Security Posture
At SpeakToText, the security of your account, your systems, and your vocal transcriptions is our foundational priority. We implement strict defense-in-depth methodologies across our global infrastructure, local applications, and databases to shield your productivity workflows.
Last updated: May 24, 2026
1. Secure Edge and Container Architecture
Edge Network Isolation: The SpeakToText marketing website and routing systems are served on the Cloudflare global edge network, isolated behind standard Cloudflare Web Application Firewalls (WAF) to prevent DDoS attacks, code injection, and unauthorized request scanning.
Transport Encryption: All data in transit across our marketing site, desktop clients, mobile clients, and backend APIs is encrypted using TLS 1.3. Plaintext HTTP is globally disabled.
Backend Container Separation: Our production backend microservice (speaktotext-api) operates in isolated containerized cluster nodes hosted on Railway. Each container runs with strict, minimally scoped service accounts under rigid firewall boundaries.
2. Local Desktop & Mobile Security Boundaries
Local-First Databases: Your local dictation configurations, workflow mappings, and personal replacement rules are stored directly on your computer inside sandboxed SQLite application directories. This data never touches our cloud databases.
System Keychain Caching: SpeakToText does not store passwords or access tokens in plaintext files. On Windows, credentials and session tokens are encrypted and cached using the Windows Credential Manager. On macOS, tokens are written securely to the native Apple Keychain using hardware-backed cryptographic protections.
Tauri Security Profile: Our desktop application is built on Tauri (Rust), eliminating massive Chromium resource footprints and compiling with strict webview Content Security Policies (CSP). The app enforces isolated inter-process communication (IPC) protocols, preventing cross-site scripting (XSS) or browser injection attacks from gaining system-level command capabilities.
3. Data Processing and Ephemeral Memory
In-Memory Transcription: When using cloud dictation services, your audio inputs are processed purely in-memory. Audio files are streamed over secure pipelines, decoded in transient RAM, parsed by speech-to-text models, and immediately erased from RAM upon completion. No audio files or raw text blocks are ever written to persistent disk storage on our servers.
No Persistent Logging: We keep only the minimal system logs required to maintain service availability and troubleshoot performance issues. These logs contain only metadata (such as timestamps, API response codes, and subscription status) and never capture audio files, transcript contents, or account secrets.
4. Administrative Access & Database Protections
Enterprise PostgreSQL: Our production database is hosted in isolated cloud clusters on Supabase. We enforce connection pooling and restrict direct access through secure TLS protocols, ensuring your user records are heavily isolated.
Multi-Factor Authentication (MFA): All administrative consoles, deployment interfaces, and Railway dashboard environments require hardware-backed Multi-Factor Authentication (MFA / TOTP) to prevent credential stuffing or session hijacking attacks.
CORS Whitelisting: Our live API endpoints enforce strict CORS whitelists at the application layer, permitting cross-origin access only from verified SpeakToText production domains, local developer environments, and secure admin interfaces.
5. Stripe Billing and PCI Compliance
All payment pipelines are fully isolated. Subscription checkout is completed out-of-band, directly on Stripe Hosted Checkouts.
We never store, intercept, or process credit card numbers or raw bank details on our servers. Stripe is certified as a PCI-DSS Level 1 Service Provider (the most stringent security standard in the payment industry).
6. Responsible Disclosure & Safe Harbor Policy
We welcome security researchers and developers to audit our systems. If you believe you have identified a vulnerability or security exposure in our website, API, or applications:
• Submit a detailed report covering the reproduction steps, impact, and proposed resolution to support@speaktotext.org.
• Allow us a reasonable timeframe (typically 7-14 days) to analyze and remediate the issue before public disclosure.
• Avoid destructive actions, extracting user data, or running automated penetration testing tools against production environments.
We commit to reviewing all security reports promptly. Legitimate researchers operating in good faith will be granted safe harbor protection from legal action, and we will work collaboratively to patch issues swiftly.