Security

Information Security Program

speechx employs information security policies and there is an executive-level commitment to implement and follow the policies throughout the organization.

Information Security program is lead by the Chief Technology Officer.

Customer Data

speechx (Windows and Mac) is a desktop app which analyses a user's voice during online calls, video meetings, practice sessions using their favorite apps (Zoom, Skype,  Teams, etc) to provide insights into their speaking behaviours. speechx processes all voice audio data on secure servers hosted on Amazon Web Services.

speechx stores the following customer data in its cloud:

  • Email addresses (if the customer is using email-based signup). No email addresses will be stored if the customer is using device-based authentication.
  • Team names
  • Payment history and invoices
  • Analytics data - Time and duration when speechx has been used
  • Metadata - Behavioural insights for each speechx session
  • (Optional) Audio recording files, only when opted in for this feature (see section below)

Recordings

Recordings is an optional feature in speechx.

speechx allows users to record audio from the machine’s microphone and speaker. This feature is disabled unless the user explicitly opts in for it. When users opt-in, they can hit a record button from inside the speechx app and speechx will start recording the audio for that session. The audio files are stored on speechx's AWS S3 storage, in encrypted form.

If you would like to learn more about how this feature works, please contact security@speechx.tech

Encryption

TLS 1.2 is enforced throughout all our services (no exception).

All production databases and customer data are encrypted at rest with AES-256 (no exception).

Authentication

speechx supports two authentication methods for users:

  • Google sign-in (OAuth 2.0)
  • Email verification based sign-in (a random magic code is sent to the user’s email every time)

GDPR and Data Retention

Customers can delete all their data by sending an email to support@speechx.tech

Customers can request all their data by sending an email to support@speechx.tech

Once a user account is deleted, all associated data (account settings, etc.) are removed from speechx systems. This action is irreversible.

Data Access and Segregation

Account data is gated at the application layer. Account data is not physically segregated at the database or storage layers.

Internal Team Data Access

By default, only our key engineering leads have access to customer data. All other engineers do not have access to customer data unless granted permission for debugging purposes.

Infrastructure Availability

The speechx app operates locally on the users’ machines and needs to connect to its backend to display insights. When it detects that it can no longer connect to the backend it stops operating.

Our backend infrastructure is entirely hosted on AWS, it’s fully automated and monitored by continuous functional tests to detect any sort of downtime.

Production and Datacenter Security

speechx backend is entirely hosted on AWS and leverages all the security benefits (physical security, key management, redundancy, scalability, etc) that AWS provides. The IT infrastructure that AWS provides to its customers is designed and managed in alignment with security best practices and a variety of IT security standards, including SOC 1/SSAE 16/ISAE 3402 • SOC 2 • SOC 3 • FISMA, DIACAP, and FedRAMP • DOD CSM Levels 1-5 • PCI DSS Level 1 • ISO 9001 / ISO 27001 • ITAR • FIPS 140-2 • MTCS Level 3.

In addition, speechx backend is security-hardened by:

  • Using the least privilege principle for limiting internal communication between its hosts
  • Closing all unused ports (including SSH) with AWS’s built-in firewall
  • Only allowing HTTPS communication with AWS’s most recommended TLS settings
  • Using best and modern practices for secure programming

Regular PenTests and Security Scans

speechx backend is regularly scanned with industry-standard scanning tools for monitoring and detecting vulnerabilities.

Responsible Disclosure

We consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present.

We encourage security researchers to work with us to mitigate and coordinate the disclosure of potential security vulnerabilities. If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems.

Please do the following:

  • Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability
  • Do not reveal the problem to others until it has been resolved,
  • Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties, and
  • Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.
  • Submit a vulnerability report by clicking the button below, or email your findings to security@speechx.tech

What we are seeking:

On our frontend applications – security bugs that are results of improper deserialization of input data which could lead to vulnerabilities like dom xss on the web, various kinds of overflows, incorrect memory handlings, and anything else that could lead to user account, machine, private data compromise.

On the backend side – security bugs that are results of improper user input handling, security misconfiguration, improper access control and anything else that could lead to user account, private data compromise, information disclosure, various kinds of abuses, server compromise.

What is in scope:

  • *.speechx.tech,
  • speechx windows application,
  • speechx macOS application.

What we promise:

  • We will respond to your report within 5 business days with our evaluation of the report and an expected resolution date,
  • If you have followed the instructions above, we will not take any legal action against you in regard to the report,
  • We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission,
  • We will keep you informed of the progress towards resolving the problem.

We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication on the problem after it is resolved.

Contact

If you have any questions about this doc please contact us at:
security@speechx.tech