Built for buyers whose security review is the hard part.
This is the page your security team is going to read before your legal team signs an MSA. We've tried to put everything they need on one screen.
What your security team needs in 30 seconds.
Compliance posture
SOC 2 Type II in progress, target Q3 2026. Interim letter from our auditor available under NDA. ISO 27001 on the roadmap.
- GDPR & UK GDPR — DPA + SCCs available
- CCPA / CPRA — compliant
- BIPA / CUBI / WA — compliant
- EU AI Act Art. 5 & 53 — ready
- C2PA provenance — compatible
Encryption & access
Defense-in-depth, with the consent vault on its own VPC and IAM boundary.
- AES-256 at rest, TLS 1.2+ in transit
- Role-based access, least privilege
- MFA enforced for all human access
- Hardware tokens for engineering & vault
- Tamper-evident audit log on the vault
Incident response
Documented playbook with notification commitments under GDPR Art. 33 and U.S. state breach laws.
- Customer notification within 72 hr
- Regulator notification within 72 hr
- Speaker notification when implicated
- Root-cause analysis & written report
- Continuous dependency scanning, quarterly pen test
A narrow, audit-friendly stack.
We deliberately chose a small number of well-understood services to minimize attack surface and simplify diligence.
Cloud infrastructure
- Provider: AWS
- Default region: us-east-1
- EU residency: eu-west-1 available
Audio storage
- Encryption: Server-side, managed keys
- Versioning: Enabled
- MFA-delete: Required for production
- Logging: Bucket-level access logs
Consent vault
- Isolation: Separate database, separate VPC, separate IAM
- Encryption: Application-layer + storage-layer
- Access: Smaller authorized set, fully logged
Delivery layer
- Pattern: Signed URLs + cross-account roles
- Targets: S3, GCS, Azure Blob
- Manifest: Signed JSON with SHA-256
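What a customer-side check of a signed delivery manifest looks like, as an added example: this is not the vendor's code, and the page does not specify the manifest layout or signature scheme. The example assumes a `files` list of `{path, size, sha256}` entries plus a delivery id, canonical JSON (sorted keys, no whitespace) as the signed bytes, and HMAC-SHA256 under a per-customer secret standing in for the signature; an asymmetric signature would replace `sign_manifest`/the signature check without changing the per-object hashing. The sample objects and key are constructed placeholders.

```python
"""Verify a signed JSON delivery manifest and the SHA-256 of each delivered object.

Added illustration, not the vendor's code. Assumed (not stated on the page): the
manifest carries {"delivery_id", "files": [{"path", "size", "sha256"}, ...]}, the
signed bytes are canonical JSON, and the signature is HMAC-SHA256 under a
per-customer secret.
"""
import hashlib
import hmac
import json


def canonical(body: dict) -> bytes:
    # Deterministic encoding: signer and verifier must hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_body(delivery_id: str, objects: dict) -> dict:
    files = [
        {"path": p, "size": len(data), "sha256": hashlib.sha256(data).hexdigest()}
        for p, data in sorted(objects.items())
    ]
    return {"delivery_id": delivery_id, "files": files}


def sign_manifest(body: dict, key: bytes) -> dict:
    sig = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_manifest(manifest: dict, key: bytes, objects: dict) -> list:
    """Return the problems found; an empty list means the delivery verified."""
    body = manifest.get("body", {})
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(manifest.get("sig", ""))):
        # Nothing inside a forged or unsigned manifest can be trusted; stop here.
        return ["manifest signature invalid"]

    problems = []
    listed = set()
    for entry in body.get("files", []):
        path = entry["path"]
        listed.add(path)
        data = objects.get(path)
        if data is None:
            problems.append(f"missing object: {path}")
            continue
        if len(data) != entry["size"]:
            problems.append(f"size mismatch: {path}")
        if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), entry["sha256"]):
            problems.append(f"sha256 mismatch: {path}")
    # Objects that arrived but are absent from the signed list are just as suspicious.
    for path in objects:
        if path not in listed:
            problems.append(f"unlisted object: {path}")
    return problems


# Constructed sample delivery: placeholder byte strings stand in for audio files.
DEMO_KEY = b"constructed-demo-secret"
DEMO_OBJECTS = {
    "ep01.wav": b"RIFF\x00\x00\x00\x00WAVEfmt demo-bytes-01",
    "ep02.wav": b"RIFF\x00\x00\x00\x00WAVEfmt demo-bytes-02",
}
DEMO_MANIFEST = sign_manifest(build_body("dlv-0001", DEMO_OBJECTS), DEMO_KEY)


def demo_manifest() -> dict:
    """Run the verifier over the clean delivery and several tampered variants."""
    flipped = dict(DEMO_OBJECTS)
    flipped["ep01.wav"] = b"X" + DEMO_OBJECTS["ep01.wav"][1:]  # same size, one byte changed

    extra = dict(DEMO_OBJECTS, **{"extra.wav": b"unexpected"})

    forged = json.loads(json.dumps(DEMO_MANIFEST))  # deep copy, then edit the signed body
    forged["body"]["files"][0]["sha256"] = hashlib.sha256(flipped["ep01.wav"]).hexdigest()

    return {
        "clean": verify_manifest(DEMO_MANIFEST, DEMO_KEY, DEMO_OBJECTS),
        "flipped_byte": verify_manifest(DEMO_MANIFEST, DEMO_KEY, flipped),
        "extra_object": verify_manifest(DEMO_MANIFEST, DEMO_KEY, extra),
        "forged_manifest": verify_manifest(forged, DEMO_KEY, flipped),
        "wrong_key": verify_manifest(DEMO_MANIFEST, b"other", DEMO_OBJECTS),
    }


if __name__ == "__main__":
    for name, result in demo_manifest().items():
        print(f"{name}: {result or 'OK'}")
```

The order matters: the signature is checked before any per-file hash is consulted, so a manifest whose hash list has been edited to match a tampered file is rejected outright rather than "verifying". Unlisted objects are reported too, since a delivery that contains more than the manifest vouches for is not a clean delivery.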
Identity
- SSO: Google Workspace
- MFA: Enforced on every account
- Hardware tokens: Engineering & vault accounts
Logging & monitoring
- Logging: Centralized
- Alerting: Access anomalies
- Audit: Tamper-evident vault log
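One construction that makes an audit log tamper-evident, as an added example rather than the vendor's implementation (the page does not describe how its vault log is built): each record carries a keyed hash that commits to the previous record's hash, so editing, deleting or reordering a past entry breaks every link after it. The MAC key, the event records and the actor names below are constructed for the illustration.

```python
"""Tamper-evident audit log as a keyed hash chain.

Added illustration, not the vendor's implementation. The per-record MAC uses a key
held by the log writer and not by the log store, so a party who can write to the
store cannot quietly recompute the chain. Truncating the tail is the one edit a
bare chain cannot see; anchoring the latest hash somewhere the writer cannot alter
(a WORM bucket, a receipt handed to the customer) closes that gap.
"""
import hashlib
import hmac
import json
from typing import Optional

GENESIS = "0" * 64  # the "previous hash" of the very first record


def _digest(key: bytes, seq: int, prev: str, entry: dict) -> str:
    material = json.dumps({"seq": seq, "prev": prev, "entry": entry},
                          sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, material, hashlib.sha256).hexdigest()


def append_entry(chain: list, entry: dict, key: bytes) -> dict:
    seq = len(chain)
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"seq": seq, "prev": prev, "entry": entry, "hash": _digest(key, seq, prev, entry)}
    chain.append(record)
    return record


def first_broken(chain: list, key: bytes) -> Optional[int]:
    """Index of the first record whose link or MAC fails to verify; None if intact."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev"] != prev:
            return i
        if not hmac.compare_digest(rec["hash"], _digest(key, i, prev, rec["entry"])):
            return i
        prev = rec["hash"]
    return None


def matches_anchor(chain: list, anchor_hash: str) -> bool:
    """True if the chain still ends at the hash that was anchored externally."""
    return bool(chain) and hmac.compare_digest(chain[-1]["hash"], anchor_hash)


# Constructed sample: three vault access events.
LOG_KEY = b"constructed-log-mac-key"
EVENTS = [
    {"ts": "2025-01-10T09:00:00Z", "actor": "alice", "action": "read", "speaker": "spk-17"},
    {"ts": "2025-01-10T09:05:00Z", "actor": "bob", "action": "read", "speaker": "spk-42"},
    {"ts": "2025-01-10T09:09:00Z", "actor": "bob", "action": "export", "speaker": "spk-42"},
]


def build_chain() -> list:
    chain = []
    for ev in EVENTS:
        append_entry(chain, ev, LOG_KEY)
    return chain


def demo_audit_log() -> dict:
    intact = build_chain()
    anchor = intact[-1]["hash"]  # imagine this was written to a WORM bucket

    edited = json.loads(json.dumps(intact))  # deep copy
    edited[2]["entry"]["action"] = "read"   # make the export look benign

    recomputed = json.loads(json.dumps(edited))  # attacker recomputes MAC, but without the key
    recomputed[2]["hash"] = _digest(b"guessed-key", 2, recomputed[2]["prev"], recomputed[2]["entry"])

    deleted = intact[:1] + intact[2:]  # drop bob's first read
    truncated = intact[:2]             # drop the tail

    return {
        "intact": first_broken(intact, LOG_KEY),
        "edited": first_broken(edited, LOG_KEY),
        "recomputed_wrong_key": first_broken(recomputed, LOG_KEY),
        "deleted": first_broken(deleted, LOG_KEY),
        "truncated": first_broken(truncated, LOG_KEY),
        "truncated_matches_anchor": matches_anchor(truncated, anchor),
    }


if __name__ == "__main__":
    for name, result in demo_audit_log().items():
        print(f"{name}: {result}")
```

The `truncated` case is the caveat worth asking a vendor about: a chain alone reports the shortened log as intact, and only comparison against an externally anchored head hash reveals that records were dropped.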
Current sub-processor list.
Customers can subscribe to be notified of any addition. Full list maintained at /security/subprocessors.
| Sub-processor | Purpose | Data residency |
|---|---|---|
| AWS | Primary cloud infrastructure | us-east-1, eu-west-1 |
| Stripe | Payments & invoicing | US |
| Postmark | Transactional email | US |
| Plausible | Privacy-respecting site analytics | EU |
| Help Scout | Customer inquiries | US |
| Clerk | Authentication for customer dashboards | US |
Data handling and retention.
| Data type | Retention | Notes |
|---|---|---|
| Source audio | Catalog file lifetime | Deleted on valid speaker revocation |
| Consent vault records | Catalog lifetime + 7 years | Or longer if required by law |
| Customer account data | Relationship + 7 years | Tax and audit |
| Authorized user credentials | Duration of access | Hashed with argon2id |
| Server logs | 90 days | Then aggregated and de-identified |
| Voice biometric verification | 12 months | Deleted earlier on request |
How humans access the systems.
Personnel security
- Background checks (where legally permitted)
- Annual security awareness training
- Role-specific training for vault personnel
- Confidentiality agreements before access
- Quarterly access reviews
- Immediate revocation on termination
Customer commitments
- Restrict access to authorized users
- Encrypt in transit and at rest
- Maintain access logs
- Promptly notify us of suspected unauthorized access
- Cooperate on revocation notices
- Follow Acceptable Use clause
Responsible disclosure
Found something? Email security@aipodcast.io. We respond within 1 business day and coordinate disclosure in good faith.
Want the full security pack?
SOC 2 interim letter, sub-processor list, DPA, SCCs, pen-test summary, IR plan summary, and security FAQ — delivered under NDA.