Trust · Security
Security Overview
Velvet is built with security and privacy as foundational design values, not afterthoughts. Below is a transparent summary of our technical and organisational safeguards.
Encryption in transit & at rest
All data between Velvet and our servers travels over TLS 1.3. Local settings, dictionaries, and snippets are AES-256 encrypted at rest on your device.
Hardened infrastructure
Account data lives on a hardened Linux server with encrypted volumes, automated security patches, and network segmentation. HTTP is disabled site-wide.
Password security
Passwords are hashed with bcrypt (cost factor 12) and never logged or stored in plaintext. We enforce strong password requirements and never email passwords.
Zero retention by default
Cloud audio is deleted immediately after transcription. In Privacy Mode, Velvet writes nothing to disk. No audio or transcripts are retained for model training.
Access control
Production system access is gated by hardware security keys, multi-factor authentication, and full audit logging. Infrastructure access is limited to founders.
Third-party oversight
Our payment processor (PayPal) and email provider (Resend) are SOC 2 Type II compliant. Cloud transcription (Groq) operates under a strict data-processing agreement with no-training clauses.
Subprocessors & third parties
We engage the following subprocessors to deliver our services. Each is contractually bound to process data only on our behalf and for the purposes listed.
| Provider | Purpose | Location |
|---|---|---|
| PayPal | Payment processing, subscription management, VAT | United States |
| Resend | Transactional email delivery | United States |
| Cloudflare | CDN, DNS, DDoS mitigation | United States / EU |
| Groq | Cloud transcription & AI text cleanup (Pro, opt-in) | United States |
| Hetzner | Server hosting (Linux VMs, encrypted volumes) | Germany (Nuremberg) |
Data residency & transfers
Account and billing data are stored on servers in the European Union (Germany). When you use cloud transcription, audio is processed by Groq in the United States. We rely on Standard Contractual Clauses (SCCs) for any personal data transfers outside the UK and EEA, as required by UK GDPR and EU GDPR.
Incident response & breach notification
We maintain an internal incident response plan. In the unlikely event of a personal data breach, we will notify affected users and the UK Information Commissioner's Office (ICO) within 72 hours where required by law. We will also notify any relevant EU supervisory authorities.
Compliance roadmap
We are actively working toward SOC 2 Type II and ISO 27001 certification. While we do not yet hold these certifications, the controls described above are designed to meet or exceed their requirements. We will update this page as certifications are achieved.
Reporting security issues
If you discover a vulnerability or security issue, please use our contact form and select Security as the topic. We commit to acknowledging reports within 48 hours and resolving valid issues promptly.