SpotWhisper is committed to protecting your data. This page describes the technical and organizational security measures we maintain.
Encryption
- Data encrypted in transit (TLS 1.2+) and at rest (AES-256) via infrastructure providers
- Encrypted database connections and backups
Access Control
- Role-based access controls with least privilege
- Unique user accounts; no shared credentials
- Prompt access revocation on role change
Infrastructure Security
- Hosted on enterprise-grade cloud infrastructure (Vercel, Supabase) with SOC 2 certified providers
- Network isolation and firewalling
- Automated patching and vulnerability management
Data Retention
- Raw audio files: automatically deleted 30 days after creation
- Transcripts and extracted data: retained while account is active; deleted after 12 months of inactivity
- Users may request earlier deletion by emailing support@spotwhisper.com
Development Security
- Code review required for all production changes
- Automated test suites (unit, integration, contract, end-to-end) with branch protection
- Environment separation between development, test, and production
Incident Response
- 72-hour breach notification commitment
- Post-incident review and remediation tracking
Operational Security
- Centralized error monitoring with PII redaction
- Rate limiting on sensitive endpoints (authentication, password reset)
- Audit logging of administrative actions
For security concerns, contact support@spotwhisper.com.