Security & Privacy

🔐 Data Encryption

All data is protected both in transit and at rest:

• In transit: All connections use HTTPS/TLS encryption. HTTP requests are automatically redirected to HTTPS.
• At rest: Conversation content is encrypted using AES-256-GCM, the same standard used by financial institutions. Encryption keys are stored securely and separated from the data.

🤖 AI Privacy

We use Anthropic's Claude API for AI-powered coaching feedback. Your data is protected by Anthropic's enterprise agreement:

• Conversations are not used to train AI models.
• Uploaded transcripts are processed in memory only and deleted immediately after analysis. No copies are retained on our servers.
• AI interactions are stateless — each session is processed independently.

🔑 Access Control

The platform supports two access models, each with its own security measures:

Individual accounts (email & password)

• Passwords are protected using industry-standard hashing — passwords are never stored in plain text.
• Account lockout: Accounts are temporarily locked after repeated failed login attempts to prevent brute-force attacks.
• Rate limiting: Login endpoints are protected against credential-stuffing and automated attacks.
• Google SSO is available as an alternative to password-based authentication.
• Users can change their password at any time from within their account.
• Secure password recovery is available via email.

Corporate program access (code-based)

• Each code grants access to a specific participant for a defined program and duration — no account creation required.
• Single-session enforcement: Logging in with a code invalidates any previous active sessions.
• Codes can be set to auto-expire on a specific date.
• Participants can only access the sandbox modes assigned to their program.

All access types

• Sessions are managed via secure, signed tokens with configurable expiry.
• Sessions can be revoked immediately when a user logs out or access is removed.

🗓️ Data Retention

We provide configurable data lifecycle management:

• Each program can be assigned a retention period (e.g. 90 days after the program ends).
• When the retention period expires, all conversation and usage data for that program is automatically deleted.
• Administrators can also manually delete all data for a specific program at any time.
• Participants can delete individual conversations from within the app at any time.

📋 Audit Trail

All administrative actions are logged for accountability and compliance:

• Code generation, user management, and configuration changes are recorded with timestamps.
• Data cleanup actions (automatic and manual) are logged.
• Audit logs are retained independently of conversation data.

🛡️ Application Security

The platform implements industry-standard security practices:

• Input validation: All user inputs are validated and sanitized.
• Rate limiting: API endpoints are protected against abuse.
• Security headers: HTTP security headers including Content Security Policy.
• Automated backups: Regular automated backups ensure data can be recovered in the event of an incident.

☁️ Infrastructure

• Hosted on a managed cloud platform with SOC 2 Type II compliance.
• Deployed behind a reverse proxy with automatic TLS certificate management.
• Zero-downtime deployments from a protected, version-controlled codebase.

📊 Reporting & Compliance

• Usage reports can be exported per program as CSV files for client reporting.
• Data handling complies with the Privacy Act 1988 (Cth) and Australian Privacy Principles.
• For questions or concerns about data handling, contact us.