Security is built into everything we do

Tarnvox handles sensitive business conversations. We treat that responsibility seriously at every layer — from how you log in to how long your transcripts are stored.

Account security

Every password is hashed with bcrypt before storage — your plaintext password is never saved anywhere on our systems. New accounts require email verification before access is granted, so no one can sign in on your behalf with a freshly created email. We also support Google OAuth 2.0 so you can avoid passwords entirely.

Passwords hashed with industry-standard bcrypt — never stored in plaintext
Email verification required before first login
Google OAuth 2.0 as a password-free alternative
Accounts flagged as blocked or deleted are immediately refused authentication
Login and password-reset endpoints are rate-limited per IP to prevent brute-force attacks

Data in transit

All communication between your browser and our servers happens over HTTPS/TLS. We enforce HTTP security headers via Helmet — including X-Frame-Options, X-Content-Type-Options, and a Content Security Policy. Our CORS policy is an explicit allowlist; wildcard origins are not permitted. WebSocket connections used for live transcription are encrypted the same way.

Data at rest

Meeting transcripts are stored in AWS S3 with server-side encryption. User account data lives in MongoDB. Passwords are never stored in plaintext. Session tokens written to Redis carry a time-to-live so stale credentials expire automatically.

Transcripts stored in AWS S3 — encrypted at rest
User passwords never stored in plaintext
Redis session tokens are short-lived with automatic TTL expiry
Password reset and email verification tokens expire after 2 hours

API and infrastructure protection

Every API endpoint validates its inputs through strict schemas before any business logic runs. A global rate limit per IP protects against abuse and automated scanning. Third-party webhook callbacks from Recall.ai are verified with HMAC signatures so spoofed events are rejected at the door.

Payment security

Tarnvox does not store or process card numbers. All payment handling is delegated to Stripe, which is certified at PCI DSS Level 1 — the highest level available. Every Stripe webhook we receive is verified using an HMAC signature before any action is taken. Webhook events are also processed idempotently so a replayed event can never double-charge you.

No card numbers stored on Tarnvox servers
Stripe PCI DSS Level 1 certification covers all card processing
Stripe webhooks verified via HMAC signature on every request
Idempotent event processing prevents duplicate charges

Data retention

We keep meeting transcripts for 90 days from the date the meeting ends, then delete them automatically. You can also delete your account at any time from your profile — this immediately deactivates your account and cancels any active subscription.

Meeting transcripts deleted automatically after 90 days
Password reset tokens expire after 2 hours
Email verification tokens expire after 2 hours
Account deletion immediately deactivates your account and cancels any active subscription

Responsible disclosure

If you discover a security vulnerability in Tarnvox, please report it to us privately before disclosing it publicly. We will acknowledge your report within 48 hours and work with you to resolve the issue as quickly as possible.

Report a vulnerability· security@tranvox.com

Questions about security? Reach out to our team at support@tranvox.com

Back to home

Preparing your workspace

Security