Security.

How the system is built, how your data is protected, and how to tell us if something looks wrong.

Transport.

All traffic is over TLS 1.3. The marketing site, the API, and the per-org workspaces are served over HTTPS with HSTS. The .app top-level domain is HTTPS-only by default.

Storage.

Meeting content is stored in a per-org Google Sheet under our Google Workspace, with Google's at-rest encryption. Marketing site assets are served from Cloudflare Pages.

Architecture.

Two layers:

  • Cloudflare Worker at the edge for real-time meeting state, live tallies, and the founding-member counter.
  • Google Apps Script for writes to the per-org Sheet (signup, magic-link auth, minute book persistence).

The marketing site is fully static. There is no PHP, no shared web host runtime, no admin panel exposed on the public domain.

Auth.

No passwords. Sign-in is via email magic-link with a 15-minute expiry and a single-use token. JWTs live in memory only, never in localStorage. No third-party identity broker is required for the Community or Pro tiers; SAML SSO is available on Public Sector and Enterprise.

Backups.

Per-org Sheet backed up nightly to a separate Google Drive folder under retention lock. Worker key-value store snapshotted hourly.

How audio is handled in transit and at rest.

The mic-station iPads stream PCM audio over a WebSocket protected by TLS 1.3. The bytes go from the browser straight to the streaming speech-to-text vendor (Deepgram by default), proxied through our meeting Worker. The Worker only forwards; it does not write raw audio to disk along the way.

Transcript chunks are written to Cloudflare R2 with bucket-level encryption at rest. Retention is one year, enforced by an R2 lifecycle rule that auto-purges objects past their expiry. There is no manual delete step.

Raw audio is not persisted at all on the Pro tier. On the Public Sector tier, raw audio is stored encrypted in R2 for 90 days, then auto-purged, to give records officers a window for FOIA verification. Executive-session periods are never sent to the vendor, never reach the Worker, and never reach R2.

The speech-to-text vendor is behind a thin interface in the Worker, not a direct SDK call from the surfaces. We can swap vendors without changing the meeting Worker or any client. That matters for FedRAMP and state-level compliance asks as we move into more public-sector deployments.

Headers.

The site sends Content Security Policy, HSTS (preload-ready), X-Content-Type-Options, X-Frame-Options DENY, Referrer-Policy strict-origin-when-cross-origin, and a strict Permissions-Policy. The full list lives in our _headers file.

Vulnerability reporting.

If you find a security issue, email contact@madeby1891.com with the subject line "Security." Please do not disclose publicly until we have had a chance to fix it. We will reply within one business day and credit you in the changelog when the fix ships, if you would like.

What we don't do.

  • We do not request camera permission anywhere in the product. Microphone permission is requested only on paired mic stations, only with attendee consent, and only when the chair has started a recorded session.
  • We do not store PII in any non-Google data store.
  • We do not commit secrets to source control; runtime secrets live in *-secret.js files that are git-ignored.

Last updated: 2026-05-26