CauceOS
Start free
Security

How we protect your information

Encryption, access control, tenant isolation, monitoring, and incident response.

Last updated · May 13, 2026

Your information, protected by design

CauceOS works with conversations that matter: therapy, coaching, interviews, and 1-on-1 meetings. Security and confidentiality aren't optional — they're the foundation the product is built on.

This page describes our main security practices. For operational details or formal audits, contact us at security@cauceos.com.

Encryption and data transmission

  • In transit: all communications between your browser, our servers, and our providers use TLS 1.3 with perfect forward secrecy. HSTS preload is active across the domain.
  • At rest: databases and file storage encrypt with AES-256 or higher. Encryption keys are rotated periodically and managed with KMS.
  • Sensitive audio: recordings are stored in a dedicated bucket with encryption by default and IAM-restricted access.

Access control

  • Mandatory MFA for all staff with production access.
  • Least privilege: each role gets only the permissions strictly needed for its function.
  • Continuous auditing: every privileged action generates an immutable event in our audit log.
  • Credential rotation: critical secrets are rotated quarterly or after any suspicion of exposure.

Per-tenant isolation

  • Every organization operates over rows tagged with its unique identifier.
  • Database queries enforce Row-Level Security at the engine layer.
  • We periodically audit that no query crosses organizational boundaries.

Secure development

  • Mandatory code review before any merge to the main branch.
  • Continuous dependency scanning and critical patches applied within 72 hours.
  • Security linters running on every pull request.
  • Pre-commit hooks that block accidental secret leaks before reaching the repository.

Operational resilience

  • Automated daily backups of the database, with staged 30-day retention.
  • Point-in-time recovery available for the last 24 hours.
  • Business continuity plan documented and tested at least twice a year.
  • 24/7 monitoring of service health with alerts to our team.

Privacy by design

  • Minimal retention: transcripts are kept in active systems for 90 days by default, then archived to encrypted storage.
  • On-demand erasure: you can request deletion of all your information at any time; we honour it within 30 days at most, unless retention is legally required.
  • PII scrubbing: data sent to our error monitoring is filtered for personally identifiable information.
  • Anonymized analytics: product analytics runs with anonymized IP and no individual profiling.

Incident response

If we detect a security incident that may affect your data:

  • We start investigation within 1 hour of detection.
  • We notify you within 72 hours of confirmation.
  • We publish a public post-mortem once resolved.

To report a vulnerability responsibly: security@cauceos.com. We investigate every report received and we thank those who help keep the platform safe.

Compliance

We comply with the data protection regulations applicable in the jurisdictions where we operate, including European (GDPR), United States (CCPA), and the corresponding Latin American frameworks. Specific legal details are available at /privacy and /terms.

Contact

  • Security: security@cauceos.com
  • Privacy: privacy@cauceos.com
  • General support: hello@cauceos.com