Skip to main content
ReplySequence

Security you can verify

Your transcripts and your inbox are the two most sensitive things you give us. Here's how we protect both.

AES-256 at rest
TLS 1.3 in transit
SOC 2 Type II infrastructure
OAuth, narrow scopes
Active

OAuth with narrow scopes

Gmail and Outlook connect via OAuth 2.0. We request the minimum scopes needed to send on your behalf — nothing more. No passwords are ever stored, and tokens are encrypted at rest and refreshable without re-auth.

Active

AES-256 encryption at rest

All sensitive data — OAuth tokens, transcripts in-flight, generated drafts — is encrypted with AES-256-GCM, the same standard used by banks and government agencies.

Active

TLS 1.3 in transit

Every request to and from ReplySequence is sent over TLS 1.3. HSTS is enforced with preload so downgrade attacks are not possible.

Active

Transcripts are not stored permanently

Transcripts are processed to generate your draft, then purged on a short retention window. We do not keep a long-term archive of what was said in your meetings, and transcripts are never used to train AI models.

Active

SOC 2 Type II infrastructure

Hosted on Vercel and backed by Supabase (Postgres) — both SOC 2 Type II certified. You inherit that posture through us, with row-level security, automated backups, and point-in-time recovery.

Active

Signed webhooks

All inbound webhooks (Fireflies, Granola, Zapier, Resend) are verified via HMAC-SHA256 signatures. Unsigned or tampered payloads are rejected before they reach the pipeline.

Active

Least-privilege access

Every API endpoint enforces explicit ownership checks. You can only ever see your own meetings, drafts, and sequences — never another user's data, even by ID guessing.

Active

Rate limiting & abuse protection

Public endpoints, webhooks, and onboarding flows are rate-limited. Stripe and Clerk handle payment and auth surfaces so card data and credentials never hit our servers.

How we handle your data

Collection

  • • Only the data we need to draft a follow-up
  • • OAuth tokens encrypted on arrival
  • • We never sell personal data

Processing

  • • AI inference via Anthropic Claude
  • • Transcripts not used for model training
  • • Processed in memory, purged quickly

Deletion

  • • Full data export on request
  • • Account deletion within 30 days
  • • Backups purged after retention window

Compliance posture

SOC 2 Type II
Via Supabase & Vercel
Infrastructure inheritance
GDPR
Compliant
EU data protection
CCPA
Compliant
California privacy law
HIPAA
Not in scope
No PHI processed

Full policies

For the long-form details on data use, rights, retention, and terms of service.

Privacy PolicyTerms of Service

Report a vulnerability

Found a security issue? Responsible disclosure is appreciated and acknowledged. Email goes straight to the founder — no triage queue.

security@replysequence.com