Infrastructure
- Hosting — SoScripted runs on a globally distributed edge network; all traffic is served over HTTPS with TLS encryption.
- Database — Data is stored in a managed PostgreSQL database with encryption at rest (AES-256) and in transit (TLS 1.2+).
- Async processing — Background jobs run through a message queue; webhook callbacks that trigger jobs are signature-verified before they are processed.
Authentication
- Authentication is handled via Google OAuth and magic link providers
- No passwords are stored in any form: sign-in is delegated to OAuth tokens managed by the identity provider, or to a one-time magic link
- Session tokens are stored in cookies set with the HttpOnly, Secure and SameSite attributes, so scripts cannot read them and they are only sent over HTTPS
- Bot protection on public forms via CAPTCHA verification
API Security
- Public API uses Bearer token authentication; tokens are stored only as hashes, so a database compromise does not expose usable credentials
- All API endpoints enforce rate limiting to prevent abuse
- HTTPS is required for all API communication
- Webhook deliveries carry an HMAC signature over the payload so receivers can verify both its origin and its integrity
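To make the "tokens are hashed before storage" bullet concrete, here is an added example (not SoScripted's code; the `sos_` prefix, the in-memory table and the function names are assumptions) of issuing a bearer token, storing only its SHA-256 digest, and resolving an `Authorization` header back to a user. Because the token is a 256-bit random value, a fast hash is sufficient: there is no low-entropy secret for an attacker to brute-force, unlike a password.

```python
"""Bearer token issuance and lookup with hash-only storage (added example)."""
import hashlib
import secrets
from typing import Dict, Optional

# Constructed stand-in for the api_tokens table: sha256(token) -> user id.
# The plaintext token is never written here.
_TOKEN_TABLE: Dict[str, str] = {}


def hash_token(token: str) -> str:
    """Deterministic digest used as the storage and lookup key."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(user_id: str) -> str:
    """Create a token, persist only its hash, and return the plaintext once.

    The 'sos_' prefix is an assumption; prefixes let secret scanners
    recognise leaked tokens without affecting their security.
    """
    token = "sos_" + secrets.token_urlsafe(32)  # 256 bits of entropy
    _TOKEN_TABLE[hash_token(token)] = user_id
    return token


def authenticate(authorization_header: Optional[str]) -> Optional[str]:
    """Resolve 'Authorization: Bearer <token>' to a user id, or None.

    Looking the digest up directly is safe: an attacker who can measure
    lookup timing still learns nothing about a token they do not hold,
    since the key is a one-way function of the token.
    """
    if not authorization_header:
        return None
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return _TOKEN_TABLE.get(hash_token(token.strip()))


def revoke_token(token: str) -> bool:
    """Delete the stored hash; returns True if the token existed."""
    return _TOKEN_TABLE.pop(hash_token(token), None) is not None


if __name__ == "__main__":
    t = issue_token("user-1")
    print("issued:", t)
    print("stored rows:", list(_TOKEN_TABLE))
    print("auth ->", authenticate("Bearer " + t))
```

The revocation path matters as much as issuance: once the hash row is gone, the plaintext the client still holds is useless.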
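The signed-webhook bullets in the Infrastructure and API Security sections describe the same technique from the two sides. The following added example (not SoScripted's code) shows an HMAC-SHA256 scheme with both sender and receiver; the `X-Signature` header name, the `t=<timestamp>,v1=<hex>` format, the five-minute tolerance and the sample event are all assumptions modelled on common webhook designs. The receiver verifies the raw request body before parsing it, compares in constant time, and rejects stale timestamps to limit replay.

```python
"""HMAC webhook signing and verification, sender and receiver (added example)."""
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

SIGNATURE_HEADER = "X-Signature"  # assumed header name
TOLERANCE_SECONDS = 300           # assumed replay window

# Constructed sample secret and event; not real values.
WEBHOOK_SECRET = b"whsec_example_not_a_real_secret"
SAMPLE_EVENT = {"event": "transcript.completed", "transcript_id": "tr_123"}
SAMPLE_BODY = json.dumps(SAMPLE_EVENT, separators=(",", ":")).encode("utf-8")


def sign_payload(secret: bytes, body: bytes, timestamp: int) -> str:
    """Sender side: MAC over '<timestamp>.<raw body>' so the time is bound too."""
    signed = str(timestamp).encode("ascii") + b"." + body
    mac = hmac.new(secret, signed, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def verify_signature(secret: bytes, body: bytes, header: Optional[str],
                     now: Optional[int] = None) -> bool:
    """Receiver side: parse the header, check freshness, compare in constant time."""
    if not header:
        return False
    parts = dict(p.split("=", 1) for p in header.split(",") if "=" in p)
    try:
        timestamp = int(parts["t"])
    except (KeyError, ValueError):
        return False
    current = int(time.time()) if now is None else now
    if abs(current - timestamp) > TOLERANCE_SECONDS:
        return False  # stale or future-dated: treat as replay
    expected = hmac.new(secret, str(timestamp).encode("ascii") + b"." + body,
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, parts.get("v1", ""))


def deliver(body: bytes, secret: bytes, timestamp: int) -> Dict[str, str]:
    """Build the headers a sender attaches to the outgoing POST."""
    return {"Content-Type": "application/json",
            SIGNATURE_HEADER: sign_payload(secret, body, timestamp)}


def receive(headers: Dict[str, str], raw_body: bytes, secret: bytes,
            now: Optional[int] = None) -> Optional[dict]:
    """Verify against the raw bytes first; only then parse. None means reject."""
    if not verify_signature(secret, raw_body, headers.get(SIGNATURE_HEADER), now):
        return None
    return json.loads(raw_body)


if __name__ == "__main__":
    ts = int(time.time())
    headers = deliver(SAMPLE_BODY, WEBHOOK_SECRET, ts)
    print(headers[SIGNATURE_HEADER])
    print("accepted:", receive(headers, SAMPLE_BODY, WEBHOOK_SECRET))
    print("tampered:", receive(headers, SAMPLE_BODY + b" ", WEBHOOK_SECRET))
```

Two details trip up real integrations: the MAC must be computed over the exact bytes received, not over a re-serialized JSON object, and the comparison must use `hmac.compare_digest` rather than `==`.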
Data Privacy
- User data is never shared with third parties for marketing or advertising
- Transcripts are private to your account — only you can access them
- Payment processing is handled by a PCI-DSS compliant payment processor — we never see your full card number
- Transcript data processed by our AI pipeline is never used for third-party model training
Practices
- Dependencies are regularly updated to patch known vulnerabilities
- Input validation and sanitization on all user-facing endpoints
- Content Security Policy headers on all pages
- No sensitive data (API keys, credentials) in client-side code
Reporting Vulnerabilities
If you discover a security vulnerability, please report it responsibly by emailing support@soscripted.com. We take all reports seriously and will respond promptly.