Data Protection

How we protect your data with industry-leading security measures.

Last Updated: January 01, 2026

Our Security Commitment

SpeakSights employs multiple layers of security to protect your data from unauthorized access, disclosure, alteration, or destruction. We follow industry best practices and comply with international data protection standards.

Bank-Level Encryption

GDPR Compliant

Automatic Deletion

1. Data Encryption

1.1 Encryption in Transit

All data transmitted to and from SpeakSights is protected using:

  • TLS 1.3: Latest encryption protocol for all web traffic
  • HTTPS Only: No unencrypted HTTP connections allowed
  • Strong Cipher Suites: AES-256-GCM and ChaCha20-Poly1305

1.2 Encryption at Rest

Data stored on our servers is encrypted using:

  • AES-256: Industry-standard encryption for all database records
  • Azure Blob Encryption: Automatic encryption for file storage
  • Key Management: Secure key rotation every 90 days

1.3 Payment Data Encryption

We never see your payment details. All payment processing is handled by Razorpay, a PCI DSS Level 1 certified payment processor. Card data never touches our servers.

2. Access Control

2.1 Authentication

Access to your reports is secured through:

🔑 Unique Access Tokens

43-character cryptographically random tokens (256-bit entropy)

⏰ Time-Limited Links

Access links expire after 90 days for security

📧 Email Verification

Links sent only to your registered email address

🔒 Revocable Access

Tokens can be revoked immediately if compromised
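The token scheme described above (a 43-character token carrying 256 bits of entropy, a 90-day expiry, and immediate revocation) can be implemented in a few dozen lines. The following is an added illustration written for this page, not SpeakSights' own code: it assumes tokens are stored server-side only as a SHA-256 fingerprint (so a database leak does not expose usable links), that lookups are keyed by that fingerprint, and that the clock is passed in explicitly so expiry can be exercised deterministically. The `ReportAccess` record and `AccessTokenStore` class are hypothetical names.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

TOKEN_BYTES = 32                 # 32 random bytes = 256 bits of entropy
TOKEN_TTL = timedelta(days=90)   # access links expire after 90 days


def generate_token() -> str:
    """Return a URL-safe token: 32 random bytes, base64url, no padding -> 43 chars."""
    token = secrets.token_urlsafe(TOKEN_BYTES)
    assert len(token) == 43
    return token


def token_fingerprint(token: str) -> str:
    """Only this digest is stored; the raw token lives in the emailed link alone."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


@dataclass
class ReportAccess:          # hypothetical record, one per issued link
    report_id: str
    email: str
    issued_at: datetime
    revoked: bool = False


class AccessTokenStore:      # hypothetical in-memory stand-in for a DB table
    def __init__(self) -> None:
        self._by_fingerprint: Dict[str, ReportAccess] = {}

    def issue(self, report_id: str, email: str, now: datetime) -> str:
        token = generate_token()
        self._by_fingerprint[token_fingerprint(token)] = ReportAccess(
            report_id=report_id, email=email, issued_at=now)
        return token             # returned once, to be sent to the registered email

    def verify(self, token: str, now: datetime) -> Optional[ReportAccess]:
        """Return the access record if the token is known, unrevoked and unexpired."""
        rec = self._by_fingerprint.get(token_fingerprint(token))
        if rec is None or rec.revoked:
            return None
        if now - rec.issued_at > TOKEN_TTL:
            return None          # expired: treat exactly like an unknown token
        return rec

    def revoke(self, token: str) -> bool:
        """Revoke immediately; returns False if the token was never issued."""
        rec = self._by_fingerprint.get(token_fingerprint(token))
        if rec is None:
            return False
        rec.revoked = True
        return True


def run_demo() -> dict:
    """Exercise issue / verify / expiry / revocation at a fixed, constructed clock."""
    store = AccessTokenStore()
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)     # constructed issue time
    token = store.issue("report-001", "user@example.com", now=t0)
    return {
        "token_len": len(token),
        "valid_day_89": store.verify(token, now=t0 + timedelta(days=89)) is not None,
        "valid_day_91": store.verify(token, now=t0 + timedelta(days=91)) is not None,
        "unknown_token": store.verify("A" * 43, now=t0) is not None,
        "revoke_result": store.revoke(token),
        "valid_after_revoke": store.verify(token, now=t0) is not None,
    }


if __name__ == "__main__":
    print(run_demo())
```

Storing only the fingerprint is the design choice worth noting: verification hashes the presented token and looks the digest up, so neither the database nor its backups contain anything that opens a report, and revocation is a single flag flip on the stored record.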

2.2 Access Monitoring

Every access is logged and protected by the following controls:

  • Timestamp of each report access
  • IP address for security audits
  • Secure session management
  • Rate limiting to prevent brute-force attacks
  • Automatic logout after inactivity
  • IP-based suspicious activity detection

2.3 API Security

  • Secure API keys with encryption
  • Rate limiting and throttling
  • Request validation and sanitization
  • API access logging and monitoring

3. Data Minimization

We follow the GDPR principle of data minimization by collecting and storing only the data necessary to provide our service.

✅ What We Collect (Minimal)

  • Email address: For report delivery and account management
  • Profession: For profession-specific analysis
  • Analysis results: Credibility scores and insights (90 days)
  • Order records: Transaction history (legal requirement)

❌ What We DON'T Collect

  • Names, phone numbers, physical addresses
  • Payment card details (handled by Razorpay)
  • Social media profiles or personal identifiers
  • Browsing history or tracking cookies
  • Location data or device fingerprints

4. Data Retention & Automated Deletion

4.1 Retention Policy

Audio/Video Files

Retention: 0 seconds

Deleted immediately after processing completes. Never stored on our servers beyond the processing pipeline.

Analysis Reports

Retention: 90 days

Stored for 90 days to allow access and re-downloads. Automatically deleted after this period via nightly cron jobs. No manual intervention required.

Business Records

Retention: 7 years

Order history and transaction records retained as required by tax law. Contains minimal personal data (email + order details only).

Badge Certification Data

Retention: Permanent

Certificate data (badge tier, score, certificate ID, verification hash, badge URLs) is retained permanently to enable public verification. This ensures your displayed badges remain verifiable throughout their 24-month validity period and beyond.

This data is essential for credential verification and cannot be deleted without invalidating legitimate badges you've displayed publicly on LinkedIn, websites, or resumes.

4.2 Deletion Verification

Audit Trail: Every automated deletion is logged in our data_retention_logs table:

  • Deletion timestamp
  • Number of records deleted
  • Tables affected
  • Verification status

This provides proof of GDPR compliance and data protection accountability.
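The nightly retention job from 4.1 and the audit trail from 4.2 fit together naturally: delete everything past the cutoff, then confirm nothing older remains and record the outcome. The following is an added example written for this page, not SpeakSights' own job. It assumes a PostgreSQL-style `analysis_reports` table with a `created_at` column, uses SQLite in memory so it runs offline, populates a handful of constructed sample rows, and writes one row per run to a `data_retention_logs` table with the four fields listed above (the column names are assumptions).

```python
import sqlite3
from datetime import datetime, timedelta, timezone

REPORT_RETENTION = timedelta(days=90)   # analysis reports are kept for 90 days

# Assumed schema; column names are this example's own, not the production ones.
SCHEMA = """
CREATE TABLE analysis_reports (
    id         INTEGER PRIMARY KEY,
    email      TEXT NOT NULL,
    created_at TEXT NOT NULL          -- ISO-8601 UTC timestamp
);
CREATE TABLE data_retention_logs (
    id                  INTEGER PRIMARY KEY,
    deleted_at          TEXT NOT NULL,   -- deletion timestamp
    records_deleted     INTEGER NOT NULL,
    tables_affected     TEXT NOT NULL,
    verification_status TEXT NOT NULL    -- 'verified' or 'failed'
);
"""


def open_demo_db(now: datetime) -> sqlite3.Connection:
    """In-memory database seeded with constructed reports of various ages."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    sample_ages = [120, 91, 89, 1]     # days old; two are past the 90-day cutoff
    conn.executemany(
        "INSERT INTO analysis_reports (email, created_at) VALUES (?, ?)",
        [(f"user{i}@example.com", (now - timedelta(days=age)).isoformat())
         for i, age in enumerate(sample_ages)],
    )
    conn.commit()
    return conn


def purge_expired_reports(conn: sqlite3.Connection, now: datetime) -> dict:
    """Delete reports older than the retention window and log the result.

    All timestamps are ISO-8601 strings in the same (UTC) offset, so a plain
    string comparison orders them correctly.
    """
    cutoff = (now - REPORT_RETENTION).isoformat()
    with conn:                                   # one transaction: delete + log together
        cur = conn.execute(
            "DELETE FROM analysis_reports WHERE created_at < ?", (cutoff,))
        deleted = cur.rowcount
        # Verification step: nothing older than the cutoff may remain.
        leftover = conn.execute(
            "SELECT COUNT(*) FROM analysis_reports WHERE created_at < ?",
            (cutoff,)).fetchone()[0]
        status = "verified" if leftover == 0 else "failed"
        conn.execute(
            "INSERT INTO data_retention_logs "
            "(deleted_at, records_deleted, tables_affected, verification_status) "
            "VALUES (?, ?, ?, ?)",
            (now.isoformat(), deleted, "analysis_reports", status),
        )
    remaining = conn.execute("SELECT COUNT(*) FROM analysis_reports").fetchone()[0]
    log_rows = conn.execute("SELECT COUNT(*) FROM data_retention_logs").fetchone()[0]
    return {"deleted": deleted, "status": status,
            "remaining": remaining, "log_rows": log_rows}


def run_nightly_demo() -> dict:
    """Run the job twice at a fixed clock: the second run must delete nothing but still log."""
    now = datetime(2026, 1, 1, 2, 0, tzinfo=timezone.utc)   # constructed run time
    conn = open_demo_db(now)
    first = purge_expired_reports(conn, now)
    second = purge_expired_reports(conn, now + timedelta(days=1))
    conn.close()
    return {"first": first, "second": second}


if __name__ == "__main__":
    print(run_nightly_demo())
```

Two details matter for accountability: the deletion and its log row are committed in the same transaction, so the audit trail can never claim a purge that did not happen, and a run that deletes zero rows is still logged, which is what lets a later review show the job actually ran every night.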

5. Third-Party Security

We carefully vet all third-party services for security and compliance:

AssemblyAI (Speech Recognition)

SOC 2 Type II certified, automatic audio deletion after processing

OpenAI GPT-4 (Analysis)

Enterprise API, zero data retention policy, no training on our data

Microsoft Azure (Cloud Infrastructure)

ISO 27001, SOC 1/2/3, FedRAMP certified, data centers in US & EU

Razorpay (Payments)

PCI DSS Level 1 certified, we never see your payment details

ZeptoMail (Email Delivery)

GDPR compliant, transactional emails only, no marketing tracking

Data Processing Agreements: All third-party providers sign DPAs ensuring GDPR compliance and secure data handling.

6. Infrastructure Security

6.1 Hosting & Infrastructure

  • Cloud Provider: Microsoft Azure (enterprise-grade security)
  • Database: Neon PostgreSQL with automatic backups
  • File Storage: Azure Blob Storage with encryption
  • CDN: Global content delivery with DDoS protection

6.2 Network Security

🛡️ DDoS Protection

Cloudflare protection against distributed attacks

🔥 Firewall

Web Application Firewall (WAF) blocks malicious traffic

🔒 Private Networks

Database in private network, not publicly accessible

📊 Traffic Monitoring

24/7 monitoring for suspicious activity

6.3 Backup & Disaster Recovery

We maintain robust backup systems to ensure data availability:

  • Automated daily database backups (retained for 30 days)
  • Geo-redundant storage across multiple data centers
  • Point-in-time recovery capabilities
  • Disaster recovery plan with 4-hour RTO (Recovery Time Objective)

7. Incident Response

7.1 Security Incident Protocol

In the event of a security incident, we follow a structured response process:

7.2 Response Timeline

  1. Detection & Assessment: Identify and assess the severity of the incident
  2. Containment: Isolate affected systems and prevent spread
  3. User Notification: Notify affected users within 72 hours (GDPR requirement)
  4. Remediation: Fix vulnerabilities and restore secure operations
  5. Post-Incident Review: Analyze the incident and improve security measures

7.3 Vulnerability Management

  • Regular security audits and assessments
  • Automated vulnerability scanning
  • Prompt patching of security vulnerabilities
  • Third-party penetration testing (annually)
  • Bug bounty program (coming soon)

8. Employee Security & Training

8.1 Security Training

All team members undergo:

  • Security awareness training (mandatory)
  • GDPR and data protection training
  • Secure coding practices
  • Incident response procedures
  • Regular security refresher courses

8.2 Access Management

Principle of Least Privilege:

  • Team members have access only to data needed for their role
  • Access reviews conducted quarterly
  • Immediate access revocation upon role change/departure
  • All access requests require approval and logging

8.3 Confidentiality Agreements

All employees, contractors, and partners sign comprehensive Non-Disclosure Agreements (NDAs) and confidentiality agreements before accessing any systems or data.

9. Compliance & Certifications

✅ GDPR Compliant

Full compliance with EU General Data Protection Regulation, including data minimization, user rights, and automated deletion.

🇬🇧 UK GDPR Compliant

Compliant with UK GDPR (post-Brexit data protection regulation).

🇮🇳 India DPDP Act Ready

Prepared for India's Digital Personal Data Protection Act requirements.

🔒 ISO 27001 Infrastructure

Hosted on ISO 27001 certified cloud infrastructure (Microsoft Azure).

10. How You Can Help Protect Your Data

✅ Do This

  • Use a secure email provider
  • Keep access links confidential
  • Download reports for offline storage
  • Report suspicious activity immediately
  • Use strong, unique passwords

❌ Don't Do This

  • Share your account credentials
  • Use the same password across sites
  • Click suspicious links in emails
  • Upload files from untrusted sources
  • Ignore security notifications

Security Questions or Concerns?

Privacy Inquiries:

privacy@speaksights.com

Report a Vulnerability:

security@speaksights.com

Response Time:

24 hours for security issues

We take security seriously and appreciate responsible disclosure of security vulnerabilities. If you discover a security issue, please contact us immediately at security@speaksights.com.