Encryption
At rest: AES-256-GCM with per-user/per-meeting keys
When you register, a unique 256-bit Data Encryption Key (DEK) is generated for you. This key is wrapped using a key derived from your password via PBKDF2 (100,000 iterations, SHA-256). Your DEK is never stored in plaintext.
Every piece of sensitive data — transcripts, AI responses, documents, briefings, working memory — is encrypted at rest with per-user/per-meeting keys before being written to our database. Transcript-at-rest encryption is enforced unconditionally (fail-closed): if encryption cannot be applied, the content is not persisted, so it is never written to our database in plaintext. Content is decrypted only, and briefly, in server memory while a meeting session is active so the AI can participate; because we operate the keys required to provide the Service, this is encryption at rest rather than end-to-end or zero-knowledge encryption.
In transit: TLS 1.2+
All connections use TLS 1.2 or higher. We enforce HSTS with a 1-year max-age. Cookies are httpOnly, secure, and sameSite: lax.
Passwords: bcrypt, 12 rounds
Passwords are hashed with bcrypt (12 rounds) and compared using timing-safe functions to prevent timing attacks.
API keys: HMAC-SHA256
API keys are hashed with HMAC-SHA256 before storage. We never store plaintext keys. All comparisons use crypto.timingSafeEqual().
Data lifecycle & purge
Recording & transcription
To provide the Service, an AI bot joins your meeting and the meeting is recorded and transcribed in real time. You are responsible for obtaining any participant consent required by applicable law.
Post-meeting automatic purge
When a meeting ends, the following data is permanently and irreversibly deleted:
- Document chunks and vector embeddings
- Raw document text from uploads
- Pre-read research caches (web research, context queries)
- Uploaded files from server storage
- Diagnostic and telemetry events
Deletion certificates
Every deletion generates a cryptographically signed certificate documenting:
- Exactly what data was deleted (transcript entries, chunks, documents, responses, etc.) with counts
- What data was intentionally retained (billing records, soft-deleted metadata)
- When the deletion occurred
- HMAC-SHA256 signature to prove the certificate is authentic and unmodified
Verify any deletion certificate via our API at GET /api/certificates/:id.
Account deletion & retention
When you delete your account it is soft-deleted, and an automated retention job permanently removes soft-deleted accounts and their associated data within approximately 30 days (a limited set of records such as billing history may be retained longer where required by law). Each meeting receives its own deletion certificate.
Access controls
Authentication
Sessions use JWT tokens stored in httpOnly cookies with 7-day expiry. Rate limiting protects all authentication endpoints: 10 login attempts per 5 minutes, with Redis-backed tracking per IP.
Multi-tenant isolation
Tenant data is strictly isolated. API keys are scoped to specific tenants with granular permissions. Meeting ownership is verified on every request.
Webhook security
All webhooks are verified with HMAC-SHA256 signatures and timestamp-based replay protection (5-minute window).
Audit logging
We maintain a tamper-evident audit trail of security-relevant events:
- Authentication events — successful logins, failed login attempts (with reason), account deletions
- Data lifecycle events — meeting deletion (with deletion certificate ID), ephemeral data purge, interview data purge
- Administrative actions — API key creation/revocation, tenant configuration changes
Each audit log entry records the action, actor, affected resource, IP address, and user agent. Audit logs are append-only.
Infrastructure & headers
Security headers
- Strict-Transport-Security — HSTS with 1-year max-age
- Content-Security-Policy — restricts script, style, and connection sources
- X-Frame-Options: DENY — prevents clickjacking
- X-Content-Type-Options: nosniff — prevents MIME sniffing
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy — camera and geolocation disabled, microphone self-only
Logging & PII protection
All structured logs automatically redact sensitive fields: passwords, tokens, API keys, authorization headers, and cookies.
Third-party processors
| Processor | Purpose | Retention | Compliance |
|---|---|---|---|
| OpenAI | AI responses (text & voice) | API data not used for training | SOC 2 Type II |
| Anthropic | AI reasoning & experts (Claude) | API data not used for training | SOC 2 Type II |
| Deepgram | Speech-to-text | Zero retention | SOC 2 Type II · HIPAA · GDPR |
| xAI | AI voice & translation (Grok) | API data not used for training | GDPR |
| Recall.ai | Meeting bot, recording & transcription | Per Recall policy | SOC 2 · ISO 27001 · GDPR · HIPAA |
| Render | Application & database hosting | Encrypted at rest | SOC 2 Type II |
| Amazon Web Services | Realtime audio relay & storage | Encrypted at rest | SOC 2 Type II · ISO 27001 · GDPR |
| Stripe | Payment processing | Per Stripe policy | PCI DSS L1 · SOC 2 Type II |
All sub-processors are US-based. International transfers (for users outside the United States) rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) and, where applicable, the EU-U.S. Data Privacy Framework.
We do not sell your data. We do not use your meeting content to train AI models.
Incident response
We follow a structured incident response process:
To report a security vulnerability, email security@aimeetings.net. We respond within 24 hours.
Our promise
- Your meeting content is never used to train AI models.
- Your meeting content is encrypted in transit and at rest and never persisted in plaintext.
- Ephemeral data is permanently purged when meetings end.
- Every deletion produces a cryptographically signed certificate you can verify.
- We maintain an append-only audit trail of all security-relevant events.