CareAR has implemented a session recording feature for its CareAR Assist product utilizing the recording features from our media provider Agora.io. Session recording is controlled by the host of a given session and, when activated, captures video, audio, and any AR annotations in a recording file. With this optional feature, the customer is responsible for sourcing and configuring the storage used to house the recording files. Today, that storage option is AWS’s Simple Storage Service (S3). We may support other options in the future, depending on Agora.io’s capabilities.
The customer must be subscribed to the Enterprise plan to have access to the session recording feature.
Recording File Access
In no way does CareAR have access to the customer’s recording files. While CareAR does know the initial location of the file on the customer’s AWS S3 bucket, that’s all that CareAR knows. CareAR is not able to access, view, or otherwise manage the recording file for any reason. Note that the location of the file (represented by a URL) is populated against the historic session data in the customer’s portal experience. The customer’s tenant admins, tenant analysts, and the user creating the recording file are all able to see a recording file’s URL in the session.
If the session was initiated via ServiceNow, the recording file’s URL is captured and stored against the SNOW service ticket/incident/case. This contrasts with snapshots (images) that may have been created during a CareAR Assist session and attached to the SNOW service ticket/incident/case.
AWS S3 Bucket
To enable recording, a customer needs to set up an Amazon AWS S3 bucket within their organization’s AWS account for the recording files. The customer then configures the recording feature with the S3 bucket ID and credentials. The policies on this bucket are determined by the needs of the customer. However, CareAR recommends that the credentials provided only allow depositing of the recordings (write only).
By utilizing the customer’s S3 bucket, the CareAR recording feature allows customers to control the recordings with no ability for CareAR to view them. This is accomplished by following the CareAR guidance and creating S3 credentials that allow writing but not reading. The recorder can then deposit the recordings in the S3 bucket but has no permission to read these files. The account should not have read or delete access to your S3 bucket.
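An added example, not CareAR's or Agora's code: a Python check that a candidate IAM policy for the recorder's credentials grants no read, list or delete actions on the recording bucket. The bucket name, both sample policies and the list of forbidden actions are assumptions constructed for illustration; explicit Deny statements and NotAction are not evaluated.

```python
import fnmatch

# Actions the write-only guidance rules out (assumed list; extend as needed).
FORBIDDEN = ["s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket",
             "s3:DeleteObject", "s3:DeleteObjectVersion"]

def _as_list(value):
    # IAM allows a single value or a list for Statement, Action and Resource.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _applies_to_bucket(resource, bucket):
    # True if the Resource pattern can cover the bucket or objects inside it.
    if resource == "*":
        return True
    prefix = "arn:aws:s3:::"
    if not resource.startswith(prefix):
        return False
    bucket_pattern = resource[len(prefix):].split("/", 1)[0]
    return fnmatch.fnmatchcase(bucket, bucket_pattern)

def audit_write_only(policy, bucket):
    """Return the forbidden actions that Allow statements grant on the bucket."""
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny is not modelled, so the check errs towards flagging
        resources = _as_list(stmt.get("Resource"))
        if not any(_applies_to_bucket(r, bucket) for r in resources):
            continue
        # Action names are case-insensitive and may contain wildcards.
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
        for action in FORBIDDEN:
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                granted.add(action)
    return sorted(granted)

BUCKET = "example-carear-recordings"  # placeholder bucket name

# Constructed sample policies: one following the guidance, one too broad.
WRITE_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:PutObject"],
    "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}
TOO_BROAD = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": ["s3:PutObject", "s3:Get*", "s3:DeleteObject"],
    "Resource": "arn:aws:s3:::*"}}

if __name__ == "__main__":
    for name, policy in (("write-only", WRITE_ONLY), ("too-broad", TOO_BROAD)):
        print(name, audit_write_only(policy, BUCKET) or "OK")
```

An empty result means no Allow statement in the policy grants any of the listed actions on the bucket; attached policies from other sources (groups, bucket policy) need the same review.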
The S3 bucket is configured at the tenant level; if a customer is using more than one tenant and wants to have recording enabled, then a unique S3 bucket must be assigned to each tenant.
To configure video recording, a tenant administrator can log into the admin web portal at https://carear.app/#/admin. Once logged in, there will be a section for Amazon S3 Configuration. By default, these fields are blank. To view the full recording configuration, please visit: Recording Configuration
Data information while recording
When video recording is engaged, a video recording component from Agora.io joins the CareAR session to record the video. When this recorder joins the CareAR session, the call (if encryption is enabled) becomes a hop-by-hop encrypted call. While it records the video and audio of the CareAR session, the recording passes through a few steps.
Temp files in Agora Recorder
The Agora recorder will buffer recording segments into “chunks” locally to the Agora recording service. When the recording is stopped (by the host user or if the system determines the session is over), then Agora assembles and converts the recording data into the final MP4 file.
Temp files in Amazon S3
Once the final MP4 recording file is successfully moved to the customer’s Amazon S3 bucket, the temporary file held in the Agora domain will be deleted by Agora. Until both conditions are met, these files remain on the Agora recorder, which re-attempts for up to 7 days.
Completion of video recording
When a video recording is complete, the Agora recorder will stitch the temporary files together into a final .mp4 video file. Once the conversion process is complete, the recorder deletes the source files from the Agora service.
Encryption during recording
When encryption is enabled, the recorder needs to have the encryption key in order to create recordings. This necessarily changes the media encryption from end-to-end encryption to hop-by-hop encryption. But at no point is the media traffic sent unencrypted unless you have encryption turned off in the CareAR tenant configuration.
Encryption After Recording - Amazon S3 Bucket Encryption
The form of encryption for the data at rest, the final video recording, will depend on the configuration of your organization’s Amazon S3 account. To find out more about managing the encryption of your S3 bucket, please visit https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingEncryption.html and https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-bucket-encryption.html.
Are users aware of recording?
Yes. During a CareAR session, when the video recording function is utilized, warning messages will display to all participants that recording has been turned on.
As the call continues, a red recording icon will display in the top center with the duration of the recording.