Security at 1on1
Our commitment to protecting your team's most sensitive conversations. We build with a security-first mindset to ensure your data remains yours alone.
Encryption at rest and in transit
Private notes are encrypted at rest with AES-256-GCM and protected in transit with TLS. Access is limited by tenant isolation and role-based controls.
Tenant isolation
Row-level security (RLS) at the database layer prevents any cross-tenant data leakage.
Role-based access
Granular RBAC controls to manage exactly who can view, edit, or delete meeting records.
Controlled access
Strict internal access controls, operational safeguards, and review processes protect customer data throughout the service lifecycle.
Deep Technical Safeguards
We maintain rigorous engineering standards across our entire infrastructure to protect your operational integrity.
Encryption at rest & in transit
All private notes are encrypted using AES-256-GCM with per-tenant keys derived via HKDF. In-transit data is protected by TLS 1.3, ensuring secure connections between your browser and our servers.
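The per-tenant HKDF plus AES-256-GCM scheme described above, sketched as an added example in Node.js; this is not 1on1's own code. The function names, the HKDF info label, the constructed master key, the use of the tenant ID as associated data, and the nonce/tag/ciphertext layout are all assumptions made for illustration.

```javascript
// Added illustration, not the vendor's implementation. All names, the info
// label and the blob layout (nonce || tag || ciphertext) are assumptions.
const crypto = require('node:crypto');

// Constructed demo master key; a real deployment would load it from a KMS or secret store.
const MASTER_KEY = crypto.createHash('sha256').update('constructed-demo-master-key').digest();

// HKDF-SHA256: derive one 32-byte AES key per tenant, separated by the info string.
function deriveTenantKey(masterKey, tenantId) {
  const info = Buffer.from(`private-notes:v1:${tenantId}`, 'utf8');
  return Buffer.from(crypto.hkdfSync('sha256', masterKey, Buffer.alloc(0), info, 32));
}

// AES-256-GCM with a fresh random 96-bit nonce per note. The tenant ID is bound
// as associated data, so a blob moved to another tenant's row fails authentication.
function encryptNote(masterKey, tenantId, plaintext) {
  const key = deriveTenantKey(masterKey, tenantId);
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce, { authTagLength: 16 });
  cipher.setAAD(Buffer.from(tenantId, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]);
}

// Returns the plaintext, or null when the blob is truncated, tampered with,
// or was encrypted for a different tenant.
function decryptNote(masterKey, tenantId, blob) {
  if (blob.length < 28) return null; // 12-byte nonce + 16-byte tag minimum
  const nonce = blob.subarray(0, 12);
  const tag = blob.subarray(12, 28);
  const ct = blob.subarray(28);
  const key = deriveTenantKey(masterKey, tenantId);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, nonce, { authTagLength: 16 });
  decipher.setAAD(Buffer.from(tenantId, 'utf8'));
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
  } catch {
    return null; // GCM tag check failed
  }
}
```

Because each tenant's key is derived rather than stored, a ciphertext read under the wrong tenant ID fails the GCM tag check instead of decrypting.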
Multi-tenancy
Every database table that holds tenant data includes a tenant_id column. PostgreSQL Row-Level Security policies enforce isolation at the database level as a safety net beyond application-level filtering.
Authentication
Authentication is powered by Auth.js v5 with the JWT session strategy. It supports Google OAuth, Microsoft OAuth, and email/password with bcrypt hashing. Session cookies are HttpOnly, Secure, and SameSite=Strict.
Authorization (RBAC)
Three roles — admin, manager, member. Resource-level checks verify the user is actually the manager or report on a given series/session, not just the right role.
AI Data Handling
Session content is sent to the Anthropic Claude API for summaries and suggestions. We do not use customer data to train AI models. AI processing happens in real-time only, with zero data retention by the AI provider.
Infrastructure & Hosting
Global performance without compromising regional security requirements.
Compliance & Privacy
GDPR-ready
Full support for data portability (export), right to erasure (deletion), and ready-to-sign Data Processing Agreements (DPA).
Data residency
Host your data in EU regions. We prioritize local data residency requirements for enterprise customers.
Cookie policy
We use essential platform cookies for authentication, locale, and theme preferences, plus privacy-conscious analytics and attribution to understand aggregate website usage.
Enterprise controls
Enterprise customers can request security documentation, DPAs, rollout assistance, and commercially agreed data residency options.
Responsible Disclosure
We value the security community. If you've discovered a vulnerability, please report it to us immediately. We commit to a rapid response.
[email protected]
Questions about security?
Our team is ready to provide the technical documentation your IT department needs.