Your Data, Protected

Technical Security Measures

We implement multiple layers of protection to safeguard your data.

Authentication & Access Control

• Secure session management with automatic timeout
• Sessions stored in database with IP and User-Agent tracking
• Brute-force protection: account lockout after 5 failed login attempts (15-minute cooldown)
• Per-IP and per-account rate limiting on login endpoints
• Role-based access control (RBAC) with 4 permission levels: seller, region_manager, network_manager, superadmin
• CSRF protection on all state-changing API endpoints
• Google OAuth support for single sign-on (optional)

Data Protection

• AES-256-GCM field-level encryption for sensitive data at rest (transcripts, personal information, notes)
• TLS 1.2 or higher for all data in transit
• Audio recordings deleted immediately after transcription — never stored long-term
• Transcripts persist during subscription as a core service feature
• Bcrypt password hashing with salt
• Encryption keys managed via environment variables or secure persistent storage

Infrastructure Security

• Hosted on SOC 2 certified infrastructure (Render) — note: the SOC 2 certification applies to the hosting provider, not MicHelper itself
• Data processed in United States. EU data center planned Summer 2026
• Security headers via Helmet.js: CSP, HSTS, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection
• Global rate limiting: 600 requests/minute per client
• Per-user API rate limiting: 300 requests/minute
• Upload rate limiting: 120 requests/minute per user
• File upload validation: type, size limits (100MB max), path traversal protection
• Parameterized SQL queries to prevent injection
• XSS pattern detection on input
• Automated database backups with rotation

Audit & Monitoring

• Comprehensive audit logging of access, modifications, and security events
• Transcript access logging (who viewed what, when)
• Login attempt tracking with IP information
• Error and security incident logging with configurable retention
• Sensitive data redaction in logs

Data Lifecycle

Privacy & Compliance

Designed with GDPR principles in mind. MicHelper helps you meet regulatory requirements while gaining valuable sales insights.

Data Lifecycle & Retention

Audio Recordings

Raw audio recordings are processed transiently. Audio is uploaded to our servers solely for the purpose of transcription. Once transcription is complete, the original audio file is permanently deleted immediately. Audio is never stored long-term on our servers.

Transcripts

Text transcripts generated from audio recordings persist during your subscription. Transcripts are a core service feature used for analytics, coaching, and reporting. Transcripts are encrypted at rest using AES-256-GCM field-level encryption.

Analytics, Scores & Performance Data

QA scores, coaching notes, event timelines, and metadata persist during your subscription plus 30 days after termination, to allow for data export. This data represents computed metrics and does not contain raw audio. Customers may request deletion through the account deletion process.

Account & Configuration Data

User accounts, network configurations, scripts, and system settings are retained for the duration of the active subscription and for 30 days following account termination to allow for data export.

Summary

Security Commitment & Limitations

MicHelper implements industry-standard security measures to protect your data, including but not limited to:

• HTTPS/TLS encryption for data in transit, AES-256-GCM for data at rest
• Immediate deletion of raw audio after transcription — audio is never stored long-term
• Field-level encryption for sensitive data (transcripts, personal information)
• Secure password hashing (bcrypt with salt)
• Rate limiting and brute-force protection on all authentication endpoints
• CSRF protection on all state-changing operations
• Security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options) via Helmet.js
• Role-based access control (RBAC) with principle of least privilege
• Automated data cleanup and retention enforcement
• Comprehensive audit logging of all access and modifications

No Absolute Guarantee. While we employ robust, multi-layered security controls and follow industry best practices, no system connected to the internet can guarantee 100% security. We commit to:

• Promptly investigating and addressing any security vulnerabilities discovered
• Notifying affected customers within 72 hours of confirming a data breach
• Continuously improving our security posture based on evolving threats
• Maintaining transparency about our security practices through this page

If you discover a potential security vulnerability, please report it responsibly to michelperhelp@gmail.com. We appreciate the security research community and will acknowledge valid reports.

Vulnerability Disclosure

We value the security research community and welcome responsible disclosure of security vulnerabilities.

• Contact: michelperhelp@gmail.com
• Response time: We will acknowledge receipt within 48 hours
• Scope: All MicHelper services at michelper.com
• Safe harbor: We will not pursue legal action against security researchers who follow responsible disclosure practices

Please do not access or modify other users' data, disrupt services, or publicly disclose vulnerabilities before we have had a reasonable opportunity to address them.