| layout | default |
|---|---|
| title | SafeScribe — Security Architecture |
| description | How SafeScribe protects your data — a technical overview of our privacy-by-design approach. |
| lang | en |
Last updated: March 2026
Overview
TLS 1.2+ encryption and certificate pinning on every connection. No proxy can intercept.
Audio never touches disk. Processed in volatile memory and deleted immediately after transcription.
Your email and name are never stored. Only a one-way hash of your account ID is kept.
AES-256 encrypted storage on device. Keys in hardware-backed secure storage only.
All crash reports are scrubbed of personal data before leaving your device.
Design Principle
Traditional transcription services write your audio to disk, queue it for processing, and may store it indefinitely. SafeScribe takes the opposite approach: audio is received directly into RAM, processed there, and deleted the moment you receive your transcript. See the full data journey diagram below.
The difference: even if a server were physically seized, there would be no audio or transcript data to recover — it only ever existed in volatile memory.
Layer 1
| Protection | What It Prevents |
|---|---|
| TLS 1.2+ encryption | Eavesdropping on network traffic |
| Certificate pinning | Man-in-the-middle attacks, rogue servers |
| Integrity checksums | Transcript corruption or tampering |
The app contains a cryptographic fingerprint of SafeScribe's server certificate. Even if a certificate authority were compromised, the app refuses to connect to anything other than the genuine SafeScribe server.
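The check described above, as an added example in Python (not SafeScribe's app code): the pin is a SHA-256 fingerprint of the server's leaf certificate, the connection fails closed when the presented certificate is not pinned, and ordinary chain validation still runs underneath. The pin values and the `SAFESCRIBE_PINS` name are placeholders.

```python
import hashlib
import socket
import ssl
from typing import FrozenSet

class PinMismatch(Exception):
    """The server presented a certificate whose fingerprint is not in the pin set."""

def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded leaf certificate, as lower-case hex."""
    return hashlib.sha256(der_cert).hexdigest()

def pin_matches(der_cert: bytes, pins: FrozenSet[str]) -> bool:
    """True only if the presented certificate is one the app was shipped with.
    A certificate that chains to a trusted CA but is not pinned still fails here."""
    return cert_fingerprint(der_cert) in pins

def connect_pinned(host: str, port: int, pins: FrozenSet[str], timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS 1.2+ connection and enforce the pin before any application data is sent."""
    ctx = ssl.create_default_context()            # ordinary chain and hostname validation still apply
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    if not pin_matches(tls.getpeercert(binary_form=True), pins):
        tls.close()                               # fail closed: no fallback to an unpinned connection
        raise PinMismatch(f"{host}:{port} presented an unpinned certificate")
    return tls

# Pin set as the app would ship it: the current server certificate plus a backup so a planned
# rotation does not lock clients out. Placeholder values, not SafeScribe's real fingerprints.
SAFESCRIBE_PINS = frozenset({
    "<sha256-hex-of-current-server-cert>",
    "<sha256-hex-of-backup-server-cert>",
})
```

Keeping a backup pin matters operationally: a pin set containing only the live certificate turns every certificate rotation into an outage for clients that have not updated.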
Layer 2
This is the core of SafeScribe's privacy design. The server runs OpenAI's Whisper model weights via the self-hosted faster-whisper inference engine — no third-party API calls. The data store is configured for memory-only operation with no disk persistence whatsoever. Every piece of data has an automatic expiry as a failsafe.
- ✓ If the server restarts, all in-memory data is permanently lost — by design
- ✓ No disk file, backup, or log contains your audio
- ✓ Forensic disk analysis of the server would find zero audio content
What the server holds temporarily (in RAM):
| Data | Deleted When |
|---|---|
| Audio bytes | Transcription completes |
| Transcript text | You acknowledge receipt |
| Job metadata | You acknowledge receipt |
What the server stores permanently (on disk):
| Data | Purpose | Contains PII? |
|---|---|---|
| Pseudonymous user identifier | Billing record | No — one-way hash, cannot be reversed |
| Duration and cost | Financial record | No |
| File size (bytes) | Service analytics | No |
| Word count | Service analytics | No |
| Timestamps | Audit trail | No |
Layer 3
SafeScribe uses Google Sign-In and Apple Sign-In for authentication. Your personal details are never stored:
| What the auth provider gives us | What we store |
|---|---|
| Email address | Not stored |
| Display name | Not stored |
| Account ID | One-way cryptographic hash only |
The one-way hash of your account identifier:
- ✓ Cannot be reversed to reveal your identity
- ✓ Is unique to you — for billing only
- ✓ Contains zero personally identifiable information
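The page does not say which hash construction produces the stored identifier. This added example (not SafeScribe's code) assumes HMAC-SHA256 with a server-held secret, which keeps the stored value one-way even though provider account IDs have a known format and limited entropy; the `PEPPER` name and the provider strings are assumptions.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side secret (in practice loaded from a secrets manager, never shipped in the app).
# A fresh random value is generated here so the example runs stand-alone.
PEPPER = secrets.token_bytes(32)

def pseudonymous_user_id(provider: str, account_id: str, pepper: bytes = PEPPER) -> str:
    """Derive the billing identifier stored on disk from the auth provider's account ID.

    A keyed HMAC is used rather than a bare hash: with a plain SHA-256, anyone holding the
    stored value could confirm a guessed account ID simply by hashing it. The provider name
    is mixed in so identical IDs from different providers can never collide.
    """
    if len(pepper) < 32:
        raise ValueError("pepper must be at least 32 random bytes")
    message = provider.encode("utf-8") + b"\x00" + account_id.encode("utf-8")
    return hmac.new(pepper, message, hashlib.sha256).hexdigest()

def same_user(stored: str, provider: str, account_id: str, pepper: bytes = PEPPER) -> bool:
    """Match a sign-in against a stored billing record using a constant-time comparison."""
    return hmac.compare_digest(stored, pseudonymous_user_id(provider, account_id, pepper))
```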
Layer 4
Transcripts stored on your device are protected by:
| Protection | Technology |
|---|---|
| Encryption | AES-256 |
| Key storage | Platform secure hardware (iOS Keychain / Android Keystore) |
| Database | Encrypted containers |
Even if someone accesses your device's file system, transcript data appears as encrypted binary — unreadable without the key. The encryption key is stored in hardware-backed secure storage, not in the app's files. Deleting the app permanently destroys the key.
Layer 5
When the app encounters an error, an optional crash report can be sent. Before any report leaves your device, the following are automatically removed:
You can opt out of crash reporting entirely in the app's Privacy Settings.
Layer 6
SafeScribe implements immediate cascade deletion: each processing step deletes the previous step's data. Audio is deleted after transcription, and the transcript is deleted after you acknowledge receipt. The full data journey diagram shows the complete flow with all deletion points.
This is not a background cleanup job. Deletion happens immediately as part of the processing pipeline — there is no window where data accumulates.
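The RAM-only store with cascade deletion and expiry failsafe described in Layer 2 and Layer 6, as an added Python example (not the SafeScribe server's code). The TTL values, the `EphemeralJobStore` class and the injectable clock are assumptions; the `model` callable stands in for the inference engine.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
# Constructed expiry values; the page says only that every item expires automatically as a failsafe.
AUDIO_TTL_S = 300        # audio not transcribed within 5 minutes is dropped
TRANSCRIPT_TTL_S = 3600  # a transcript the client never acknowledges is dropped after 1 hour

@dataclass
class Job:
    job_id: str
    audio: Optional[bytearray]        # kept only until transcription completes
    since: float                      # when the job entered its current state
    transcript: Optional[str] = None  # kept only until the client acknowledges receipt

class EphemeralJobStore:
    """RAM-only job store: nothing is written to disk, and each step deletes the previous step's data."""
    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._jobs: Dict[str, Job] = {}
        self._clock = clock

    def submit(self, job_id: str, audio: bytes) -> None:
        # Copy into a mutable buffer so deletion can overwrite it rather than only drop a reference.
        self._jobs[job_id] = Job(job_id, bytearray(audio), self._clock())

    def transcribe(self, job_id: str, model: Callable[[bytes], str]) -> None:
        job = self._jobs[job_id]
        job.transcript = model(bytes(job.audio))
        job.audio[:] = bytes(len(job.audio))  # cascade step 1: zero the audio, then drop it
        job.audio = None
        job.since = self._clock()

    def acknowledge(self, job_id: str) -> None:
        del self._jobs[job_id]  # cascade step 2: transcript and job metadata go on ACK

    def expire(self) -> List[str]:
        """Failsafe sweep: drop anything past its TTL, e.g. a client that never sends an ACK."""
        now = self._clock()
        stale = [j.job_id for j in self._jobs.values()
                 if now - j.since > (TRANSCRIPT_TTL_S if j.transcript is not None else AUDIO_TTL_S)]
        for job_id in stale:
            job = self._jobs.pop(job_id)
            if job.audio is not None:
                job.audio[:] = bytes(len(job.audio))
        return stale

    def holds(self, job_id: str) -> Dict[str, bool]:
        job = self._jobs.get(job_id)
        if job is None:
            return {"audio": False, "transcript": False, "metadata": False}
        return {"audio": job.audio is not None, "transcript": job.transcript is not None, "metadata": True}
```

Zeroing the buffer before dropping it is a best effort in Python: the bytes object the caller passed in, and any copies the decoder makes, are freed by the allocator without being overwritten.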
Full Journey
{: #your-datas-journey}
| Step | Your device | Server |
|---|---|---|
| 1 | Record/select audio | |
| 2 | Preprocess locally | |
| 3 | Encrypt + upload (TLS) | Receive in RAM |
| 4 | | AI transcription (RAM only) |
| 5 | | Audio DELETED |
| 6 | Receive transcript (TLS) | Send transcript |
| 7 | Verify integrity | Wait for ACK |
| 8 | Store encrypted locally (AES-256) | |
| 9 | Send ACK | Transcript DELETED; Job metadata DELETED |
| 10 | Done | ZERO data remains |
Transparency
We encourage security researchers and privacy advocates to verify our claims:
- Network analysis: Use Wireshark or Charles Proxy to inspect traffic. All SafeScribe connections are TLS-encrypted; any interception attempt is blocked by certificate pinning.
- Published assessments: Read our Data Protection Impact Assessment for the full risk analysis and decision record.
- Responsible disclosure: Found a vulnerability? Contact security@safescribe.dev.