Every security control is implemented in the core platform, not added as an afterthought. Strict-by-default, deny-by-default, validated at every layer.
Six security controls active in production today.
All API credentials and sensitive configuration are encrypted at rest using AES-256-GCM. The encryption key must be supplied at startup; there is no fallback key and the service will not start without one.
Server-side OAuth flow with secure token handling. Bearer tokens required for all API routes when authentication is enabled. No same-origin bypass.
Every query is scoped to the authenticated user. Transcripts, analyses, and configurations are isolated per account. No cross-tenant data leakage.
Outbound URL validation at the DNS resolution level: the host is resolved and every resolved address is checked. Private, loopback, and link-local addresses are blocked, including IPv4-mapped IPv6 addresses. HTTPS enforced.
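The resolve-then-check flow described above, written here as an added example rather than TranscriptIntel's own code: the host is resolved, IPv4-mapped IPv6 records are unwrapped so they get the IPv4 checks, any record in a private, loopback or link-local range (and, slightly beyond the list above, multicast and unspecified) rejects the whole URL, and only https is accepted. The injectable `resolver` parameter and the address values are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def resolve_all(host: str) -> list[str]:
    """Return every A/AAAA record for host (real DNS; tests inject a stub)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_blocked_address(addr: str) -> bool:
    """True for any address an outbound fetch must never reach."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:a.b.c.d is really IPv4: unwrap so 127.0.0.1 etc. are caught.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_unspecified or ip.is_reserved)


def validate_outbound_url(url: str, resolver=resolve_all) -> tuple[bool, str]:
    """Vet url; return (True, ip_to_connect_to) or (False, reason)."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "only https:// targets are allowed"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    if parts.username or parts.password:
        return False, "credentials in URL are not allowed"
    try:
        # Literal IP (incl. [::1] literals): no lookup, same checks apply.
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return False, f"{host} did not resolve"
    # A single blocked record is enough to reject: do not pick the "good" one.
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, addrs[0]
```

Connect to the returned address (with the original hostname as SNI/Host) rather than resolving again at fetch time, otherwise a record that changes between check and connect bypasses the check.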
All dynamic content is escaped before rendering. Client-side JavaScript passes values through escapeHtml() before assigning them to innerHTML. Security headers are applied to every response. AQL injection is prevented by mapping user input through whitelists rather than interpolating it into queries.
File uploads validated by size (50MB max), extension (.vtt, .srt, .txt), and content signature. Path traversal blocked. Filenames sanitized for Content-Disposition.
Keep sensitive audio on your own infrastructure.
A Rust-based CLI tool for local transcription with speaker diarization. Audio files never leave your machine. Process recordings on-premises before uploading only the text transcript to TranscriptIntel.
Licensed under BSL 1.1. Runs on macOS, Linux, and Windows. Supports all common audio and video formats.
What we are building next on the security roadmap.
Automatic detection and redaction of personally identifiable information and protected health information. Configurable policies for GDPR, HIPAA, and CJIS compliance.
Formal SOC 2 Type II certification covering security, availability, and confidentiality trust service criteria. Independent third-party audit.
Business Associate Agreement support for healthcare customers. Required for processing transcripts containing protected health information.
Comprehensive audit logging for all data access, analysis runs, exports, and configuration changes. Immutable log storage with configurable retention.
Our team can walk you through the full security architecture and answer questions about your specific compliance requirements.