Security
Swiftshot is built to handle your meeting data with care. Here's how we protect your information at every layer.
AI & Data Processing
- Meeting notes are processed by Anthropic’s Claude API, which does not use API inputs to train its models
- Notes are processed in real time and are not retained by Anthropic after the response is returned
- No meeting content is shared with third parties beyond the processors listed in our Privacy Policy
- AI extraction runs on-demand only — your notes are never batch-processed or used for analytics
Authentication & Access Control
- Enterprise-grade authentication via Clerk with email verification
- All authenticated routes protected by server-side middleware
- Row-Level Security (RLS) enabled on every database table
- Session cookies carry the httpOnly and Secure flags — not accessible to client-side JavaScript and never sent over plain HTTP
Data Storage & Encryption
- All data stored in Supabase (PostgreSQL) with encrypted connections
- Database credentials are server-side only — never exposed to the browser
- Public database keys have no access to user data (blocked by RLS policies)
- All data encrypted at rest at the infrastructure level
Transport & Infrastructure
- All traffic encrypted with HTTPS/TLS — enforced at the edge
- Hosted on Vercel’s global edge network with automatic SSL certificates
- No sensitive data stored in cookies — only essential session tokens
- Error monitoring via Sentry with source map support for rapid incident response
API Protection
- Global rate limiting on all API endpoints via middleware
- Tighter rate limits on AI extraction and action completion endpoints
- Stripe webhook signature verification prevents forged payment events
- Input validation and HTML escaping on all user-generated content
Email & Communications
- Custom sending domain authenticated with SPF, DKIM, and DMARC
- DMARC policy set to quarantine — spoofed emails are flagged
- Functional unsubscribe mechanism for all action recipients
- No marketing emails — only transactional action notifications
Payments
- All payment processing handled by Stripe — Swiftshot never sees card numbers
- PCI DSS compliance managed entirely by Stripe
- Subscription lifecycle managed via verified webhooks
- Customer billing portal for self-service payment management
Third-Party Processors
These services process data on our behalf under strict contractual obligations.
| Provider | Purpose | Location |
|---|---|---|
| Clerk | Authentication | US |
| Supabase | Database | EU/US |
| Anthropic | AI extraction | US |
| Resend | Email delivery | EU |
| Stripe | Payments | US |
| Vercel | Hosting | US |
| Sentry | Error monitoring | US |
Questions or concerns?
If you have questions about our security practices, need to report a vulnerability, or require additional documentation for your compliance review, contact us at obsidlabs@gmail.com.