VoxChron Security & Data Protection

1. Data Encryption

1.1 In Transit

All connections use TLS 1.2+ with modern cipher suites. Plain HTTP is automatically redirected to HTTPS.
HSTS (HTTP Strict Transport Security) headers prevent downgrade attacks.
File uploads to our object storage use server-side TLS connections.

1.2 At Rest

Database storage is encrypted with AES-256. Backups are encrypted and stored in separate geographic regions.
Uploaded audio/video files are encrypted at rest in our cloud object storage with AES-256 server-side encryption.
Source files are automatically deleted within 24 hours of processing completion.

2. Authentication & Access Control

Password hashing: bcrypt with an adaptive cost factor, ensuring resistance to brute-force attacks.
Session management: Secure, httpOnly session tokens via NextAuth.js with CSRF protection on every request.
Email verification: All accounts require email confirmation before accessing paid features.
API keys: Hashed with SHA-256; only the key prefix is stored in plaintext for identification. Per-key rate limits and optional expiration dates.
Role-based access: Admin actions are gated behind isAdmin checks with full audit logging.

3. Infrastructure Security

Application hosted on hardened Linux servers with automatic security updates.
24/7 monitoring with automated alerting for downtime, error spikes, and suspicious activity.
Daily encrypted database backups with point-in-time recovery capability.
Network-level firewalls restrict access to essential ports only.
Container-based backend isolation (Docker) for audio processing workloads.

4. API Security

Authentication: All API endpoints require a valid API key or session token.
Rate limiting: Configurable per-key rate limits (default 60 requests/minute). Login endpoints limited to prevent brute-force.
Input validation: Strict schema validation on all request bodies. File uploads validated for type, size, and content headers.
OWASP Top 10 mitigations: Parameterised database queries (Prisma ORM), output encoding, CSRF tokens, Content Security Policy headers.
Stripe webhook verification: All payment webhooks are signature-verified before processing.

5. GDPR & Data Protection

VoxChron is fully committed to GDPR compliance. Key measures include:

Right / Measure	How We Implement It
Right of Access (Art 15)	One-click JSON data export from Account Settings
Right to Rectification (Art 16)	Edit your profile information at any time in Settings
Right to Erasure (Art 17)	Self-service account deletion with 30-day recovery window
Data Portability (Art 20)	Export all data in machine-readable JSON format
Consent Management	Granular cookie consent with essential, analytics, and marketing categories. Marketing opt-in/opt-out toggle in Settings.
Unsubscribe Compliance	One-click email unsubscribe in every marketing email. RFC 8058 List-Unsubscribe headers. Suppression list enforcement.
Audit Trail	All admin actions and sensitive data operations are logged with timestamps, IP addresses, and action details.
Data Minimisation	Source files auto-deleted within 24 hours. Only necessary data collected. No tracking beyond consented categories.
International Transfers	Standard Contractual Clauses (SCCs) with all sub-processors

6. AI & Content Processing Security

Audio and video files are processed in isolated, containerised environments.
No model training: Your uploaded content is never used to train our AI models or any third-party models.
Source files are automatically purged within 24 hours of job completion. Processing results are retained only while your account is active.
All AI inference runs on dedicated infrastructure — your data never passes through shared multi-tenant GPU pools.

7. Payment Security

All payment processing is handled by Stripe (PCI DSS Level 1 certified).
VoxChron never receives, stores, or processes credit card numbers.
Stripe webhook signatures are verified on every billing event to prevent tampering.
VAT ID validation for EU/UK B2B customers is handled server-side via the VIES API.

8. Third-Party Sub-Processors

We share data with the following services, each under a Data Processing Agreement (DPA):

Service	Purpose	Data Shared	Compliance
Cloud Object Storage	File storage	Uploaded audio/video files (AES-256 encrypted)	GDPR, ISO 27001
Stripe	Payment processing	Email, billing address	PCI DSS, GDPR
Resend	Transactional emails	Email address, name	GDPR, DPA
Vercel	Frontend hosting	IP address, request data	SOC 2, GDPR

9. Data Retention

Data Type	Retention Period
Source audio/video files	Deleted within 24 hours of processing
Processing results	Retained while account is active
Account data	Deleted within 30 days of deletion request
Payment records	7 years (legal/tax requirement)
Audit logs	2 years
Cookie consent records	3 years

10. Responsible Disclosure

We welcome security researchers to report vulnerabilities responsibly. If you discover a security issue:

Email security@voxchron.com with full details of the vulnerability.
We will acknowledge your report within 2 business days.
Initial assessment provided within 5 business days.
We will not pursue legal action against good-faith security researchers.
We commit to providing transparent updates and reasonable time to patch.

11. Accessibility & Captioning Compliance

VoxChron is designed to support compliance with accessibility regulations for captioning and subtitles:

WCAG 2.1 AA: Our captioning output supports Web Content Accessibility Guidelines.
FCC §79.1: Closed captioning standards for video programming.
ADA Title III: Accessibility requirements for public-facing digital content.
Section 508: Federal accessibility standards for electronic content.

Note: VoxChron provides tools to support compliance. Users should consult legal counsel to validate compliance for their specific use case and jurisdiction.

12. Contact

For security concerns or data protection inquiries:

Security: security@voxchron.com
Data Protection Officer: dpo@voxchron.com
Privacy: privacy@voxchron.com
General support: support@voxchron.com