Security Overview

Policy doesn't have to be confusing or difficult, so we've made our Security Overview simple to read and easy to grasp. If you get stuck, copy it and paste it into Tell Sid.
Last Updated: 15 May 2025
1. Our security philosophy
Tell Sid is built with privacy by design and zero-trust architecture. We collect the minimum data necessary, encrypt everything in transit and at rest, and delete data as soon as possible.
2. Data minimisation
• Voice streams are processed in real time and never stored.
• Transcripts exist only in your browser tab and are deleted when you close it.
• Session metadata is anonymised and retained for just 30 days.
• Access logs are kept for 7 days only, for security monitoring.
3. Encryption & transport security
• TLS 1.2+ for all connections between your browser and our servers.
• AES-256 encryption at rest for any stored data.
• Certificate pinning to prevent man-in-the-middle attacks.
• HSTS headers to enforce secure connections.
4. Third-party processors
We keep the supply chain short. Only Google (speech-to-text processing) and OpenAI (chat generation), plus the infrastructure and e-mail vendors listed in the Privacy Notice, can touch limited user data, and each holds ISO 27001 or SOC 2 Type II certification or an equivalent enterprise-grade security standard.
5. Infrastructure security
• Vercel Edge Network – globally distributed, DDoS-protected hosting.
• Cloudflare – additional DDoS protection and Web Application Firewall.
• Automated security scanning – continuous monitoring for vulnerabilities.
• Dependency updates – automated patching of security issues.
6. Access controls
• Multi-factor authentication for all administrative accounts.
• Role-based permissions – team members can access only what they need.
• Audit logging – all administrative actions are logged and monitored.
• Regular access reviews – permissions are reviewed quarterly.
7. Incident response
• 24/7 monitoring via automated alerts and human oversight.
• Incident response plan with defined escalation procedures.
• Breach notification within 72 hours where required by law.
• Post-incident reviews to prevent recurrence.
8. Compliance & auditing
• GDPR compliance with appropriate technical and organisational measures.
• Regular security assessments by independent third parties.
• Penetration testing at least annually.
• Staff security training and background checks.
9. Vulnerability disclosure
Found a security issue? We welcome responsible disclosure:
• E-mail security@insinto.ai with details.
• We'll acknowledge receipt within 24 hours.
• We'll provide a fix timeline within 5 working days.
• We may offer a bug bounty for qualifying vulnerabilities.
Please do not test vulnerabilities on the live service without permission.
10. Security updates
This overview is reviewed quarterly and updated as our security posture evolves. Material changes will be announced via our transparency reports.
Questions about security? E-mail security@insinto.ai – we're happy to discuss our approach in more detail.

Copyright © INSINTO LTD 2025. All rights reserved.