Security

Last Updated: November 14, 2025

Our Commitment to Security

At TranscribeAI, security is not an afterthought—it's a foundational principle. We employ industry-leading security practices to protect your data, ensure service availability, and maintain your trust. This page details our comprehensive security measures.

1. Data Encryption

1.1 Encryption in Transit

All data transmitted between your device and our servers is encrypted using industry-standard Transport Layer Security (TLS 1.3):

  • All API endpoints enforce HTTPS connections with TLS 1.3
  • We use strong cipher suites and perfect forward secrecy
  • HTTP Strict Transport Security (HSTS) is enforced across all domains
  • Audio file uploads are encrypted during transmission
  • All webhook notifications use encrypted channels
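The HSTS and TLS claims above are things a reviewer can verify from the response headers alone. The following is an added example, not TranscribeAI's code: it parses a Strict-Transport-Security header value and flags the settings that weaken it (no max-age, a max-age below one year, or a missing includeSubDomains directive). The header values in SAMPLES are constructed for the demonstration; the one-year threshold follows the HSTS preload-list requirements.

```python
"""Offline check of a Strict-Transport-Security (HSTS) header.

Added example, not TranscribeAI's code. The header values in SAMPLES are
constructed; the one-year max-age threshold and the includeSubDomains
requirement follow the HSTS preload-list rules.
"""
from __future__ import annotations

from dataclasses import dataclass, field

ONE_YEAR = 31_536_000  # seconds


@dataclass
class HstsVerdict:
    present: bool
    max_age: int | None = None
    include_subdomains: bool = False
    preload: bool = False
    problems: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def parse_hsts(value: str | None) -> HstsVerdict:
    """Parse one header value and record every weakness found."""
    if value is None:
        return HstsVerdict(present=False, problems=["no Strict-Transport-Security header"])
    verdict = HstsVerdict(present=True)
    saw_max_age = False
    # RFC 6797: directives are ';'-separated and their names are case-insensitive.
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            saw_max_age = True
            if arg.isdigit():
                verdict.max_age = int(arg)
            else:
                verdict.problems.append(f"max-age is not a non-negative integer: {arg!r}")
        elif name == "includesubdomains":
            verdict.include_subdomains = True
        elif name == "preload":
            verdict.preload = True
    # A header without max-age is invalid and browsers ignore it entirely.
    if not saw_max_age:
        verdict.problems.append("max-age missing; browsers ignore the header")
    elif verdict.max_age == 0:
        verdict.problems.append("max-age=0 clears the policy instead of enforcing it")
    elif verdict.max_age is not None and verdict.max_age < ONE_YEAR:
        verdict.problems.append(f"max-age {verdict.max_age} is below one year")
    if not verdict.include_subdomains:
        verdict.problems.append("includeSubDomains missing; subdomains can still be reached over HTTP")
    return verdict


# Constructed sample header values, one per hypothetical host.
SAMPLES: dict[str, str | None] = {
    "api": "max-age=63072000; includeSubDomains; preload",
    "legacy": "max-age=300",
    "disabled": "max-age=0",
    "missing": None,
}


def audit_samples(samples: dict[str, str | None] = SAMPLES) -> dict[str, list[str]]:
    """Map each sample name to its problem list (empty means compliant)."""
    return {name: parse_hsts(value).problems for name, value in samples.items()}


if __name__ == "__main__":
    for name, problems in audit_samples().items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

In practice the header value comes from a real response (for example `response.headers.get("Strict-Transport-Security")`); the parser is the same. Note that the check only covers the header, not the redirect from HTTP to HTTPS or the negotiated TLS version, which need a live connection.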

1.2 Encryption at Rest

Your data is encrypted when stored on our servers:

  • Audio Files: Encrypted using AES-256 encryption in our secure storage infrastructure
  • Database: All sensitive data in our PostgreSQL database is encrypted at rest
  • Backups: All backup files are encrypted using AES-256 before storage
  • Transcription Data: Stored with encryption and access controls

1.3 End-to-End Protection

From the moment you upload a file until it's deleted:

  • Files are encrypted immediately upon upload
  • Processing occurs in isolated, encrypted environments
  • Results are encrypted before storage
  • Secure deletion protocols ensure data cannot be recovered

2. Infrastructure Security

2.1 Cloud Infrastructure

Our infrastructure is built on enterprise-grade cloud platforms:

  • Hosting: Deployed on Vercel's secure, globally distributed edge network
  • Database: Supabase PostgreSQL with automatic backups and point-in-time recovery
  • Storage: Secure object storage with redundancy and geo-replication
  • CDN: Global content delivery network with DDoS protection

2.2 Network Security

  • Web Application Firewall (WAF) to protect against common attacks
  • DDoS protection and rate limiting on all endpoints
  • IP allowlisting capabilities for enterprise customers
  • Network isolation between production and development environments
  • Regular security scanning and penetration testing

2.3 Application Security

  • Secure coding practices following OWASP Top 10 guidelines
  • Input validation and sanitization on all user inputs
  • Protection against SQL injection, XSS, and CSRF attacks
  • Regular dependency updates and vulnerability scanning
  • Automated security testing in our CI/CD pipeline

3. Access Control & Authentication

3.1 User Authentication

  • Email Verification: All accounts require email verification
  • Password Security: Passwords are hashed using bcrypt with salt
  • Session Management: Secure session tokens with automatic expiration
  • OAuth Support: Integration with trusted identity providers
  • Multi-Factor Authentication (MFA): Available for enhanced account security
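To make the "hashed using bcrypt with salt" bullet concrete, here is an added example of salted, iterated password hashing with verification and rehash detection. It is not TranscribeAI's code: it uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt (which needs a third-party package), and the record format and helper names are this example's own assumptions. The properties it demonstrates are the ones that matter regardless of algorithm: a fresh random salt per password, a self-describing record so parameters can be raised later, a constant-time comparison, and malformed records treated as non-matching.

```python
"""Salted, iterated password hashing with verification and rehash detection.

Added example, not TranscribeAI's code. PBKDF2-HMAC-SHA256 from the standard
library stands in for bcrypt; the record layout algorithm$iterations$salt$digest
is this example's own convention.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # OWASP's current recommendation for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
DIGEST_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (base64)."""
    salt = secrets.token_bytes(SALT_BYTES)   # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, DIGEST_BYTES
    )
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def _split(stored: str) -> tuple[int, bytes, bytes] | None:
    """Parse a stored record; None for anything malformed or of another algorithm."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        if algorithm != ALGORITHM:
            return None
        return (
            int(iterations),
            base64.b64decode(salt_b64, validate=True),
            base64.b64decode(digest_b64, validate=True),
        )
    except (ValueError, TypeError):
        return None


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the record's own salt and iterations; compare in constant time."""
    parts = _split(stored)
    if parts is None:
        return False                      # unknown record never matches
    iterations, salt, expected = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, len(expected)
    )
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True when the record is malformed or below the current iteration policy."""
    parts = _split(stored)
    return parts is None or parts[0] < ITERATIONS


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("wrong", record))                          # False
```

The usual login flow is: verify, and if `needs_rehash` returns True for a successful login, store `hash_password(password)` in place of the old record. That lets the iteration count rise over time without forcing password resets.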

3.2 Authorization & Permissions

  • Role-based access control (RBAC) for team collaboration
  • Granular permissions for team members (Owner, Admin, Member)
  • Row-level security policies in our database
  • API key management with scoped permissions
  • Audit logging of all access attempts
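The bullets above describe three controls that should compose: a role hierarchy (Owner, Admin, Member), API keys whose scopes are narrower than the role, and an audit record for every access decision. The following added example, not TranscribeAI's code, shows one way they fit together. The role names come from the page; the permission strings, the `Principal` shape, the rule that a key's scopes can only narrow a role's permissions, and the audit-record layout are this example's assumptions.

```python
"""Role-based authorization with scoped API keys and an audit trail.

Added example, not TranscribeAI's code. Role names Owner/Admin/Member are from
the page; the permission strings and record layout are assumptions.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Roles are cumulative: each level inherits the previous one's permissions.
MEMBER = frozenset({"transcripts:read", "transcripts:create"})
ADMIN = MEMBER | {"transcripts:delete", "team:invite"}
OWNER = ADMIN | {"team:billing", "team:delete"}
ROLE_PERMISSIONS = {"Member": MEMBER, "Admin": ADMIN, "Owner": OWNER}


@dataclass(frozen=True)
class Principal:
    user_id: str
    team_id: str
    role: str
    # None means an interactive session; a set means an API key limited to those scopes.
    key_scopes: frozenset[str] | None = None


def effective_permissions(p: Principal) -> frozenset[str]:
    """A key can only narrow what the role grants, never widen it."""
    perms = ROLE_PERMISSIONS.get(p.role, frozenset())   # unknown role gets nothing
    if p.key_scopes is not None:
        perms = perms & p.key_scopes
    return frozenset(perms)


def authorize(p: Principal, action: str, resource_team: str, audit: list[dict]) -> bool:
    """Decide, then record the decision whether it was allowed or denied."""
    same_tenant = resource_team == p.team_id            # tenant boundary is checked first
    allowed = same_tenant and action in effective_permissions(p)
    audit.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": p.user_id,
        "team": p.team_id,
        "resource_team": resource_team,
        "action": action,
        "via": "session" if p.key_scopes is None else "api_key",
        "allowed": allowed,
        "reason": "ok" if allowed else ("cross-tenant" if not same_tenant else "missing-permission"),
    })
    return allowed


def audit_as_jsonl(audit: list[dict]) -> str:
    """One JSON object per line, the shape log aggregators ingest directly."""
    return "\n".join(json.dumps(entry, sort_keys=True) for entry in audit)


if __name__ == "__main__":
    log: list[dict] = []
    admin = Principal("u1", "team-a", "Admin")
    scoped = Principal("u2", "team-a", "Member", frozenset({"transcripts:read", "transcripts:delete"}))
    authorize(admin, "transcripts:delete", "team-a", log)   # allowed
    authorize(admin, "transcripts:delete", "team-b", log)   # denied: cross-tenant
    authorize(scoped, "transcripts:delete", "team-a", log)  # denied: key scope exceeds Member role
    print(audit_as_jsonl(log))
```

Two details are worth keeping when adapting this: denials are logged with the reason, since a burst of "cross-tenant" denials is the signal an IDOR probe leaves, and the tenant check runs before the permission check so that no role, including Owner, reaches another team's data.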

3.3 Internal Access Controls

  • Principle of least privilege for all internal systems
  • Multi-factor authentication required for all team members
  • Regular access reviews and permission audits
  • Automated deprovisioning of access when team members leave
  • All administrative actions are logged and monitored

4. Data Protection & Privacy

4.1 Data Minimization

We collect only the data necessary to provide our services:

  • No unnecessary personal information is collected
  • Audio files are automatically deleted after processing (unless saved by the user)
  • Temporary processing files are securely deleted within 24 hours
  • User data retention follows our published retention policies

4.2 Data Isolation

  • Complete data isolation between customer accounts
  • Team collaboration features maintain proper access boundaries
  • No cross-tenant data access or visibility
  • Separate environments for different subscription tiers

4.3 Data Deletion

  • Users can delete their data at any time through the dashboard
  • Secure deletion protocols prevent data recovery
  • 30-day grace period for account deletion (with immediate data inaccessibility)
  • Complete data removal including backups after grace period

5. Compliance & Certifications

5.1 Regulatory Compliance

  • GDPR: Full compliance with EU General Data Protection Regulation
  • CCPA: California Consumer Privacy Act compliance
  • SOC 2 Type II: Currently pursuing certification (expected 2026)
  • HIPAA: Available for healthcare customers (Enterprise plan)

5.2 Industry Standards

  • OWASP security best practices
  • ISO 27001 information security management principles
  • PCI DSS compliance for payment processing (via Stripe)
  • Regular third-party security audits

5.3 Data Processing Agreements

For enterprise customers, we offer:

  • Data Processing Agreements (DPA)
  • Business Associate Agreements (BAA) for HIPAA compliance
  • Custom security addendums
  • Standard Contractual Clauses (SCC) for international data transfers

6. Incident Response

6.1 Security Monitoring

  • 24/7 automated monitoring of all systems
  • Real-time alerting for suspicious activities
  • Log aggregation and analysis
  • Intrusion detection and prevention systems
  • Regular security audits and vulnerability assessments

6.2 Incident Response Plan

We maintain a comprehensive incident response plan:

  • Detection: Automated systems detect potential security incidents
  • Assessment: Rapid evaluation of severity and impact
  • Containment: Immediate action to limit damage
  • Investigation: Root cause analysis and evidence collection
  • Remediation: Fix vulnerabilities and restore normal operations
  • Notification: Timely notification to affected users as required by law

6.3 Breach Notification

In the event of a data breach:

  • Affected users will be notified within 72 hours
  • Detailed information about the breach will be provided
  • Clear guidance on protective measures will be shared
  • Regulatory authorities will be notified as required
  • Post-incident reports will be published

7. Business Continuity

7.1 Backup & Recovery

  • Automated daily backups of all critical data
  • Point-in-time recovery capabilities
  • Geo-replicated backups across multiple regions
  • Regular backup restoration testing
  • Recovery Time Objective (RTO): 4 hours
  • Recovery Point Objective (RPO): 1 hour

7.2 High Availability

  • 99.9% uptime SLA for Pro and Enterprise plans
  • Multi-region deployment for redundancy
  • Automatic failover mechanisms
  • Load balancing across multiple servers
  • Real-time health monitoring and auto-scaling

7.3 Disaster Recovery

We maintain a comprehensive disaster recovery plan:

  • Regular disaster recovery drills
  • Off-site backup storage
  • Documented recovery procedures
  • Alternative processing capabilities

8. Third-Party Security

8.1 Vendor Management

All third-party vendors undergo security review:

  • Security questionnaires and due diligence
  • Contract requirements for data protection
  • Regular vendor security assessments
  • Limited data access based on necessity

8.2 Key Service Providers

  • Vercel: Application hosting (SOC 2 Type II certified)
  • Supabase: Database and authentication (ISO 27001 certified)
  • AssemblyAI: AI transcription processing (SOC 2 Type II certified)
  • Stripe: Payment processing (PCI DSS Level 1 certified)
  • Resend: Transactional email delivery

8.3 API Security

  • All third-party API calls use encrypted connections
  • API keys are stored in secure environment variables
  • Regular rotation of API credentials
  • Minimal data sharing with third parties

9. Employee Security

9.1 Security Training

  • Mandatory security awareness training for all employees
  • Regular phishing simulation exercises
  • Secure development training for engineering team
  • Annual security refresher courses

9.2 Background Checks

  • Background checks for employees with data access
  • Non-disclosure agreements (NDAs) for all team members
  • Clear desk and clean screen policies

9.3 Access Management

  • Just-in-time access provisioning
  • Regular access reviews and revocation
  • Separation of duties for critical operations
  • All access changes logged and audited

10. Customer Security Responsibilities

10.1 Shared Responsibility Model

While we secure the platform, customers are responsible for:

  • Account Security: Maintaining strong passwords and enabling MFA
  • Access Control: Managing team member permissions appropriately
  • Data Classification: Understanding sensitivity of uploaded content
  • Compliance: Ensuring your use complies with applicable regulations
  • Monitoring: Reviewing account activity and audit logs

10.2 Security Best Practices

We recommend customers:

  • Use unique, strong passwords (minimum 12 characters)
  • Enable multi-factor authentication on all accounts
  • Regularly review team member access and permissions
  • Report suspicious activity immediately
  • Keep recovery email addresses up to date
  • Review security logs regularly
  • Use API keys securely and rotate them periodically

11. Security Testing & Audits

11.1 Internal Testing

  • Automated security scanning in CI/CD pipeline
  • Regular code reviews with security focus
  • Static application security testing (SAST)
  • Dynamic application security testing (DAST)
  • Dependency vulnerability scanning

11.2 External Audits

  • Annual third-party penetration testing
  • Regular vulnerability assessments by external firms
  • Compliance audits for certifications
  • Bug bounty program (launching Q1 2026)

11.3 Continuous Improvement

Our security program includes:

  • Regular review and update of security policies
  • Tracking of security metrics and KPIs
  • Post-incident reviews and lessons learned
  • Staying current with emerging threats and best practices

12. Security Reporting

12.1 Responsible Disclosure

If you discover a security vulnerability, please:

  • Email us immediately at security@audiototext.site
  • Provide detailed information about the vulnerability
  • Give us reasonable time to address the issue before public disclosure
  • Do not exploit the vulnerability beyond proof of concept

12.2 Security Updates

We keep customers informed through:

  • Status page for real-time incident updates
  • Security advisories for critical issues
  • Regular security newsletter (opt-in)
  • In-app notifications for security-related changes

12.3 Transparency

We believe in security transparency:

  • Public status page showing system health
  • Security white papers available upon request
  • Annual security report publication
  • Open communication about security incidents

13. Security Documentation

13.1 Available Resources

For enterprise customers, we provide:

  • Detailed security white paper
  • Architecture and data flow diagrams
  • Compliance documentation and certificates
  • Security questionnaire responses (VSA, CAIQ, SIG)
  • Penetration test reports (summary)

13.2 Contact Security Team

For security-related inquiries:

14. Updates to This Policy

We regularly review and update our security practices. Changes to this security page will be:

  • Posted on this page with an updated "Last Updated" date
  • Announced via email for significant changes
  • Made available in our change log

We encourage you to review this page periodically to stay informed about our security measures.

Questions About Our Security?

We're committed to maintaining the highest security standards. If you have questions about our security practices, need additional documentation, or want to report a security concern: