Trust & Integrity

Security at 1on1

Our commitment to protecting your team's most sensitive conversations. We build with a security-first mindset to ensure your data remains yours alone.

End-to-end encryption

AES-256-GCM encryption for all private notes, ensuring only meeting participants can read them.

Tenant isolation

Row-level security (RLS) at the database layer prevents any cross-tenant data leakage.

Role-based access

Granular RBAC controls to manage exactly who can view, edit, or delete meeting records.

Open source

Full code auditability and self-hosting options for organizations requiring maximum sovereignty.

Deep Technical Safeguards

We maintain rigorous engineering standards across our entire infrastructure to protect your operational integrity.

Encryption at rest & in transit

All private notes are encrypted using AES-256-GCM with per-tenant keys derived via HKDF. In-transit data is protected by TLS 1.3, ensuring secure connections between your browser and our servers.

AES-256-GCM, TLS 1.3

Multi-tenancy

Every database table with tenant data includes tenant_id. PostgreSQL Row-Level Security policies enforce isolation at the database level as a safety net beyond application-level filtering.

Authentication

Powered by Auth.js v5 with JWT strategy. Supports Google OAuth, Microsoft OAuth, and email/password with bcrypt hashing. Session cookies are HTTP-only, Secure, and SameSite=Strict.

Authorization (RBAC)

Three roles — admin, manager, member. Resource-level checks verify the user is actually the manager or report on a given series/session, not just the right role.

AI Data Handling

Session content is sent to the Anthropic Claude API for summaries and suggestions. We do not use customer data to train AI models. AI processing happens in real time only — zero data retention by the AI provider.

Infrastructure & Hosting

Global performance without compromising regional security requirements.

Vercel (Edge Compute)
Neon (PostgreSQL)
EU Region

Compliance & Privacy

GDPR-ready

Full support for data portability (export), right to erasure (deletion), and ready-to-sign Data Processing Agreements (DPA).

Data residency

Host your data in EU regions. We prioritize local data residency requirements for enterprise customers.

Cookie policy

We only use essential cookies necessary for the platform to function — authentication session and locale preference. No marketing trackers.

Self-hosting

Enterprise tier includes Docker deployment for organizations requiring complete physical sovereignty over their meeting data.

Responsible Disclosure

We value the security community. If you've discovered a vulnerability, please report it to us immediately. We commit to a rapid response.

security@surcod.ro

Questions about security?

Our team is ready to provide the technical documentation your IT department needs.