Your Conversations Deserve Bank-Level Protection
Every meeting contains ideas worth protecting. From strategic decisions to confidential discussions, your conversations are encrypted, secured, and guarded by the same standards used by financial institutions.
Data Protection
Military-Grade Encryption, Everywhere
Your data is protected whether it's traveling across networks or stored in our systems. We use the same encryption standards trusted by governments and financial institutions worldwide—because your conversations are just as valuable.
- AES-256 Encryption at Rest: Your recordings and media files are encrypted at rest using AES-256, the gold standard that would take billions of years to crack with current technology.
- TLS 1.3 in Transit: All data transmitted between your browser and our servers uses TLS 1.3 with perfect forward secrecy, so even if the server's long-term private key is later compromised, past communications remain secure.
- Enterprise Key Management: Encryption keys are managed through enterprise-grade key management services with automatic rotation policies, ensuring keys are never exposed and are regularly refreshed.

Access Control
Your Account, Fort Knox Protected
We don't just lock the door—we build a fortress. Multiple layers of authentication and granular permissions ensure that only the right people can access your data, and only the data they're supposed to see.
- OAuth 2.0 Single Sign-On: Authenticate securely through Google Workspace with enterprise SSO. No passwords stored on our servers means one less attack vector for bad actors.
- 57+ Granular Permissions: Our role-based access control system offers over 57 distinct permissions across 6 system roles. You decide exactly who can see, edit, or share each piece of content.
- Short-Lived JWT Tokens: Session tokens use HMAC-SHA256 signing with strict validation and short expiration times, so a stolen token expires quickly and is of little use to an attacker.
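The token properties described above (HMAC-SHA256 signing, strict validation, short expiry) are illustrated by the following added example, which is not Insight Draft's own code. It implements HS256 JWT issuance and verification with only the Python standard library; the secret, the 15-minute default lifetime and the claim names are constructed for the demonstration. The verification side is the part worth studying: it fixes the algorithm instead of trusting the token header, compares signatures in constant time, and treats a missing `exp` claim as a failure rather than an unlimited-lifetime token.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; a real service would load it from its key management service.
DEMO_SECRET = b"constructed-demo-secret-do-not-use"


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, secret: bytes, ttl_seconds: int = 900,
                now: Optional[float] = None) -> str:
    """Issue an HS256 JWT that expires after ttl_seconds (15 minutes by default)."""
    issued_at = int(now if now is not None else time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": issued_at, "exp": issued_at + ttl_seconds}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def verify_token(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Strict validation: fixed algorithm, constant-time signature check, mandatory exp.

    Raises ValueError on any failure so callers cannot accidentally use a bad token.
    """
    current = now if now is not None else time.time()
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The verifier decides the algorithm; the token header never does.
    # This rejects alg=none and algorithm-confusion tokens outright.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison so signature checking does not leak timing information.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    exp = payload.get("exp")
    if not isinstance(exp, int):
        raise ValueError("missing exp")
    if current >= exp:
        raise ValueError("token expired")
    return payload


if __name__ == "__main__":
    token = issue_token("user-42", DEMO_SECRET)
    print("issued:", token)
    print("claims:", verify_token(token, DEMO_SECRET))
```

Because `verify_token` raises on every failure path, an application can only reach the returned claims after the signature, algorithm and expiry checks have all passed; the short TTL then bounds how long a token captured from a client remains valid.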

Infrastructure
Built on World-Class Cloud Security
We don't build data centers—we partner with the best. Our infrastructure runs on AWS in the EU, backed by their industry-leading security certifications and protected by defense-in-depth architecture.
- EU Data Storage: All data is stored in EU data centers, ensuring GDPR compliance and data sovereignty for European organizations. AI processing is handled through GDPR-compliant providers with appropriate data protection agreements.
- Content Security Policy: Comprehensive HTTP security headers including CSP, HSTS, X-Content-Type-Options, and clickjacking protection defend against the most common web attacks.
- Intelligent Rate Limiting: IP-based rate limiting with sliding window algorithms and automatic blocking protects against brute force attacks and denial-of-service attempts.
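The security headers named above (CSP, HSTS, X-Content-Type-Options and clickjacking protection) are the kind of thing a deployment check should verify on every release. The following added example, not part of Insight Draft's own tooling, audits a response's headers and reports weak or missing settings; it assumes X-Frame-Options is the clickjacking header in use and treats a one-year HSTS max-age, `nosniff`, and a CSP without `'unsafe-inline'` scripts as the bar. Both header sets are constructed for the demonstration.

```python
import re
from typing import Dict, List

REQUIRED_HEADERS = {
    "content-security-policy",
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
}

ONE_YEAR = 31536000


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for a response's headers; an empty list means it passes."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    for name in sorted(REQUIRED_HEADERS):
        if name not in lower:
            findings.append(f"missing {name}")

    csp = lower.get("content-security-policy")
    if csp:
        # Map each directive name to its full text, e.g. "script-src" -> "script-src 'self'".
        directives = {d.strip().split(" ")[0]: d.strip() for d in csp.split(";") if d.strip()}
        if "default-src" not in directives:
            findings.append("csp: no default-src fallback")
        # script-src falls back to default-src when absent, so check whichever applies.
        script = directives.get("script-src", directives.get("default-src", ""))
        if "'unsafe-inline'" in script:
            findings.append("csp: script-src allows 'unsafe-inline'")
        if "frame-ancestors" not in directives:
            findings.append("csp: no frame-ancestors (clickjacking relies on X-Frame-Options only)")

    hsts = lower.get("strict-transport-security")
    if hsts:
        match = re.search(r"max-age=(\d+)", hsts)
        if not match or int(match.group(1)) < ONE_YEAR:
            findings.append("hsts: max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("hsts: includeSubDomains not set")

    xcto = lower.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        findings.append("x-content-type-options: must be nosniff")

    xfo = lower.get("x-frame-options")
    if xfo is not None and xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("x-frame-options: must be DENY or SAMEORIGIN")
    return findings


# Constructed: a weak configuration of the kind the audit should flag.
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=3600",
    "X-Frame-Options": "ALLOWALL",
}

# Constructed: the corrected configuration.
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_security_headers(hdrs) or ["ok"])
```

Running the audit against the weak set surfaces six findings; the hardened set returns none, which is the condition a release pipeline would gate on.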

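The rate-limiting approach described in the Infrastructure section (per-IP sliding window with automatic blocking) is shown by this added example, which is not Insight Draft's own implementation. The limiter keeps a log of request timestamps per IP, evicts those older than the window, and blocks a client for a configurable penalty period once it exceeds the limit, so a brute-force burst cannot resume the moment its oldest request ages out. The limits, the penalty duration and the sample traffic are constructed for the demonstration.

```python
from collections import deque
from typing import Deque, Dict, List, Tuple


class SlidingWindowLimiter:
    """Per-IP sliding-window limiter with temporary automatic blocking.

    Constructed example: at most max_requests per window_seconds for each IP;
    a client that exceeds that is blocked for block_seconds.
    """

    def __init__(self, max_requests: int, window_seconds: float, block_seconds: float) -> None:
        self.max_requests = max_requests
        self.window_seconds = window_seconds
        self.block_seconds = block_seconds
        self._hits: Dict[str, Deque[float]] = {}
        self._blocked_until: Dict[str, float] = {}

    def allow(self, ip: str, now: float) -> bool:
        """Return True if the request may proceed; denied requests are not counted."""
        blocked_until = self._blocked_until.get(ip)
        if blocked_until is not None:
            if now < blocked_until:
                return False
            del self._blocked_until[ip]
        hits = self._hits.setdefault(ip, deque())
        # Evict timestamps that slid out of the window.
        cutoff = now - self.window_seconds
        while hits and hits[0] <= cutoff:
            hits.popleft()
        if len(hits) >= self.max_requests:
            # Over the limit: start the penalty period for this IP.
            self._blocked_until[ip] = now + self.block_seconds
            return False
        hits.append(now)
        return True


def replay(limiter: SlidingWindowLimiter, events: List[Tuple[float, str]]) -> List[bool]:
    """Replay (timestamp, ip) events in order and return each allow/deny decision."""
    return [limiter.allow(ip, ts) for ts, ip in events]


# Constructed sample traffic: one client hammering a login endpoint, one normal client.
SAMPLE_EVENTS = [(float(t), "203.0.113.7") for t in range(6)] + [
    (5.0, "198.51.100.2"),
    (100.0, "203.0.113.7"),
    (305.0, "203.0.113.7"),
]

if __name__ == "__main__":
    limiter = SlidingWindowLimiter(max_requests=5, window_seconds=60, block_seconds=300)
    for (ts, ip), decision in zip(SAMPLE_EVENTS, replay(limiter, SAMPLE_EVENTS)):
        print(f"t={ts:>6} {ip:<14} {'allow' if decision else 'deny'}")
```

With five requests per minute and a five-minute block, the sixth request from the busy client is denied, the other client at the same instant is unaffected, and the busy client is admitted again only once its block has lapsed; setting the block to zero gives a plain sliding window, where capacity returns as the oldest timestamp leaves the window.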
Compliance
Certified, Audited, Transparent
Security isn't just about technology—it's about process, governance, and accountability. We maintain rigorous compliance standards and undergo regular third-party assessments to prove it.
- GDPR Compliant: Full compliance with EU data protection regulations including right to deletion, data portability, and transparent processing. Request your data or delete it anytime.
- CASA Security Practices: We follow Cloud Application Security Assessment methodology, performing regular SAST and DAST scanning using industry-standard tools like FluidAttacks and OWASP ZAP.
- SOC 2 Ready Controls: Our systems are designed to meet SOC 2 Type II requirements for security, availability, and confidentiality with comprehensive audit logging and access controls.

Monitoring
Proactive Security Testing
Security is a continuous process, not a one-time setup. We regularly test and scan our systems to identify and fix vulnerabilities before they can be exploited.
- Application Request Logging: All API requests are logged with correlation identifiers, enabling investigation of issues and tracking of system behavior across services.
- Error Tracking & Monitoring: Application errors and exceptions are captured and tracked, allowing our team to quickly identify and resolve issues affecting system reliability.
- Continuous Vulnerability Scanning: Regular SAST, DAST, and dependency vulnerability scans identify security issues before they can be exploited. We fix vulnerabilities, not just find them.

Ready for Enterprise-Grade Security?
Your meetings contain your most valuable ideas, strategies, and decisions. They deserve protection that matches their importance. Start using Insight Draft today and experience security that never compromises on convenience.
Security Questions Answered
All data is stored in EU data centers. This ensures GDPR compliance and data sovereignty for European organizations. AI-powered features use GDPR-compliant providers with appropriate data protection agreements in place.
Absolutely. You can request complete deletion of your account and all associated data at any time through your account settings or by contacting us. This includes transcripts, recordings, analytics, and any connected service credentials. We honor deletion requests within 30 days as required by GDPR.
We use multiple layers of protection: OAuth 2.0 for authentication (no passwords stored), JWT tokens with short expiration times, role-based access control with 57+ granular permissions, IP-based rate limiting to prevent brute force attacks, and comprehensive audit logging to detect suspicious activity.
Yes, comprehensively. All meeting transcripts, recordings, and metadata are encrypted both in transit (TLS 1.3) and at rest (AES-256). Encryption keys are managed through AWS KMS with automatic rotation. Even our own engineers cannot read your data without explicit authorization.
We never sell your data. We only use essential third-party services required to provide our services: AWS for infrastructure, OpenAI for AI-powered transcription and analysis, Stripe for payments, and Google for authentication. All vendors are bound by strict data processing agreements and are GDPR compliant.
Please report security vulnerabilities to security@insightdraft.com. We take all reports seriously and will respond within 24 hours. We appreciate responsible disclosure and will work with you to understand and address the issue before any public disclosure.