Security Architecture

In short: SafeScribe processes your audio exclusively in volatile server memory (RAM). The moment your transcript is delivered, all data is permanently erased. No disk writes, no backups, no copies — ever. This page explains how each layer of protection works.

Last updated: March 2026

Overview

Six Layers of Protection

🔐

Layer 1 — Transport

TLS 1.2+ encryption on every connection. Traffic is end-to-end encrypted with no exceptions.

🧠

Layer 2 — RAM-Only

Audio never touches disk. Processed in volatile memory and deleted immediately after transcription.

👤

Layer 3 — Pseudonymous Identity

Your email and name are never stored. Only a one-way hash of your account ID is kept.

🔒

Layer 4 — Local Encryption

AES-256 encrypted storage on device. Keys in hardware-backed secure storage only.

🐛

Layer 5 — PII Redaction

All crash reports are scrubbed of personal data before leaving your device.

🗑

Layer 6 — Cascade Deletion

Each processing step immediately deletes the previous step's data. TTL failsafe as backup.

Design Principle

Process, Deliver, Delete

Traditional transcription services write your audio to disk, queue it for processing, and may store it indefinitely. SafeScribe takes the opposite approach:

Traditional services write audio to disk and may retain it indefinitely. SafeScribe receives audio into RAM, processes it, and deletes it the moment you receive your transcript. See the full data journey diagram below.

The difference: even if a server were physically seized, there would be no audio or transcript data to recover — it only ever existed in volatile memory.

Layer 1

Transport Security

Protection	What It Prevents
TLS 1.2+ encryption	Eavesdropping on network traffic
Integrity checksums	Transcript corruption or tampering

You can verify: Use any network inspection tool (e.g., Wireshark) to confirm all SafeScribe traffic is TLS-encrypted.

Layer 2

RAM-Only Server Processing

This is the core of SafeScribe’s privacy design. The server runs OpenAI’s Whisper model weights via the self-hosted faster-whisper inference engine — no third-party API calls. The data store is configured for memory-only operation with no disk persistence whatsoever. Every piece of data has an automatic expiry as a failsafe.

✓ If the server restarts, all in-memory data is permanently lost — by design
✓ No disk file, backup, or log contains your audio
✓ Forensic disk analysis of the server would find zero audio content

What the server holds temporarily (in RAM):

Data	Deleted When
Audio bytes	Transcription completes
Transcript text	You acknowledge receipt
Job metadata	You acknowledge receipt

What the server stores permanently (on disk):

Data	Purpose	Contains PII?
Pseudonymous user identifier	Billing record	No — one-way hash, cannot be reversed
Duration and cost	Financial record	No
File size (bytes)	Service analytics	No
Word count	Service analytics	No
Timestamps	Audit trail	No

By design: There is no "download again" option. Once you acknowledge receipt, the data is gone — there is nothing left to retrieve.

Layer 3

Pseudonymous Identity

SafeScribe uses Google Sign-In and Apple Sign-In for authentication. Your personal details are never stored:

What the auth provider gives us	What we store
Email address	Not stored
Display name	Not stored
Account ID	One-way cryptographic hash only

The one-way hash of your account identifier:

✓ Cannot be reversed to reveal your identity
✓ Is unique to you — for billing only
✓ Contains zero personally identifiable information

You can verify: Inspect API traffic from the app. After authentication, no request contains your email or name — only a Bearer token that the server validates internally.

Layer 4

Local Encryption

Transcripts stored on your device are protected by:

Protection	Technology
Encryption	AES-256
Key storage	Platform secure hardware (iOS Keychain / Android Keystore)
Database	Encrypted containers

Even if someone accesses your device’s file system, transcript data appears as encrypted binary — unreadable without the key. The encryption key is stored in hardware-backed secure storage, not in the app’s files. Deleting the app permanently destroys the key.

Layer 5

PII Redaction in Diagnostics

When the app encounters an error, an optional crash report can be sent. Before any report leaves your device, the following are automatically removed:

Redacted before sending: Email addresses · Phone numbers · IP addresses · File paths · Authentication tokens

What's included: Error type and stack trace (technical only) · Device model · OS version · App version

You can opt out of crash reporting entirely in the app’s Privacy Settings.

Layer 6

Cascade Deletion

SafeScribe implements immediate cascade deletion — each processing step triggers deletion of the previous step’s data:

Each processing step immediately deletes the previous step’s data: audio is deleted after transcription, transcript is deleted after acknowledgment. The full data journey diagram shows the complete flow with all deletion points.

This is not a background cleanup job. Deletion happens immediately as part of the processing pipeline — there is no window where data accumulates.

Failsafe: Even if the normal deletion process fails (network error, app crash), every piece of data in server memory has an automatic expiry. Data self-destructs regardless.

Full Journey

Your Data’s Journey

Your Device SafeScribe Server Your Device ----------- ----------------- ----------- Record/select audio | Preprocess locally | Encrypt + upload ---TLS----> Receive in RAM | AI transcription (RAM only) | Audio DELETED | Receive transcript <--TLS---- Send transcript | | Verify integrity Wait for ACK | | Store encrypted Send ACK ---> Transcript DELETED locally (AES-256) Job metadata DELETED | | Done ZERO data remains

Transparency

Independent Verification

We encourage security researchers and privacy advocates to verify our claims:

Network analysis Use Wireshark or Charles Proxy to inspect traffic. All SafeScribe connections are TLS-encrypted.
Published assessments Read our Data Protection Impact Assessment for the full risk analysis and decision record.
Responsible disclosure Found a vulnerability? Contact security@safescribe.dev.