Security & Privacy
Your interview audio never lives on our servers.
SubcueAI is built native, encrypted in transit and at rest, and deliberately stateless when it comes to your interview audio. Here's exactly how.
Last updated: May 15, 2026
Audio handling
The interview audio is never stored permanently outside your machine.
- Captured locally: the macOS / Windows app uses ScreenCaptureKit (Mac) and WASAPI loopback (Win) to capture audio from your video call. No browser extension, no meeting bot.
- Streamed for STT: audio is streamed (not stored) to a speech-to-text provider for real-time transcription. The audio buffer is dropped from memory as soon as the transcript chunk lands.
- Zero server persistence: we never write the audio waveform to disk on our backend. R2 / D1 / KV all hold transcripts and metadata only.
- Transcript is yours to delete: per-record deletion from /dashboard/records wipes both the transcript and the AI analysis immediately.
Encryption
Transit + at-rest
In transit
TLS 1.3
Forced HTTPS via Cloudflare. HSTS preloaded with max-age=63072000 (2 years).
At rest
AES-256
Cloudflare R2 (resumes / job descriptions / release binaries) uses SSE-256 server-side encryption by default.
Authentication
PBKDF2 + JWT
Password hashing: PBKDF2 with 100,000 iterations. Session tokens: JWT signed with HMAC-SHA256.
Sub-processors
Who touches your data
Subcue AI LLC is the data controller. The following sub-processors handle specific slices of customer data under contract. Each entry lists what they see and where their infrastructure is located.
| Provider | Purpose | Region |
|---|---|---|
| Cloudflare | Hosting, CDN, D1 (database), KV, R2 (object storage), Vectorize (embeddings) | Global edge / US-EU |
| OpenAI | GPT-4o for AI answer generation | United States |
| Deepgram | Speech-to-text (real-time) | United States |
| ElevenLabs | Speech-to-text (alternative) | United States |
| Paddle | Merchant of Record + checkout, billing, tax compliance | United Kingdom |
| Stripe | Payment processing (select flows) | United States |
| Apple | App Store In-App Purchases (iOS/macOS users) | United States |
| Resend | Transactional email (verification, receipts) | United States |
| Google Analytics | Web analytics — anonymized usage metrics (IP-masked) | United States |
Updates to this list are announced in Terms of Service revisions.
Access & authentication
Tokens, sessions, revocation
- JWT access tokens, 1-hour TTL.
- Refresh tokens stored in HttpOnly Secure SameSite=Lax cookies, hashed server-side before storage.
- Server-side revocation list — logout invalidates tokens immediately across all devices.
- OAuth (Google / Apple) flows happen server-to-server; access tokens never reach browser JavaScript.
- Desktop app uses subcue:// custom protocol with one-time auth code exchange — same security model as native macOS / Windows OAuth flows.
HTTP security headers
What every response carries
- Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
- X-Frame-Options: DENY
- X-Content-Type-Options: nosniff
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy: camera=(), microphone=(), geolocation=()
- Content-Security-Policy-Report-Only: ...
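An added example (not SubcueAI's code): a Python check that audits a captured response against the header list above and flags that a Report-Only CSP logs violations without enforcing anything. The names `parse_headers` and `audit` are illustrative, the sample input is constructed, and the CSP value is a placeholder because the page elides it.

```python
import re

# Expected values come from the header list on this page.
HSTS_MIN_AGE = 63072000
EXPECTED_EXACT = {
    "x-frame-options": "deny",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
}
DISABLED_FEATURES = ("camera", "microphone", "geolocation")

# Constructed sample: the headers as listed; the CSP value is a placeholder
# because the page elides it.
PAGE_HEADERS = """\
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
Content-Security-Policy-Report-Only: <policy elided on the page>
"""

def parse_headers(raw):
    """Map lowercased header names to their values, in order of appearance."""
    headers = {}
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return sorted findings; an empty list means the response matches."""
    h, findings = parse_headers(raw), []
    first = lambda name: h.get(name, [""])[0].lower()
    hsts = [d.strip() for d in first("strict-transport-security").split(";")]
    age = next((int(d[8:]) for d in hsts if re.fullmatch(r"max-age=\d+", d)), 0)
    if age < HSTS_MIN_AGE:
        findings.append("hsts: max-age below 63072000 or missing")
    findings += [f"hsts: missing {d}" for d in ("includesubdomains", "preload") if d not in hsts]
    findings += [f"{n}: expected {w}" for n, w in EXPECTED_EXACT.items() if first(n) != w]
    policy = {p.strip().replace(" ", "") for p in first("permissions-policy").split(",")}
    findings += [f"permissions-policy: {feat} not disabled"
                 for feat in DISABLED_FEATURES if f"{feat}=()" not in policy]
    if "content-security-policy" not in h:  # Report-Only logs violations, blocks nothing
        state = "report-only" if "content-security-policy-report-only" in h else "absent"
        findings.append(f"csp: not enforced ({state})")
    return sorted(findings)
```

Run against the headers exactly as listed, `audit(PAGE_HEADERS)` returns a single finding, `csp: not enforced (report-only)`.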
Compliance
Regional regulations
GDPR (EU / EEA / UK)
We process EU personal data under lawful bases including consent, contract performance, and legitimate interests. Data subject rights (access, correction, erasure, portability) are honored — email contact@subcue.app with your request.
CCPA (California)
California residents have the right to know, delete, and opt out of data sale. We do not sell personal data. Submit CCPA requests to the same address as GDPR.
Data retention
What we keep, for how long
- Account data: retained while your account is active.
- Interview transcripts: retained until you delete the record. Per-record deletion available at /dashboard/records.
- Audio waveforms: never persisted.
- Account deletion: all personal data wiped within 30 days. Anonymized aggregate stats (e.g., total interviews assisted) retained indefinitely.
- Telemetry events: retained 90 days by default (configurable in admin), then auto-purged by daily cron.
Responsible disclosure
Found a vulnerability?
Email contact@subcue.app with subject line [SECURITY]. We commit to:
- Acknowledge receipt within 48 hours.
- Provide a triage update within 5 business days.
- Follow a 90-day responsible disclosure timeline before public discussion.
- Credit reporters publicly (with consent) once the issue is resolved.
Out of scope: social engineering, physical attacks, attacks on third-party sub-processors.
Questions about this page? Email contact@subcue.app.