Back to home
Legal · Security

Security

How we protect your audio, text, and account.

voibly is built for people whose work depends on confidentiality — lawyers, doctors, founders, engineers. Security isn't a marketing layer for us; it's the architecture.

1. Architecture

voibly's default flow keeps audio on your device. The signed desktop app captures audio only while the hotkey is held, runs a local Whisper-derived model, and writes the cleaned text directly to your active app. No microphone audio is ever uploaded in this mode.

If a workspace enables cloud polishing, audio is streamed over TLS to a hardened inference endpoint, processed in memory, and the resulting text is returned. Audio is not persisted to disk and is discarded immediately after transcription.

2. Data handling

In transit

All connections to voibly services use TLS 1.3 with modern cipher suites and HSTS preload. Certificates are issued by a public CA and rotated automatically.

At rest

Persistent data — account info, subscription state, snippets — is encrypted with AES-256-GCM. Snippets are additionally encrypted with a per-workspace data-encryption key wrapped by AWS KMS.

Backups

Production databases are backed up continuously with point-in-time recovery for 35 days. Backups are encrypted and stored in a separate AWS account.

3. Access & identity

Access to production is restricted to a small number of engineers and requires:

  • Single sign-on (Google Workspace) with hardware-key-only second factor.
  • Just-in-time elevation through an internal access broker; every elevation is logged and time-bounded.
  • Mandatory laptop encryption, automatic patching, and EDR.
  • Quarterly access reviews and immediate revocation on departure.

4. Infrastructure

voibly runs on AWS in the us-east-1 and eu-central-1 regions. We use private VPCs, a single internet-facing load balancer per service, and IAM roles scoped to the principle of least privilege. Secrets are managed through AWS Secrets Manager and never committed to source control.

We use SOC 2 Type II–certified vendors throughout our stack: AWS, Stripe, Postmark, and Sentry.

5. Secure development

  • All code changes go through pull-request review by at least one other engineer.
  • Static analysis (Semgrep) runs on every PR and blocks merges that introduce known weaknesses.
  • Dependency scanning (GitHub Advanced Security) flags vulnerable libraries; we patch criticals within 24 hours.
  • Quarterly third-party penetration tests cover the application and infrastructure.
  • Engineers complete annual secure-coding and privacy training.

6. Monitoring & response

Production is monitored 24/7 with alerting on availability, latency, error rates, and security signals. Logs are centralized in CloudWatch and retained for 13 months.

We maintain a documented incident response plan. In the unlikely event of a breach affecting your data, we'll notify you within 72 hours of confirmation, with details on what happened, what we're doing, and what you should do.

7. Compliance

  • SOC 2 Type II — audit in progress; report available under NDA in Q3 2026.
  • GDPR & UK GDPR — voibly acts as data processor for paid plans; see our Data Processing Addendum.
  • CCPA / CPRA — California residents can exercise their rights via support@voibly.app.
  • HIPAA — Business Associate Agreements available for Pro and Lifetime customers in healthcare.

8. Responsible disclosure

If you've found a security vulnerability, please report it privately to support@voibly.app. Don't access user data beyond what's necessary to demonstrate the issue, and don't publicly disclose until we've had a reasonable chance to fix it. We respond to reports within 2 business days, fix valid issues within 30 days for criticals, and we pay bounties up to USD 5,000 depending on severity.

9. Contact

General security questions: support@voibly.app
Vulnerability reports: support@voibly.app (PGP key on request)
Compliance & DPA requests: support@voibly.app

Read the rest of our policies

Privacy Policy Terms of Service DPA Back to home