Your Data, Protected

Technical Security Measures

We implement multiple layers of protection to safeguard your data.

Authentication & Access Control

• Secure session management with 8-hour automatic timeout
• Sessions stored in database with IP and User-Agent tracking
• Brute-force protection: account lockout after 5 failed login attempts (15-minute cooldown)
• Per-IP and per-account rate limiting on login endpoints
• Role-based access control (RBAC) with 4 permission levels: seller, region_manager, network_manager, superadmin
• CSRF protection on all state-changing API endpoints
• Google OAuth support for single sign-on (optional)
• Two-factor authentication planned for a future release

Data Protection

• AES-256-GCM field-level encryption for sensitive data at rest (transcripts, personal information, notes)
• TLS 1.2 or higher for all data in transit
• Audio recordings deleted immediately after transcription — never stored long-term
• Transcripts auto-deleted after configurable retention period (default: 7 days)
• Bcrypt password hashing with salt (10 rounds)
• Encryption keys managed via environment variables or secure persistent storage
• Database backup encryption available (BACKUP_ENCRYPTION_KEY)

Infrastructure Security

• Hosted on Render.com (SOC 2 Type II certified infrastructure)
• Security headers via Helmet.js: CSP, HSTS, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection
• Global rate limiting: 600 requests/minute per client
• Per-user API rate limiting: 300 requests/minute
• Upload rate limiting: 120 requests/minute per user
• File upload validation: type, size limits (100MB max), path traversal protection
• IP-based suspicious activity detection and blocking
• Parameterized SQL queries to prevent injection
• XSS pattern detection on input
• Automated database backups every 6 hours (configurable) with rotation
• SQLite WAL mode for data integrity

Audit & Monitoring

• Comprehensive audit logging of access, modifications, and security events
• Transcript access logging (who viewed what, when)
• Login attempt tracking with IP and geolocation
• Error and security incident logging with configurable retention
• Sensitive data redaction in logs (LOG_REDACT)

Data Lifecycle

Privacy & Compliance

MicHelper helps you meet regulatory requirements while gaining valuable sales insights.

Data Lifecycle & Retention

Audio Recordings

Raw audio recordings are processed transiently. Audio is uploaded to our servers solely for the purpose of transcription. Once transcription is complete, the original audio file is permanently deleted immediately. Audio is never stored long-term on our servers. During the brief processing window, audio is encrypted in transit (TLS 1.2+) and at rest (AES-256-GCM).

Transcripts

Text transcripts generated from audio recordings are stored for a default period of 7 days, after which they are automatically and permanently deleted. This retention period is configurable by the customer (network administrator). Transcripts are encrypted at rest using AES-256-GCM field-level encryption.

Analytics, Scores & Performance Data

Aggregated analytics data, compliance scores, performance ratings, KPI metrics, and point balances are retained for up to 500 days and are continuously updated as new interactions are processed. This data represents computed metrics and does not contain raw audio or verbatim conversation text. Customers may request deletion through the account deletion process.

Account & Configuration Data

User accounts, network configurations, scripts, and system settings are retained for the duration of the active subscription and for 30 days following account termination to allow for data export.

Summary

Security Commitment & Limitations

MicHelper implements industry-standard security measures to protect your data, including but not limited to:

• End-to-end encryption: TLS 1.2+ for data in transit, AES-256-GCM for data at rest
• Immediate deletion of raw audio after transcription — audio is never stored long-term
• Field-level encryption for sensitive data (transcripts, personal information)
• Secure password hashing (bcrypt with salt)
• Rate limiting and brute-force protection on all authentication endpoints
• CSRF protection on all state-changing operations
• Security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options) via Helmet.js
• Role-based access control (RBAC) with principle of least privilege
• Automated data cleanup and retention enforcement
• Comprehensive audit logging of all access and modifications
• Regular security assessments and code reviews

No Absolute Guarantee. While we employ robust, multi-layered security controls and follow industry best practices, no system connected to the internet can guarantee 100% security. We commit to:

• Promptly investigating and addressing any security vulnerabilities discovered
• Notifying affected customers within 72 hours of confirming a data breach
• Continuously improving our security posture based on evolving threats
• Maintaining transparency about our security practices through this page

If you discover a potential security vulnerability, please report it responsibly to security@michelper.app. We appreciate the security research community and will acknowledge valid reports.

Vulnerability Disclosure

We value the security research community and welcome responsible disclosure of security vulnerabilities.

• Contact: security@michelper.app
• Response time: We will acknowledge receipt within 48 hours
• Scope: All MicHelper services and infrastructure
• Safe harbor: We will not pursue legal action against security researchers who follow responsible disclosure practices

Please do not access or modify other users' data, disrupt services, or publicly disclose vulnerabilities before we have had a reasonable opportunity to address them.