Trust & Security
JustHereToListen.io is built for sensitive meeting data: recordings,
transcripts, chat messages, summaries, action items, CRM exports, and
workflow automations. This page summarizes the controls available to
customers and administrators.
Security Architecture
- Tenant isolation. Meeting data is scoped by account, optional business sub-user, and workspace membership.
- API authentication. User API keys are stored as peppered HMAC hashes with prefix lookup; dashboard sessions use signed JWT cookies.
- Role-based access. Workspace roles separate viewer, member, and admin capabilities for shared meetings.
- Transport security. Production deployments should run behind HTTPS/TLS only.
- Secrets at rest. Integration and OAuth tokens are encrypted at rest when ENCRYPTION_KEY is configured.
- Delivery signing. Webhook deliveries can be signed and retried with persistent delivery logs.
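The two HMAC-based controls above (peppered API-key hashes with prefix lookup, and signed webhook deliveries) are shown together in the following added example. It is illustrative code written for this page, not JustHereToListen.io's implementation; the key prefix "jhtl_", the prefix length, the pepper value, the "v1=" signature format and the 300-second replay window are all assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets

# Constructed values for this example; a deployment would load the pepper and
# webhook secrets from its secret store, never from the database row itself.
PEPPER = b"example-pepper-not-for-production"
PREFIX_LEN = 12          # "jhtl_" plus the first 7 random characters (assumed layout)
TOLERANCE_SECONDS = 300  # how stale a signed delivery may be before it is rejected


def hash_api_key(raw_key: str, pepper: bytes = PEPPER) -> str:
    """HMAC-SHA256 of the raw key under a server-side pepper.

    A leaked table of hashes is useless without the pepper, and HMAC is cheap
    enough to run on every request because the keys themselves are high-entropy.
    """
    return hmac.new(pepper, raw_key.encode(), hashlib.sha256).hexdigest()


def issue_api_key(store: dict, user_id: str, pepper: bytes = PEPPER) -> str:
    """Create a key, persist only its prefix and hash, and return the raw key once."""
    raw_key = "jhtl_" + secrets.token_urlsafe(32)
    prefix = raw_key[:PREFIX_LEN]
    store.setdefault(prefix, []).append(
        {"hash": hash_api_key(raw_key, pepper), "user_id": user_id}
    )
    return raw_key


def lookup_api_key(store: dict, presented: str, pepper: bytes = PEPPER):
    """Narrow candidate rows by prefix, then compare the HMAC in constant time."""
    digest = hash_api_key(presented, pepper)
    for row in store.get(presented[:PREFIX_LEN], []):
        if hmac.compare_digest(row["hash"], digest):
            return row["user_id"]
    return None


def sign_delivery(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sign a webhook body together with its timestamp so replays can be bounded."""
    message = str(timestamp).encode() + b"." + body
    return "v1=" + hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_delivery(secret: bytes, timestamp: int, body: bytes,
                    signature: str, now: int) -> bool:
    """What a receiving endpoint runs: reject stale timestamps, then compare signatures."""
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False
    expected = sign_delivery(secret, timestamp, body)
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    keys: dict = {}
    raw = issue_api_key(keys, "user-42")
    print("issued", raw[:PREFIX_LEN] + "...", "->", lookup_api_key(keys, raw))

    secret = b"whsec_example"  # constructed endpoint secret
    body = b'{"event":"meeting.completed","meeting_id":"m_1"}'
    sig = sign_delivery(secret, 1_700_000_000, body)
    print("fresh delivery verifies:", verify_delivery(secret, 1_700_000_000, body, sig, 1_700_000_010))
    print("tampered body verifies:", verify_delivery(secret, 1_700_000_000, body + b" ", sig, 1_700_000_010))
```

The prefix is stored in the clear so the server can find the handful of candidate rows without hashing against every key; the HMAC comparison then decides. Persisting the timestamp and signature alongside each delivery log lets retries resend the exact payload the receiver will still accept.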
Meeting Privacy Controls
- Consent announcements. Bots can announce recording and transcription when they join a meeting.
- Account consent policy. Account administrators can require consent, set the default announcement, and define the opt-out phrase through the Privacy API.
- Workspace consent policy. Workspace settings can force consent for every bot created inside that workspace.
- Opt-out redaction. Participants who say or type the opt-out phrase are redacted from the transcript.
- Deletion request intake. Participants can submit a deletion request without an account. Owners review and complete erasure.
Data Lifecycle
- Retention policies. Accounts can set separate retention windows for bot data, recordings, and transcripts.
- Recording cleanup. Retention enforcement removes audio/video artifacts independently from transcripts and summaries.
- Account erasure. GDPR account deletion purges account-owned rows across mapped data tables and deletes cloud recordings where configured.
- Export controls. Meeting data can be exported as JSON, Markdown, PDF, and SRT by authenticated owners.
Administrative Controls
- Google and Microsoft SSO for user sign-in.
- SAML configuration for enterprise workspaces.
- Workspace member management with admin/member/viewer roles.
- Support-access keys that are user-generated, expiring, and stored only as hashes.
- Audit logs for security-relevant account actions.
Integration Safety
- Slack, Notion, Google Drive, Linear, Jira, HubSpot, and Salesforce integrations are account-scoped.
- URL-bearing integrations are checked for private/internal targets before registration and delivery.
- CRM and task integrations can require approval before action items are sent into external systems.
- Integration secrets are redacted in API responses.
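The private/internal target check described in this section is illustrated by the following added example. It is not the product's own code; it assumes that outbound integrations must use https, that embedded credentials are refused, and that every address a hostname resolves to must be public. The resolver is injectable so the check can be exercised without network access.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumptions for this example (not the product's documented policy).
ALLOWED_SCHEMES = {"https"}
# Ranges the ipaddress flags alone do not report as internal.
EXTRA_BLOCKED = [ipaddress.ip_network("100.64.0.0/10")]  # shared address space (CGNAT)


def resolve_all(host: str) -> list:
    """Every address a hostname resolves to, so a mixed public/private answer is caught."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_internal(addr: str) -> bool:
    """True for loopback, RFC 1918, link-local (including cloud metadata), multicast,
    reserved, unspecified and IPv4-mapped IPv6 forms of any of those."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 scope id
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:127.0.0.1 is still loopback
    if mapped is not None:
        ip = mapped
    if any(ip in net for net in EXTRA_BLOCKED):
        return True
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_target(url: str, resolve=resolve_all) -> tuple:
    """Return (allowed, reason).

    Run this at registration and again before every delivery: a hostname that
    was public when stored can later be re-pointed at an internal address.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} is not allowed"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP, nothing to resolve
    except ValueError:
        if host == "localhost" or host.endswith(".localhost"):
            return False, "localhost is not allowed"
        try:
            addresses = resolve(host)
        except OSError:
            return False, f"{host} does not resolve"
    for addr in addresses:
        if is_internal(addr):
            return False, f"{host} resolves to internal address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolver answers so the demo runs offline.
    public = lambda host: ["8.8.8.8"]
    split_horizon = lambda host: ["8.8.8.8", "10.0.0.5"]
    print(check_target("https://hooks.example.com/x", resolve=public))
    print(check_target("https://hooks.example.com/x", resolve=split_horizon))
    print(check_target("https://169.254.169.254/latest/meta-data/"))
    print(check_target("https://[::ffff:127.0.0.1]/"))
```

Resolving the name yourself also normalises the odd literal forms libc accepts (decimal, hex and short dotted forms of 127.0.0.1 all resolve to the same loopback address and are caught by the same flag check). Repeating the check at delivery time is what the page's "before registration and delivery" wording calls for; pinning the vetted address for the actual connection closes the remaining window between check and connect.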
AI Processing
- Meeting content may be processed by configured AI providers for transcription, summarization, Q&A, action-item extraction, coaching, and semantic search.
- Optional PII redaction can mask emails, phone numbers, SSNs, credit card numbers, and similar identifiers before analysis.
- Customers can choose supported transcription providers per bot when configured by the deployment.
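The following added example shows one way a pre-analysis PII mask like the one described above can work. It is illustrative code, not the product's redaction rules; the regular expressions, the replacement tokens and the use of a Luhn check to avoid masking arbitrary long numbers are all choices made for this example.

```python
import re

# Patterns for the identifier classes named on the page. Deliberately
# conservative: a missed identifier is a known limitation, a mangled
# transcript is a silent one.
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13-16 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"(?<!\w)(?:\+1[ .-]?)?(?:\(\d{3}\)|\d{3})[ .-]?\d{3}[ .-]?\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, so order ids and timestamps of similar length are not masked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_card(match: "re.Match") -> str:
    digits = re.sub(r"\D", "", match.group(0))
    return "[CARD]" if luhn_valid(digits) else match.group(0)


def redact(text: str) -> str:
    """Mask identifiers before the text is handed to an AI provider.

    Order matters: card numbers are handled before SSNs and phones so that a
    fragment of a 16-digit number is never mistaken for a phone number.
    """
    text = EMAIL_RE.sub("[EMAIL]", text)
    text = CARD_RE.sub(_mask_card, text)
    text = SSN_RE.sub("[SSN]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    return text


if __name__ == "__main__":
    # Constructed transcript fragment; the card number is a standard Luhn-valid test value.
    sample = ("Email alice@example.com, call (555) 123-4567, SSN 123-45-6789, "
              "card 4111 1111 1111 1111, order 1234 5678 9012 3456")
    print(redact(sample))
```

The last field in the sample is the caveat worth remembering: a 16-digit order number fails the Luhn check and is left intact, while the card number is masked. Redaction of this kind reduces what reaches the provider; it does not make free-form speech safe in itself, since names, addresses and context are untouched.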
Compliance Status
JustHereToListen.io includes product controls that support GDPR-style access, deletion, retention, and minimization workflows. Formal certifications such as SOC 2, ISO 27001, HIPAA/BAA, and regional data residency depend on the operator's deployment, infrastructure, vendors, and contractual setup.
Responsible Disclosure
Report suspected security issues to security@justheretolisten.io. Include affected endpoint paths, reproduction steps, and whether any data exposure may have occurred.