
Security overview

The technical and organizational measures behind TigerScribe. We default to short retention and least-privilege access, and we publish the things every procurement reviewer will ask us about before we are asked.

Last updated · May 4, 2026

1. Encryption

  • In transit — TLS 1.3, modern ciphers only, HSTS preload submitted.
  • At rest — AES-256 on all persistent storage (database, object storage, backups).
  • Audio in transit between subprocessors — encrypted under SCCs, with re-encryption at each hop.
  • Voiceprints — stored as embeddings, encrypted at rest, never transmitted in plaintext.

2. Access control

Access to production systems and customer data follows least-privilege. Engineers do not have routine access to customer audio or transcripts; access is granted only for time-bounded debugging with customer consent or a documented support case. Every access is logged and reviewed.

  • SSO + hardware-key MFA required for all internal systems.
  • Quarterly access reviews; access is revoked within 24 hours of a role change.
  • Production secrets stored in a managed secret store with audit logging.
  • No shared accounts. No shared credentials.

3. Retention defaults

  • Audio uploads — 30 days, then permanent deletion (including from backups within 30 days).
  • Transcripts — as configured by user; default 90 days.
  • Voiceprints — until user deletion; deletable any time.
  • Logs and audit records — 13 months, then aggregate-only.

4. We do not train models on customer data

5. Subprocessors

Each subprocessor has a written DPA and a non-training commitment for our data.

  • Vercel, Inc. — Web hosting & edge delivery (US, EU)
  • Neon, Inc. — Postgres database hosting (US, us-west-2)
  • Cloudflare, Inc. — Object storage (R2), DNS, DDoS, WAF (global edge)
  • Trigger.dev — Background tasks (transcription, speaker matching) (US)
  • AssemblyAI / Gladia — AI transcription engine (US, EU)
  • Anthropic — LLM-assisted speaker name inference & anonymization (US)
  • Stripe / Lemon Squeezy — Payments & merchant of record (US, EU)
  • Resend — Transactional email (US)

6. Compliance status

SOC 2 Type II

Audit kickoff scheduled for Q3 2026 with an in-flight Type I report by year-end and Type II within 12 months of launch. We’ll publish each milestone here and notify customers under NDA on request.

HIPAA & BAA

BAAs are available to Team-plan customers via written request once your subprocessor BAA chain is verified. See the BAA page.

GDPR & UK GDPR

Standard Contractual Clauses with subprocessors are in place for cross-border transfers. A customer-facing DPA is available — see the DPA page.

State biometric laws (BIPA, CUBI, etc.)

Voiceprint enrollment is consent-gated, scoped to the enrolling user, and deletable. See the voiceprint section of our Privacy Policy.

7. Incident response

We follow a documented incident-response runbook with three severities. We notify affected customers within 72 hours of identifying a personal-data breach. Post-incident reviews are written for every Sev-1 / Sev-2 event.

8. Responsible disclosure

Found a vulnerability? Email security@tigerscribe.com. We acknowledge within 24 hours, triage within 5 business days, and credit reporters in the changelog if requested.

  • Don’t access data that isn’t yours.
  • Don’t test against production accounts that aren’t yours.
  • Give us reasonable time to patch before disclosure.