Security & data handling
What we do to keep your recordings, transcripts, and guides safe — and what you can expect of us as a vendor.
Encryption
- TLS 1.2+ for every request in transit.
- AES-256 at rest for stored audio, video, transcripts, and generated guides.
- Object-storage tokens scoped to single uploads with 30-minute expiry.
Authentication & access
- SSO via Clerk: Email + password, Google, Microsoft, and Apple. Enterprise SSO (SAML, OIDC) on request.
- Per-doc permissions: Private, team-only, or public — set per guide.
- Audit log: View who accessed, edited, or shared each guide.
- Session management: Active sessions visible; revoke anytime.
Where your data lives
UtterNote runs on Vercel (US regions) and Neon (US regions). Audio and video are stored in private Vercel Blob buckets. Transcripts and metadata are stored in a Neon-hosted Postgres instance. No third-party AI training on your data — period.
GDPR + privacy rights
- Right to access: export every guide, transcript, and audio file via the dashboard.
- Right to deletion: delete any guide, transcript, or recording — irrecoverable within 30 days.
- Data Processing Addendum available on request — see /dpa.
- No selling of personal data, ever.
Compliance posture
UtterNote is committed to SOC 2 Type II readiness. We follow OWASP Top 10 practices, serve security headers (CSP, HSTS, X-Frame-Options), gate APIs with Vercel BotID, monitor errors via Sentry, and rate-limit endpoints via Vercel Firewall. For HIPAA-bound use, please contact us — BAA terms are available case-by-case.
Reporting security issues
Email security@utternote.com. We acknowledge within 24 hours and follow a responsible-disclosure process. We don't currently offer a paid bug bounty, but we recognize valid reports publicly with permission.