Introduction
Our web application is built to protect the privacy and security of our users and their data. This document summarizes the security measures we have implemented.
Secure Communication
- TLS Encryption in Transit: All data transferred between our servers and clients' devices is encrypted using current versions of TLS (the successor to SSL). This protects the confidentiality and integrity of sensitive information in transit, so that it cannot be read or tampered with by a third party on the network.
Authentication
- Single Sign-On (SSO): Our app signs users in through Google and Microsoft Single Sign-On. This reduces the number of passwords a user has to manage and means that the identity provider's own account protections apply to sign-in, including any multi-factor authentication (MFA) policy the user or their organization has configured.
- Token-based Authentication: Upon successful authentication, the user receives a token, which is presented with and verified on every subsequent request, so that each operation is both authenticated and efficient.
Integration with Google and Microsoft Calendar Scopes
- OAuth 2.0 Authorization: We use the OAuth 2.0 protocol for delegated authorization, so that users can grant our application access to their calendar data without ever sharing their Google or Microsoft credentials with us.
- Limited Scopes: Our application requests only the calendar read/write scopes. We do not request, and therefore cannot access, any other unrelated scopes or user data.
- Token Storage: Access and refresh tokens obtained from Google and Microsoft are encrypted at rest in our storage.
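To make the "limited scopes" point concrete, the following is an added example (not the application's own code) of the two checks behind it: the consent request names only the calendar scopes, and a token whose granted scopes go beyond that allow-list is rejected rather than stored. The endpoint URLs and scope identifiers are the public Google and Microsoft Graph values; the client IDs, redirect URI and token responses are constructed placeholders, and the `state` and PKCE handling shown is standard OAuth 2.0 hardening, not something this page describes.

```python
"""OAuth 2.0 authorization-code helpers restricted to calendar scopes.

Added example, not the application's own code. It demonstrates the two
checks behind "limited scopes": the consent request names only the calendar
scopes, and a token whose granted scopes exceed that allow-list is rejected.
Endpoint URLs and scope names are the public Google / Microsoft Graph values;
client IDs, redirect URI and token responses are constructed placeholders.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

PROVIDERS = {
    "google": {
        "authorize_url": "https://accounts.google.com/o/oauth2/v2/auth",
        # Read/write access to the user's calendars and events.
        "required": {"https://www.googleapis.com/auth/calendar"},
        "allowed_extra": set(),
    },
    "microsoft": {
        "authorize_url": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
        "required": {"Calendars.ReadWrite"},
        # offline_access only yields a refresh token; it grants no data access.
        "allowed_extra": {"offline_access"},
    },
}

# Placeholder registration values (assumed, not real credentials).
CLIENT_IDS = {
    "google": "example-client-id.apps.googleusercontent.com",
    "microsoft": "00000000-0000-0000-0000-000000000000",
}
REDIRECT_URI = "https://app.example.com/oauth/callback"


def make_pkce_pair():
    """Return (code_verifier, code_challenge) using the S256 method (RFC 7636)."""
    verifier = secrets.token_urlsafe(64)  # 86 URL-safe chars, within the 43..128 limit
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def requested_scopes(provider):
    """Scopes placed in the consent request: the calendar scope plus refresh-only extras."""
    cfg = PROVIDERS[provider]
    return sorted(cfg["required"] | cfg["allowed_extra"])


def build_authorization_url(provider, state, code_challenge):
    """Build the consent URL; only the calendar scopes are requested."""
    params = {
        "client_id": CLIENT_IDS[provider],
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": " ".join(requested_scopes(provider)),
        "state": state,                    # unguessable value bound to the user's session
        "code_challenge": code_challenge,  # PKCE: binds the code to this client instance
        "code_challenge_method": "S256",
    }
    if provider == "google":
        params["access_type"] = "offline"  # Google's way of asking for a refresh token
    return PROVIDERS[provider]["authorize_url"] + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Extract the authorization code; refuse the callback if state does not match."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise ValueError("provider returned error: %s" % query["error"][0])
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    return query["code"][0]


def granted_scopes_ok(provider, token_response):
    """True only if the granted scopes are exactly what the app is allowed to hold.

    Both providers echo the granted scopes, space-separated, in the token
    response. Anything outside the allow-list means the app would hold more
    access than documented; a missing required scope means the user declined it.
    """
    cfg = PROVIDERS[provider]
    granted = set(token_response.get("scope", "").split())
    extra = granted - cfg["required"] - cfg["allowed_extra"]
    missing = cfg["required"] - granted
    return not extra and not missing


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(32)
    print(build_authorization_url("google", state, challenge))
    # Constructed token response, as Google would return it after the code exchange.
    print(granted_scopes_ok("google", {"scope": "https://www.googleapis.com/auth/calendar"}))
```

The scope check runs on the token response rather than on the consent URL because the granted set is what the provider actually issued: Google lets users deselect individual scopes on the consent screen, and a previously granted broader consent can surface in the response. Only tokens that pass `granted_scopes_ok` should reach the encrypted token store.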
Azure and Docker Container-Based Meeting Bot
- Azure and Docker for Meeting Management: Meeting recording and transcription are performed by a meeting bot hosted in Azure and running in Docker containers. The bot joins meetings on the platforms we integrate with and captures audio for transcription.
- Ephemeral Recording Process:
  - Transient Recording Storage: The meeting bot records meetings for the sole purpose of transcription. Recordings are ephemeral and are never stored permanently.
  - Immediate Deletion Post-Transcription: Once transcription is complete, the recording is immediately and irreversibly deleted from temporary storage.
- Transcription Data Handling and Retention:
  - Data Capture: The bot captures meeting audio for real-time transcription. The audio is processed promptly and is not used for any other purpose.
  - Privacy and Confidentiality Assurance: The transcription pipeline is fully automated; no person listens to the recording, and meeting content is not accessed or used for any purpose other than producing the transcript.
  - Data Retention Policy: Transcription data is stored securely for 30 days to provide product functionality and user support, after which it is securely deleted from our systems.
- Data Processing with Azure OpenAI:
  - OpenAI Integration: Meeting audio and transcription data are sent to the Azure OpenAI API; transcription uses the Whisper model, and the resulting transcript text is used to create meeting summaries.
  - Data Usage by Azure OpenAI: Azure OpenAI does not use the prompts or completions submitted by our application to train or improve its models, and the data is not made available to OpenAI or to other Azure customers. Data handling, including Microsoft's abuse-monitoring retention terms, is governed by the policy linked below.
  - Azure OpenAI data policy: https://learn.microsoft.com/en-us/legal/cognitive-services/openai/data-privacy
Data Security
- Encryption at Rest: All stored data is encrypted at rest by MongoDB's storage-level encryption (AES-256 in CBC mode, via OpenSSL). Encryption keys are managed and rotated in Azure Key Vault.
- Regular Backups: Data backups are taken regularly and are themselves encrypted.
- Siloed Customer Data: Each customer's data is kept in a separate database, so there is no commingling of data between customers.
Application Security
- Robust Infrastructure: Our web application is hosted on Microsoft Azure. Azure's platform security controls and practices protect the underlying infrastructure, and we build our application-level controls on top of them.
- Compliance and Audits: We have onboarded Drata as our SOC 2 compliance platform and intend to obtain a SOC 2 Type 1 report in Q3 2024.
User Privacy
- Calendar Data Access: We access individual user calendar data only when necessary and only with the explicit consent the user gives during the OAuth flow. We access the following calendar event fields:
  - IDs
  - Title
  - Body
  - Start/end times
  - Location
  - Attendees
AI
- AI Vendor: We use the Azure OpenAI API to create meeting agendas, summaries, and transcripts.
- Data Used: Under the Azure OpenAI data policy, the data we submit is not used to train the models.
Additional Steps
- NDA: We will sign an NDA upon request.
Conclusion
Security is our top priority. We are committed to implementing the best practices to ensure the safety of our users and their data. We believe in transparency and are always open to feedback and queries related to our security practices.