Security Controls

All data encrypted in transit using TLS 1.3

Database encryption at rest (AES-256)

Network isolation (Cloudflare Edge → Vercel → Neon)

DDoS protection via Cloudflare WAF

Automated daily backups with 30-day retention

AI Prompt Injection defense (input/output filtering)

Rate limiting on all API endpoints

XSS, CSRF, and SQL Injection protection

File upload validation (magic bytes + size limits)

No secrets exposed in frontend bundle

WebSocket connection limits per user

Regular penetration testing

Data export available (GDPR Article 20)

Account deletion with 30-day grace period (GDPR Article 17)

Meeting transcripts stored with encryption

Data automatically cleaned on service exit

Payment processed by Paddle — no card data on our servers

Passwordless authentication (Magic Link — no password storage risk)

AI models do not use customer data for training

AI system prompts are fully isolated and cannot be extracted

AI output automatically scanned for sensitive information

AI cost anomaly monitoring with automatic rate limiting

Meeting content used only for that session's analysis — never shared cross-user

Third-party AI providers (Google, Microsoft) are SOC 2 certified