Security

Your client conversations deserve serious protection.

Client calls contain the most sensitive information your business handles - plans, budgets, roadmaps, relationships. We built Audora's security posture around that reality, not as an afterthought.

Encryption at rest and in transit
Isolated per-account data environments
No AI training on your data
72-hour recording deletion

Encryption

All data encrypted in transit with TLS 1.3 and at rest with AES-256. No unencrypted data paths exist anywhere in the system.

Data lifecycle

Call recordings are deleted within 72 hours of transcript generation. Transcripts and outputs are deleted 30 days after account closure.

Access control

Role-based access within teams. Your data is never visible to other Audora accounts. Internal access is strictly limited and audited.

Isolation

Each account's data is stored in isolated environments. There is no shared storage layer between accounts at any point in the pipeline.

Infrastructure

Hosted on enterprise-grade cloud infrastructure with redundant availability zones, automated backups, and continuous uptime monitoring.

No training use

We do not use your call recordings, transcripts, or generated outputs to train or fine-tune any AI model - ours or any third party's.

01

Encryption and data in transit

Every byte that moves through Audora is encrypted. No exceptions, no plaintext paths.

All communication between your browser or client and Audora's servers occurs over TLS 1.3, the current industry standard for transport security. Connections using older protocol versions are rejected. We use HSTS (HTTP Strict Transport Security) to prevent protocol downgrade attacks and ensure browsers only connect over HTTPS.

At rest, all data - including call recordings, transcripts, generated documents, and account information - is encrypted using AES-256. Encryption keys are managed separately from the data they protect and are rotated on a regular schedule. Key management follows the principle of least privilege: no single system or individual has access to both encrypted data and the corresponding decryption keys simultaneously.

Transport protocol: TLS 1.3 (minimum TLS 1.2)
At-rest encryption: AES-256
Key management: Separate key management service, regular rotation
HSTS: Enabled, max-age 1 year, includeSubDomains
Certificate authority: Certificate pinning on mobile clients

Webhook payloads and any outbound integrations (to Cursor, Linear, Notion, etc.) are also transmitted over encrypted channels. We validate TLS certificates on all outbound connections and do not accept self-signed certificates from integration targets.

02

Data lifecycle and retention

We collect only what we need. We delete it as soon as we are done with it.

Call recordings are the most sensitive data we handle. We treat them accordingly. When a call ends and the Audora bot completes transcription, the original audio recording is scheduled for deletion within 72 hours. This is not a best-effort target - it is an automated, enforced process. The recording is not available after deletion, including to our own team.

Recording lifecycle: Call ends → Bot generates transcript → Audio scheduled for deletion → Deletion confirmed within 72 hours → Only the transcript and generated outputs remain.

Transcripts and generated outputs (PRDs, task lists, SOWs, client briefs) are retained for the duration of your active subscription. When your account is closed or your subscription lapses, data enters a 30-day grace period during which you can export or access it. After 30 days, all data is permanently and irreversibly deleted from our systems.

Audio recordings: Deleted within 72 hours of transcription
Transcripts and outputs: Retained for subscription duration + 30 days
Account data: Deleted 30 days after account closure
Billing records: Retained 7 years for tax compliance
Access logs: Retained 12 months for security purposes
Deletion method: Cryptographic erasure + secure overwrite

Billing records are the only category of data retained beyond your subscription period, and this retention is required by law for tax and accounting compliance. Billing data does not include call content, transcripts, or outputs of any kind.

03

Access control and authentication

Who can see your data? The answer is: you, your authorized team, and nobody else.

Audora enforces strict role-based access control (RBAC) at both the account and team level. Each subscription account is a fully isolated tenant. There is no administrative interface that allows Audora employees to browse customer data. Access to customer data by Audora staff requires explicit customer authorization, a documented support reason, and generates an immutable audit log entry.

Authentication requirements for your account:

  • Minimum 12-character passwords enforced at account creation
  • Session tokens expire after 24 hours of inactivity
  • All sessions are bound to the originating IP and user agent
  • Concurrent session limits enforced per user seat
  • Failed login attempts trigger progressive rate limiting and lockout
  • Account owners receive email alerts on new device logins

Team seats on Studio and Agency plans can be assigned with scoped permissions. Workspace owners control what each team member can access, including which client profiles, call histories, and outputs are visible to each seat. Permission changes take effect immediately and generate audit log entries.

Audora internal access controls: Our team members access production systems only through time-limited, audited sessions using hardware security keys. No production credentials are stored in code repositories, CI/CD pipelines, or shared password managers. All internal access to infrastructure follows the principle of least privilege - each team member has access only to what their role requires, nothing more.

04

AI processing and your data

We use AI to process your calls. Here is exactly what that means for your data.

Audora uses large language models to generate transcripts, project briefs, PRDs, task breakdowns, and statements of work from your call recordings. We want to be completely transparent about how this works and what protections are in place.

We do not use your data to train AI models. Your call recordings, transcripts, and generated outputs are never used to train, fine-tune, benchmark, or evaluate any AI model - ours or any third party's. This is a contractual and technical commitment, not a policy preference.

When your call data is sent to AI processing infrastructure, it travels over encrypted channels and is processed in isolated, single-use contexts. The AI models we use do not retain conversation context between calls or between users. Each processing request is stateless - the model has no memory of previous requests from your account or any other account.

Our AI infrastructure providers are contractually prohibited from using customer data for model training. These restrictions are explicitly written into our data processing agreements and are auditable.

  • No training use - contractual and technical
  • Stateless AI processing - no cross-account or cross-call context
  • Encrypted data in transit to AI providers
  • Data processing agreements with all AI infrastructure providers
  • Zero-retention policies on AI provider side for customer data

05

Infrastructure and availability

What runs Audora, where it runs, and how we keep it running.

Audora's infrastructure runs on enterprise cloud providers in the United States. We use multiple availability zones to ensure redundancy - if one zone experiences an outage, traffic is automatically routed to healthy zones without manual intervention and typically without any perceptible disruption to users.

Hosting region: United States (multi-AZ)
Availability target: 99.9% monthly uptime
Backup frequency: Daily automated backups, 30-day retention
Recovery time objective: < 4 hours for major incidents
Recovery point objective: < 24 hours data loss in catastrophic failure
Monitoring: 24/7 automated alerting and on-call rotation
DDoS protection: Network-level and application-level mitigation

All infrastructure changes go through a controlled deployment process with automated rollback capabilities. We do not make ad-hoc changes to production systems. Deployments are staged, tested in an isolated environment that mirrors production, and rolled out incrementally with automated health checks at each stage.

Database instances run on encrypted volumes with point-in-time recovery enabled. Backups are stored in a separate geographic region from the primary data and are tested for restorability on a regular basis. We do not consider untested backups to be valid backups.

06

Subprocessors and third parties

Every vendor that touches your data, and what they are permitted to do with it.

Audora uses a limited set of carefully vetted third-party service providers to operate the platform. Each subprocessor has signed a data processing agreement that restricts their use of customer data to providing the contracted service only. None of our subprocessors are permitted to use your data for their own purposes, including model training, marketing, or analytics.

Our subprocessor categories include:

  • Cloud infrastructure - Hosting, storage, and database services. Data processed in the US.
  • Meeting bot infrastructure - Joins calls, captures audio, and returns raw audio streams to our systems. Subject to zero-retention policy for raw audio after transfer.
  • AI processing - Language model inference for transcription and document generation. Zero-retention policy, no training use.
  • Payment processing - Handles billing and subscription management. Audora never stores raw payment card data.
  • Email delivery - Transactional email only (receipts, alerts, notifications). No marketing use of email addresses without explicit opt-in.
  • Error monitoring - Captures application errors and performance issues. Error reports are scrubbed of personally identifiable information before logging.

We do not sell, share, or trade your data with advertising networks, data brokers, or any party whose purpose is not directly related to delivering the Audora service to you. If we add a new subprocessor that processes customer call data, we will notify affected customers at least 14 days in advance.

07

Incident response

What we do if something goes wrong, and how we communicate it to you.

We maintain a formal incident response plan that covers detection, containment, eradication, recovery, and post-incident review. Our security monitoring runs continuously and alerts our on-call team immediately when anomalous patterns are detected - unusual access volumes, authentication anomalies, unexpected data egress, or infrastructure irregularities.

In the event of a confirmed security incident affecting customer data:

  • We will notify affected customers by email within 72 hours of confirmation
  • Notification will include what data was affected, how, and what we have done about it
  • We will notify applicable regulatory authorities as required by law
  • We will publish a post-incident report within 30 days describing root cause and remediation
  • We will not obscure, minimize, or delay disclosure of confirmed incidents

We do not wait until the investigation is complete to notify customers. If we know your data may have been affected, we tell you immediately with whatever information we have, and we update you as we learn more.

Minor incidents - those affecting service availability without data exposure - are documented on our status page in real time. We maintain a full, publicly accessible incident history on our status page so you can evaluate our track record rather than just take our word for it.

08

Recording consent

Your legal obligations when using the Audora bot in calls.

Audora's bot joins your meetings and records audio. Recording laws vary significantly by jurisdiction - some require only one party's consent (the party initiating the recording), while others require all participants to actively consent before recording begins. Several countries outside the US have strict requirements that apply regardless of where the recording party is located.

You are responsible for ensuring all call participants have been informed of and consented to the recording before the Audora bot joins. We cannot and do not verify consent on your behalf. Failure to obtain required consent may expose you to civil or criminal liability under wiretapping, privacy, or surveillance laws applicable in your jurisdiction or your participants' jurisdictions.

The simplest approach: tell participants at the start of the call that the session is being recorded. Most video conference platforms also display a recording indicator to all participants when a bot joins, which provides an implicit notification. We recommend combining both - verbal notice and platform notification - for any call involving participants in jurisdictions you are not certain about.

Audora's Terms of Service require you to comply with all applicable recording laws. We reserve the right to suspend accounts where we have credible evidence of recording without required consent.

Report a vulnerability

If you discover a security vulnerability in Audora, we want to know about it. We take all reports seriously, investigate promptly, and will not pursue legal action against researchers who follow responsible disclosure practices.

Please email us with a description of the vulnerability, steps to reproduce it, and the potential impact. We will acknowledge receipt within 24 hours and aim to resolve confirmed vulnerabilities within 30 days.

Security questions

If you have questions about our security practices, data handling, or need documentation for your own compliance review, reach out to us directly. We are happy to answer specific questions and provide additional detail where our public documentation is insufficient.

For enterprise customers evaluating Audora, we can provide a security questionnaire response and additional technical documentation on request.
