Security

How we protect your data

Your audio files and transcripts are encrypted at rest using AES-256 encryption and in transit using TLS 1.3. Passwords are hashed with bcrypt and never stored in plain text.

Access to your data is controlled through authenticated sessions with JWT tokens stored in httpOnly, secure, same-site cookies. Every API request is verified against your identity and organization membership before any data is returned.

Two-factor authentication (TOTP) is available for all accounts and strongly recommended.

We do not use your audio, transcripts, or any account data to train AI models. Your content is processed solely to generate your transcript, then removed from processing servers.

Infrastructure

User accounts, transcripts, and application data are stored in a managed PostgreSQL database with encrypted backups. Audio files are stored in encrypted object storage during processing and deleted after transcription completes.

Access to production infrastructure requires multi-factor authentication and is restricted to authorized personnel on a need-to-know basis. All production access is logged and auditable.

Third-party services (payment processing, email delivery, GPU compute) are selected for their security posture and bound by data processing agreements. Payment data is handled entirely by Stripe and never touches our servers.

Reporting vulnerabilities

If you discover a security vulnerability in YanaScript, we ask that you report it responsibly so we can address it before it affects users.

Email security@yanascript.com with a description of the issue, steps to reproduce, and any supporting evidence. We aim to acknowledge reports within 48 hours and provide a resolution timeline within 5 business days.

Our security.txt file is available at the standard well-known URI for automated discovery.

We will not take legal action against researchers who report vulnerabilities in good faith and do not access, modify, or expose user data beyond what is necessary to demonstrate the issue.

Compliance

Kenya Data Protection Act (2019). YanaScript complies with the Kenya DPA, including lawful processing, data minimization, and the rights of data subjects to access, correct, and delete their personal data.

GDPR. For users in the European Economic Area, we uphold all rights under the General Data Protection Regulation, including data portability, the right to erasure, and transparent processing disclosures.

SOC 2. SOC 2 Type II certification is on our compliance roadmap. We are actively implementing the controls required for the Trust Services Criteria covering security, availability, and confidentiality.

For compliance inquiries, contact privacy@yanascript.com.