Security Overview

Security is fundamental to our approach to safety and privacy, which is why we destroy conversations the moment you leave the chat with Tell Sid, in addition to everything else we do.

Last Updated: 15 May 2025

Encryption in transit

All traffic between your browser and our servers travels over HTTPS with TLS 1.2 or higher. Modern browsers display the padlock icon when the connection is encrypted.

Encryption at rest

Tell Sid itself stores no user data. Any temporary server-side files sit on infrastructure provided by Vercel. Vercel states that all customer data is encrypted at rest using AES-256-GCM. If we ever change hosting provider we will update this notice to reflect the new controls.

Penetration testing and vulnerability scans

  • A CREST-accredited penetration test is commissioned once a year.

  • Automated dependency and network vulnerability scans run monthly; critical issues are patched within 72 hours, high-severity issues within seven days.

Access control and logging

Only two senior engineers hold production access, protected by hardware security keys and single sign-on. Access events are logged and retained for 90 days for audit.

Incident-response process

If we discover a security incident that affects personal data we will:

  1. Activate our incident-response plan within two hours.

  2. Investigate and contain the issue, preserving relevant logs.

  3. Notify affected users and the ICO within 72 hours where legally required.

  4. Publish a post-mortem on the Trust Centre once containment is complete.

Contact the incident team at security@insinto.ai — this inbox is monitored 24 × 7. Please include any reproduction steps or logs you can share.

Dependency management

All open-source libraries are pinned to specific versions. We run npm audit in CI and receive automated GitHub Dependabot alerts. Vulnerable dependencies are upgraded within the patch windows described above.

Third-party processors

We keep the supply chain short. Only OpenAI (speech-to-text and chat) plus the infrastructure and e-mail vendors listed in the Privacy Notice can touch limited user data, and each holds ISO 27001- or SOC 2 Type II-level certifications.

Responsible disclosure

Found a vulnerability? E-mail security@insinto.ai with the details. We will acknowledge within two business days and keep you informed of our remediation progress. We do not operate a paid bug-bounty programme yet, but we credit researchers who help us keep users safe.

Copyright © INSINTO LTD 2025. All rights reserved.
