Security

In transit. All client-to-server traffic uses TLS 1.2+. Internal calls between Transcribr and our service providers (speech-to-text, LLM, storage, payments, email) are likewise TLS-encrypted.

At rest. Audio files and transcripts are stored on encrypted volumes via Cloudflare R2. Database (Postgres-on-Railway / SQLite-in-development) volumes are encrypted at rest by the underlying provider. Backups inherit the same encryption.

Authentication uses passwordless magic-link sign-in via Resend. We never see or store your password.

API keys you create are stored as SHA-256 hashes; the raw key is shown once at creation, and we have no mechanism to recover it. Keys can be scoped (read / write / all), expired, or revoked at any time.

Internal staff access to production systems follows the principle of least privilege. Privileged actions (credit adjustments, account merges) are audit-logged.

We use the following sub-processors. Each operates under a written agreement that binds them to data-protection standards substantially similar to the Australian Privacy Principles, and (for EU customers) to Standard Contractual Clauses approved by the European Commission.

• Speech-to-text: processes audio for transcription. Zero data retention; no training on customer data.
• OpenRouter (LLM gateway): routes AI feature requests (Show Notes, Ask) to underlying models such as Claude. Zero data retention.
• Cloudflare R2: object storage for audio files and exported artefacts.
• Stripe: payment processing and subscription billing. PCI-DSS Level 1 compliant.
• Resend: transactional email delivery (sign-in links, usage warnings).
• Vercel: hosting and edge delivery for the application.

A current sub-processor list is appended to our DPA and updated whenever a sub-processor is added or replaced.

You choose how long we keep your audio. Options are 1, 7, 30, 90 days, or “keep forever”. Default is 7 days. The transcript text remains in your account until you delete it, regardless of the audio-retention setting.

When the retention window passes, audio is deleted from R2 (or local disk in development) and the storage key is cleared from the database. Deletion is best-effort on access — if no one tries to play the audio, a daily cron will sweep expired files.

We do not use your audio or transcripts to train AI models, and we do not authorise our service providers to do so. Both our speech-to-text provider and our LLM gateway operate under zero-data-retention policies for the API tier we use.

AI features (Show Notes generation, Ask Your Transcript chat) are off by default for every transcript and only execute when you click the relevant button.

Application errors are captured for triage. Transcript content is excluded from error reports — we log identifiers and stack traces only. Access logs (who accessed what transcript and when) are retained for security and audit purposes for 90 days.

We monitor for unusual usage patterns (sudden spikes, credential-stuffing patterns) and rate-limit at the API gateway.

Found a vulnerability? Email security@transcribr.net with details and a proof-of-concept. We commit to:

• acknowledge your report within 2 business days,
• investigate and provide a status update within 7 business days,
• credit you (with permission) once a fix has shipped.

Please do not test against accounts you don't own, exfiltrate data beyond what is needed to demonstrate the issue, or publish details before we've had a chance to fix.

Today we operate under the Australian Privacy Act 1988 and the Notifiable Data Breaches scheme. We extend GDPR-equivalent rights to all users and CCPA/CPRA rights to California residents.

On the roadmap (subject to demand from enterprise customers):

• SOC 2 Type 1 — targeting completion within 12 months of enterprise traction.
• HIPAA Business Associate Agreement — once the underlying speech-to-text provider supports it for our tier.
• Data residency selection (EU, AU) — when R2 region pinning is wired up at the customer level.

If your purchase decision depends on any of these, get in touch — we'll share our current trajectory and where you fit in it.