Security and privacy at Epilude

Epilude is working toward a SOC 2 attestation. We do not yet hold a SOC 2 report, and no certification is claimed today. We will publish status updates here as we progress.

Epilude does not store, process, or transmit payment card information directly. All payment card transactions are handled by PCI DSS–compliant third-party payment processors. As a result, Epilude’s PCI DSS scope is limited, and applicable compliance obligations are met through our payment processing partner, Stripe.

Epilude complies with applicable data protection and privacy laws, including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), where they apply.

Epilude maintains processes and controls to support data subject rights, lawful data processing, and transparency obligations. No formal external certification is required for compliance with these regulations.

We adhere to the principle of least privilege, giving team members access only to the information necessary for their job functions. Requests for privilege escalation require documented approval by an authorized manager, and we perform regular audits of access privileges to sensitive applications.

We maintain an incident response plan that defines responsibilities, detection methods, and corrective actions during security incidents. We use monitoring tools for early detection, and we test, review, and update the plan at least annually.

We log, time-stamp, and attribute source code changes to their author in our source code management tool. We restrict access to the tool to authorized users with multi-factor authentication.

We enforce multi-factor authentication (MFA) for user accounts with access to company email, version control tools, and cloud infrastructure.

We patch and update all systems on a documented, regular, and timely schedule, using the Common Vulnerability Scoring System (CVSS) to set patching guidelines. We address critical security vulnerabilities as soon as possible regardless of CVSS score.

Our employees complete mandatory security awareness training continuously, and we maintain records of completion.

We actively manage vendor risks through a structured approach that includes maintaining a critical third-party vendor inventory and conducting risk assessments before initiating third-party work. We repeat these assessments annually to identify any gaps between third-party security controls and our information security standards.

We perform periodic tests, which can include tabletop sessions, disaster simulations, or other realistic scenarios. After each test, we create an assessment report indicating the success of the exercise and any required corrective actions.

We review SOC 2 reports from service providers at onboarding and annually to assess the appropriateness of scope and the impact of identified exceptions. For critical vendors without SOC 2 reports but with access to company data, we perform regularly scheduled risk assessments to evaluate performance and compliance with security commitments.

We collect three broad categories of data to deliver the product. Audio and transcripts are captured when you press to dictate; we send the audio to a speech-to-text service and return the transcript to your Mac. Account information includes your email address, authentication credentials, and basic profile details you provide. Usage and diagnostic data is anonymous information about how you use the app, including errors, crashes, and performance metrics.

Captured audio is treated as Customer Content under our Privacy Policy.

Most processing happens through a small set of trusted subprocessors. The full list, with each subprocessor’s purpose and location, is in the Subprocessors section above.

Audio is sent to our speech-to-text providers to produce transcripts and is deleted from the provider in line with their data-handling commitments. Transcripts may be sent to a large language model provider for formatting or auto-editing when you use those features. Account credentials are managed by our authentication provider. Payment information is handled directly by our payment processor; we do not store full card numbers. Product analytics flow through a self-hosted service so the underlying data stays on infrastructure we control.

We encrypt all sensitive data in transit using industry-standard protocols like TLS 1.3. Data at rest is encrypted using AES-256, and we manage encryption keys securely in a KMS.

No. We do not train any models on your data, and the speech-to-text and large language model providers we use are configured not to train on it either.

We have established procedures to respond to data subject requests within regulatory timeframes. We authenticate requests to verify identity, and we provide data in a commonly used, machine-readable format. We log and track all requests for compliance purposes.

We retain data only for as long as necessary to fulfill business purposes or comply with legal requirements. When data is no longer needed, we securely delete it using approved methods that prevent recovery. We run regular audits to confirm compliance with retention schedules.