Security
We take the security of your recordings, transcripts and account seriously. This page explains the controls that are in place today, and how to reach us if you find a vulnerability.
How we protect your data
- Encryption in transit. All traffic between your browser and our servers uses HTTPS/TLS. Traffic to third-party processors (Deepgram, Stripe, the AI gateway) also uses TLS.
- Per-user isolation. Every table that contains user data enforces row-level security in the database, keyed to the authenticated user's account ID. One user cannot read another user's lectures, transcripts, notes or subscription rows.
- Private audio storage. Audio files live in a private storage bucket that is not publicly accessible; the app streams them only for the file's owner via time-limited signed URLs.
- Least-privilege access. Public client keys can only see what row-level security allows. Elevated operations (deleting your account, running webhooks) use short-lived server functions on our backend and never expose secrets to the browser.
- Payment isolation. Card details are entered directly into Stripe's PCI-DSS certified checkout iframe. We never see or store full card numbers.
- Account controls. Password-based sign-in and Google OAuth, with password reset via email; you can delete your account and all its data at any time from Settings.
We do not currently claim SOC 2, ISO 27001 or HIPAA compliance. If your use case requires those, contact us before onboarding significant data.
Responsible disclosure
If you believe you've found a security issue in ExamRecalls AI, please email us at security@examrecalls.fun. Please:
- Give us reasonable time to investigate and remediate before public disclosure.
- Do not access, modify or delete data that isn't yours.
- Do not run denial-of-service, spam or social-engineering tests against our users or staff.
- Provide enough detail for us to reproduce the issue (URL, steps, screenshots, sample account if relevant).
We commit to acknowledging valid reports within 5 business days and keeping you updated as we work on a fix. We don't currently run a paid bug-bounty program, but we're happy to publicly credit researchers who help us.
