Security

Security and encryption in CauceOS

How CauceOS protects your data and your clients' data: TLS 1.3, AES-256 encryption at rest, role-based access control, multi-factor authentication, and retention policies. Explained for non-technical readers.

4 min readUpdated: 2026-05-13

The sessions you process with CauceOS contain confidential conversations. We take that responsibility seriously. This guide explains, in accessible terms, the measures that protect your information and your clients' information.

Encryption in transit
Encryption at rest
Access control
Authentication and user account
Organization isolation
Retention and deletion
Incident response
Common questions

Encryption in transit

All communication between your browser, the bot, and CauceOS servers travels protected with TLS 1.3 — the most modern standard for in-transit encryption. TLS 1.3 ensures that no one on the network (internet providers, Wi-Fi access points, third parties) can intercept or read the content of that communication.

This applies to:

The panel you open in your browser
The transcription that travels from the bot to your panel in real time
Any API request (reports, settings, etc.)

What this means for you: You can use CauceOS from a hotel or airport Wi-Fi network and the communication is equally protected.

Encryption at rest

Data stored in CauceOS — transcriptions, reports, settings — is encrypted with AES-256, the standard used by financial and defense organizations. Encryption applies to both the database and file storage.

What this means for you: If someone were to gain physical access to the servers where your data resides (which is highly unlikely given the hosting environment), they could not read the content without the decryption keys, which are stored separately and securely.

Access control

CauceOS uses role-based access control (RBAC). This means that each user can only see and modify data that their role gives them permission to access.

In a Business account with multiple members:

A team member only sees their own sessions, not their colleagues'.
An administrator can see sessions for all members of their organization, but not those of external organizations.
The CauceOS support team does not have routine access to your transcriptions. They can only access them in the case of technical support explicitly authorized by you.

Authentication and user account

Passwords: CauceOS delegates authentication to a specialized identity management provider. Passwords are never stored in plain text — they are protected with secure hashing.

Multi-factor authentication (MFA): You can activate MFA from Settings → Security. Once activated, you will need your password plus a one-time code to log in. We recommend activating it, especially if you work with clinical data.

Active sessions: You can view and close all your active sessions from Settings → Security → Active devices. If you suspect someone has accessed your account, close all sessions from there and change your password immediately.

Organization isolation

Each organization (individual account or Business workspace) is completely isolated. A user from Organization A cannot view, access, or affect the data of Organization B under any technical circumstance.

This isolation applies at the database level (rows tagged with the organization ID and row-level security policies) and at the storage level (isolated directories per organization with individual access control).

Retention and deletion

Default retention: 90 days from the session date. After 90 days, transcriptions are archived in compressed format in cold storage. They are not accessible from the panel, but can be retrieved upon request.

On-demand deletion: You can delete any session, report, or transcription at any time. See How to delete my data for complete instructions.

Complete account deletion: When you delete your account, all your data is deleted from active storage within 7 business days and from backups within 30 days.

Incident response

We have a documented security incident response process. If an incident is detected that affects user data:

We contain the incident as quickly as possible.
We assess the scope and affected data.
We notify affected users within a maximum of 72 hours of detection.
We publish a summary of the incident and the measures taken.

We have never had a security incident that affected user data. This process exists in case one ever occurs.

To report a vulnerability: If you discover something you believe is a security issue, write to us at security@cauceos.com. We respond in under 24 hours.

Common questions

Is CauceOS HIPAA compliant? CauceOS is not HIPAA certified and does not position itself as a covered tool under HIPAA for processing PHI (Protected Health Information) from US patients in a regulated clinical context. If your practice is in HIPAA jurisdiction, consult your legal advisor before using CauceOS with patients.

Where are the servers located? Data is stored in cloud infrastructure managed in data centers in the European Union. Region selection prioritizes data protection and low latency.

What happens to session audio? Audio is processed in real time to generate the transcription. We do not store audio files. Once processed, the audio does not persist in any system.

Can I get a Data Processing Agreement (DPA)? Yes. Write to us at support@cauceos.com with the subject "DPA Request" and we will send you the standard agreement. If your organization requires a custom DPA, we can manage that as well.

Related articles

Still have questions? Write to us at support@cauceos.com.

Was this article helpful?

← Back to help center

Didn't find what you were looking for? Write to us at support@cauceos.com