GDPR, organisations remain responsible for understanding where personal data travels and whether transfers outside approved jurisdictions occur.

But compliance does not automatically equal security.

An encrypted recording stored indefinitely still creates risk. A screenshot shared outside an organisation bypasses platform protections entirely. Human behaviour remains one of the biggest vulnerabilities. Secure systems cannot compensate for poor governance around retention, sharing or access controls.

The key question should be: Do we need to store this information at all? 

4. AI in cloud platforms: productivity gains or new security questions?

Artificial intelligence is increasingly embedded within meeting platforms. Features such as automatic framing, noise suppression, real-time transcription and meeting summaries improve accessibility and productivity. For busy teams, these functions are useful.

However, AI features depend on data processing. Audio, video and text may be analysed to create summaries or improve services. Organisations should ask:

• Is meeting content used to train AI models?
• How long is processed data retained?
• Can AI-generated notes expose sensitive discussions?

The challenge is balancing efficiency against exposure. AI can reduce administrative burden but may also increase uncertainty around where information goes and who ultimately benefits from that data.

Cloud-managed devices add another layer. Centralised administration improves updates and security controls, yet also concentrates risk if accounts or permissions are compromised.

5. Sovereign cloud: a genuine alternative or future necessity?

The discussion around sovereign cloud infrastructure is accelerating across Europe. France and Germany have increasingly focused on digital sovereignty — the principle that critical data and infrastructure should remain under national or regional control. Recent moves by parts of the French public sector away from mainstream collaboration platforms have reignited debate about dependency on global technology providers. 

Read more about the French Governments public sector cloud.

The UK is now asking similar questions almost 10 years later. After having our own groundbreaking (at the time) government cloud platform developed and managed through the JANET (JISC) network. It was sold in 2015 to the private sector and sadly no longer exists.

A sovereign cloud approach could offer:

• Greater control and ownership over sensitive government data
• Stronger alignment with domestic legal frameworks
• Reduced reliance on overseas infrastructure
• Increased resilience for critical national services
• A local workforce to manage and build the national service

Yet there are trade-offs. Sovereign solutions may cost more, provide fewer integrated features or develop more slowly than global platforms.

The bigger question is whether the UK risks lagging behind as European neighbours invest heavily in digital sovereignty strategies. For government, defence, education and healthcare sectors, this conversation is no longer theoretical.

Perhaps the future is not one cloud for everything, but different clouds for different levels of sensitivity. So do we bring back the JANET (JISC) services for education?

Conclusion: what does this mean for schools and government organisations?

Perfect security during a video call does not exist. Every organisation makes compromises between cost, convenience, usability and protection. The objective should not be perfection but proportionate security.

Schools require the same meeting controls as defence agencies, yet video call discussions in schools are not protected in the same way, when they hold the most sort after data (data belonging to our young people). Councils discussing public information with employees need different safeguards compared with meetings involving vulnerable residents.

So, should we classify meetings by sensitivity and apply appropriate controls:

• Routine meetings → standard collaboration environments
• Confidential operational discussions → enhanced controls and retention limits
• Sensitive government or safeguarding conversations including schools → stricter environments, potentially sovereign infrastructure

The future of secure communication may not depend on a single trusted platform, but on understanding which cloud is appropriate for which conversation.

The question is no longer “Which video platform do we use?”

It is increasingly: “Where does our data go — and who ultimately controls and owns it?”