BriefVox AIBriefVox AI
Home

BriefVox AI

Security Policy

Last updated: 2026-05-30

BriefVox AI Security Policy

Operator details

The operator of BriefVox AI is: Filip Ogonowski, a natural person conducting unregistered business activity within the meaning of Art. 5 of the Polish Act of 6 March 2018 – Entrepreneurs' Law, Generała Dezyderego Chłapowskiego 12, 05-825 Grodzisk Mazowiecki, Poland.

Customer support contact: support@briefvox.com.

Privacy and data protection contact: privacy@briefvox.com.

1. Purpose of this document

This document may be published as a public-facing Security page and used internally as a set of security requirements for BriefVox AI.

2. File security

Audio files, video files, and linked media imports are stored in a private, non-public data store.

Files are accessed through temporary, expiring links.

Files are encrypted at rest and in transit.

Files are not publicly indexed and must not be accessible without user authorization.

3. Administrative access

Administrative access must be limited to individuals who genuinely require it.

Administrative accounts must have two-factor authentication (2FA) enabled.

Administrative actions must be logged.

Service staff and technical personnel do not have standard access to the contents of user recordings or transcriptions. Emergency access, if technically provided for, may only be used in exceptional circumstances, must require authorization, must be recorded in logs, and must be limited to the minimum scope necessary to resolve the issue.

4. Application security

passwords stored only as secure hashes,

sessions in secure HTTP-only cookies,

rate limiting on login and password reset,

file validation and 2 GB size limit,

server-side audio-track duration verification,

Stripe webhooks with signature verification and idempotency,

protection against concurrent minute-limit bypass,

regular dependency updates.

5. Transcription and AI providers

Audio files, video files, and linked media imports are transcribed on the Operator's own infrastructure and are not sent to an external transcription provider. If the User chooses to generate AI Notes, transcript text may be sent to the configured AI provider solely to generate the selected AI Note.

6. Backups and recovery

the system must have backups of the database and metadata,

backups must be encrypted,

access to backups must be restricted,

backup restoration must be tested periodically,

the backup deletion cycle must align with the Data Retention Policy.

7. Vulnerability reporting

Security issues can be reported to: privacy@briefvox.com. A report should include a description of the vulnerability, reproduction steps, and the potential impact. The Operator will not penalize good-faith disclosures that do not involve accessing other users' data or disrupting the Service.