Security & Data Handling
Musavox is built on compliance-ready infrastructure. Every control described below is implemented in production.
1. Infrastructure Security
Data Encryption
All data is encrypted at rest using AES-256 and in transit using TLS 1.3. Database connections require SSL. Audio files are stored in private buckets with authenticated-only access policies.
Access Control
Row-level security policies enforce user isolation across all database tables. Users can only access their own transcriptions, credits, and profile data. No cross-user visibility exists at the database level.
Authentication
Authentication is email-based, with leaked-password protection powered by Have I Been Pwned. OAuth sign-in is available via Google. Session tokens are validated server-side on every request.
Data Residency
Primary data storage is in US East (AWS us-east-1, via Supabase). Cross-border data transfers occur only for processing through subprocessors. Customers requiring specific data residency (EU, LATAM) should contact legal@musavox.io to discuss available options.
Staff Access
Production data access is restricted to the engineering lead. All access is logged via Supabase audit logs. Customer data is never accessed except for support requests initiated by the customer.
Rate Limiting
Upload and processing endpoints enforce per-user rate limits to prevent abuse and cost overrun.
2. Data Handling
Audio File Retention
Audio files uploaded for transcription are stored in private cloud storage. Files are retained for 90 days from upload to support re-processing and re-download, then automatically deleted. Users can delete individual transcriptions and their associated audio files at any time.
Transcription Data
Transcription results (lyrics, timestamps, ad-libs, sections, confidence scores) are stored in the user's account and accessible only to that user. Edited versions are stored separately from AI-generated versions, preserving both.
Data Portability
Users can export all personal data including transcription history, credit usage, and profile information through the platform settings.
Account Deletion
Users can delete their account and all associated data. Deletion cascades to all transcriptions, audio files, credit history, and profile data.
Deduplication
Audio files are fingerprinted using SHA-256 hashing before upload. Duplicate detection is based on file content, not filename. Hash values are stored; original audio content is not compared across users.
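The sketch below illustrates content-based duplicate detection scoped to a single user. It is an added example, not Musavox code. The `DedupIndex` class, the `(user_id, digest)` key, and the sample bytes are assumptions made for illustration. Keying the lookup per user means a duplicate hit never reveals that another account holds the same file.

```python
import hashlib
import io

CHUNK = 64 * 1024  # read in chunks so large audio files are not held in memory


def fingerprint(stream) -> str:
    """Return the SHA-256 hex digest of a binary stream's content."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


class DedupIndex:
    """Hypothetical per-user fingerprint index (in-memory stand-in for a table)."""

    def __init__(self):
        self._seen = {}  # (user_id, digest) -> transcription id

    def check_and_record(self, user_id, stream, transcription_id):
        """Return the earlier transcription id if this user already uploaded
        identical content; otherwise record the fingerprint and return None.
        The filename is never an input, so renaming a file changes nothing."""
        key = (user_id, fingerprint(stream))
        existing = self._seen.get(key)
        if existing is None:
            self._seen[key] = transcription_id
        return existing


def demo():
    # Constructed sample bytes standing in for audio files.
    take_a = b"RIFF" + b"\x00" * 200_000
    take_b = b"RIFF" + b"\x01" * 200_000
    idx = DedupIndex()
    return [
        idx.check_and_record("alice", io.BytesIO(take_a), "t1"),  # first upload
        idx.check_and_record("alice", io.BytesIO(take_a), "t2"),  # same bytes, same user
        idx.check_and_record("alice", io.BytesIO(take_b), "t3"),  # different content
        idx.check_and_record("bob", io.BytesIO(take_a), "t4"),    # same bytes, other user
    ]


if __name__ == "__main__":
    print(demo())
```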
3. Payment Security
All payment processing is delegated to Stripe, which maintains PCI-DSS Level 1 certification — the highest level of payment security certification. Musavox systems never store, process, or transmit cardholder data.
4. Certifications & Standards
In Progress
SOC 2 Trust Services Criteria — Internal controls aligned with SOC 2 Trust Services Criteria. Formal audit engagement scheduled with revenue and customer milestones.
Aligned With
GDPR — Data retention controls, right to erasure, data portability, privacy by design architecture.
Not Required
PCI-DSS — Delegated entirely to Stripe (Level 1 certified).
5. Contact
For security inquiries or vulnerability reports: security@musavox.io
For Data Processing Agreement (DPA) requests: legal@musavox.io