
Security

How we protect your data

EasyCast Studio is built on security-first infrastructure. Your recordings, transcripts, and account data are protected at every layer of the stack.

256-bit TLS · AES-256 at rest · PCI DSS Level 1 · Row Level Security · GDPR Ready

Encryption

Data in transit
All connections are encrypted via TLS 1.2/1.3. We enforce HTTPS on every endpoint with HSTS headers and no plaintext fallback.
Data at rest
Audio files, transcripts, and all user data are encrypted at rest using AES-256 managed by the hosting provider.
Signed URLs for media
Audio file access is gated behind time-limited signed URLs generated per request. Raw storage buckets are not publicly accessible.

Authentication

Enterprise Auth
User authentication uses industry-standard bcrypt password hashing with enterprise-grade session management.
JWT sessions
Sessions use short-lived JWTs with refresh token rotation. Tokens are stored in HttpOnly cookies so that script running in the page cannot read them, limiting what an XSS bug could steal.
Row Level Security
Every database table has Row Level Security (RLS) policies enforced at the Postgres level. Users can only read or write their own data regardless of API access.
API key security
Developer API keys are hashed with SHA-256 before storage. Only the hash is stored; the plaintext key is shown once at creation.

Payments

PCI DSS Level 1
All payment processing is handled by a PCI DSS Level 1 certified provider—the highest level of payment security certification.
No card data stored
EasyCast Studio never sees or stores raw card numbers, CVVs, or full PANs. Only a payment provider customer ID and subscription status are held in our database.

Infrastructure

Managed Postgres
The database runs on managed Postgres with automated backups, point-in-time recovery, and daily snapshots.
Isolated workspaces
Each user account is isolated at the database level via RLS policies. Cross-account data access is structurally prevented.
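The Postgres-level enforcement described under "Row Level Security" and "Isolated workspaces" above, as an added illustration (this is example SQL written for this page, not EasyCast's schema or policies; the table, role and the app.current_user_id session variable are assumed names). The policy is evaluated inside the database for every statement, so a bug in the API layer cannot widen a user's access:

```sql
-- Constructed example table: one row per recording, tagged with its owner.
CREATE TABLE recordings (
  id         bigserial PRIMARY KEY,
  owner_id   uuid NOT NULL,
  title      text NOT NULL,
  created_at timestamptz NOT NULL DEFAULT now()
);

-- Enable RLS and FORCE it so even the table owner is subject to the policy
-- (only superusers and roles with BYPASSRLS are exempt).
ALTER TABLE recordings ENABLE ROW LEVEL SECURITY;
ALTER TABLE recordings FORCE ROW LEVEL SECURITY;

-- Assumed convention: after validating the session JWT, the API sets
-- app.current_user_id for the transaction. nullif() turns an unset or empty
-- value into NULL, so a missing user id fails closed (no rows match) instead
-- of raising a cast error.
CREATE POLICY recordings_owner_only ON recordings
  USING      (owner_id = nullif(current_setting('app.current_user_id', true), '')::uuid)
  WITH CHECK (owner_id = nullif(current_setting('app.current_user_id', true), '')::uuid);

-- The role the API connects as: ordinary table privileges, no ownership, no BYPASSRLS.
CREATE ROLE api_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON recordings TO api_user;
GRANT USAGE, SELECT ON SEQUENCE recordings_id_seq TO api_user;

-- Enforcement demonstrated inside one transaction (constructed UUIDs).
BEGIN;
SET LOCAL ROLE api_user;
SET LOCAL app.current_user_id = '11111111-1111-1111-1111-111111111111';

-- Writing a row for yourself passes the WITH CHECK clause.
INSERT INTO recordings (owner_id, title)
  VALUES ('11111111-1111-1111-1111-111111111111', 'Episode 1');

-- Writing a row for another owner is rejected by the same clause:
--   INSERT INTO recordings (owner_id, title)
--     VALUES ('22222222-2222-2222-2222-222222222222', 'Not mine');
--   ERROR: new row violates row-level security policy for table "recordings"

-- Reads are filtered by USING: rows owned by other accounts are simply invisible,
-- even to a query that omits any WHERE clause.
SELECT id, title FROM recordings;
COMMIT;
```

A useful check when reviewing such a setup is `SELECT relname, relrowsecurity, relforcerowsecurity FROM pg_class WHERE relname = 'recordings';`, which confirms both flags are on; RLS that is enabled but not forced still lets the table owner read everything.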
Dependency auditing
npm audit runs in CI on every pull request. Known vulnerabilities block merges.

Data Handling

GDPR-ready architecture
User data is logically isolated per account. You can request a full export of your data at any time from your account settings.
Data export
All recordings, transcripts, show notes, and account data can be exported as JSON or downloaded as original files from within the dashboard.
30-day retention after cancellation
When you cancel, your data is retained for 30 days to allow reactivation or export. After 30 days, recordings and user data are permanently deleted from active storage.
Third-party subprocessors
Audio is processed by specialist AI providers for transcription and content generation. All providers operate under data processing agreements with appropriate privacy controls. Audio is not used to train third-party models.

Security disclosure

Found a potential security issue? Please report it responsibly.

security@easycaststudio.com