[ STATION / SECURITY ]

Built for teams that can't trust consumer SaaS with raw media.

Recording sessions touch privileged material -- exec interviews, attorney-client conversations, IRB research, financial M&A discussions. Here's how we keep them yours, not ours.

[ FIVE PILLARS ]

Per-session AES-256 encryption

Every recording session generates its own AES-256-GCM data encryption key. The encryption context binds the key to your organizationId + sessionId -- cross-tenant decryption is infeasible even if the key escapes.

Postgres row-level security

RLS policies enforce tenant isolation in the database itself, not just at the application layer. A bug in the API can't leak data across orgs because the database refuses to return it.

Cryptographic erase

When a recording is deleted -- manually, by retention policy, or by org purge -- the per-session DEK is destroyed. The encrypted bytes in object storage become permanently unreadable. Faster than scrubbing terabytes; provably irreversible.

Tamper-evident audit log

Every administrative action -- invites, role changes, exports, deletions, admin access denials -- lands in an append-only audit log scoped to your org. Available as CSV export for compliance reviews.

Passwordless from day one

No passwords stored, no password resets to phish. Sign-in is a single-use 6-digit code emailed each session. Where a credential hash is still required (legacy invite tokens), it is argon2id. Honeypot + rate limits on every form.

Cryptographic erasure

Tenant offboarding overwrites the per-session DEK and the master encryption key. Data isn't 'deleted' -- it's mathematically unrecoverable. The deletion promise is an encryption guarantee, not a support ticket.

[ HOW IT'S BUILT ]

Specifics, not marketing.

Recording at rest: AES-256-GCM, per-session DEK, AAD bound to orgId+sessionId
Recording in transit: TLS 1.2+ end-to-end (chunk uploads -> MinIO/S3 with signed URLs)
Tenant isolation: Postgres row-level security policies on every multi-tenant table
DEK wrapping: Local KMS by default; AWS KMS available for Enterprise
Authentication: Passwordless 6-digit email codes; PASETO session tokens; httpOnly + Secure cookies
CSRF protection: SameSite=Lax cookies + Origin-header allowlist for mutating requests
Rate limiting: Per-IP + per-email on auth; chunk upload caps; rotating-nonce honeypot
Audit log: Append-only with org tombstones for compliance retention
Cryptographic erase: DEK overwrite + S3 object delete on retention or admin shred
DDoS / bot defense: CrowdSec community blocklist + per-IP rate limiting
SOC 2 Type II: Not yet certified; controls in place. Audit on the roadmap.
HIPAA BAA: On request for Enterprise customers with self-hosted deployment.
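
The at-rest design listed above (per-session DEK, AES-256-GCM, AAD bound to orgId+sessionId, erase by destroying the DEK), sketched as an added Node.js example; it is not the product's code. MASTER_KEY, dekStore and the function names are hypothetical, and an in-memory map stands in for the KMS.

```javascript
const crypto = require("node:crypto");

// Assumption: a process-local master key and map stand in for the KMS.
const MASTER_KEY = crypto.randomBytes(32);
const dekStore = new Map(); // sessionId -> wrapped (encrypted) DEK

// JSON array encoding keeps ("ab","c") distinct from ("a","bc").
function aadFor(orgId, sessionId) {
  return Buffer.from(JSON.stringify([orgId, sessionId]), "utf8");
}

function seal(key, aad, plaintext) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce per message
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function open(key, aad, box) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, box.iv);
  d.setAAD(aad);
  d.setAuthTag(box.tag);
  // final() throws if the key, AAD, ciphertext or tag does not match.
  return Buffer.concat([d.update(box.ct), d.final()]);
}

function encryptChunk(orgId, sessionId, chunk) {
  const aad = aadFor(orgId, sessionId);
  if (!dekStore.has(sessionId)) {
    // New session: generate a DEK and keep only its wrapped form.
    dekStore.set(sessionId, seal(MASTER_KEY, aad, crypto.randomBytes(32)));
  }
  const dek = open(MASTER_KEY, aad, dekStore.get(sessionId));
  return seal(dek, aad, chunk);
}

function decryptChunk(orgId, sessionId, box) {
  const wrapped = dekStore.get(sessionId);
  if (!wrapped) throw new Error("DEK destroyed: ciphertext is unrecoverable");
  const aad = aadFor(orgId, sessionId);
  return open(open(MASTER_KEY, aad, wrapped), aad, box);
}

// Cryptographic erase: drop the wrapped DEK; stored chunks stay but cannot be opened.
function cryptoErase(sessionId) {
  return dekStore.delete(sessionId);
}
```

The AAD is authenticated, not secret: it makes the decrypting code reject a wrapped DEK or chunk presented under a different orgId or sessionId. After cryptoErase the object-storage bytes can still exist, but no key remains to open them.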

[ RESPONSIBLE DISCLOSURE ]

Found a vulnerability?

Email security@cratersync.fm with details. We acknowledge within 24 hours and aim to patch within 14 days for high-severity issues. We do not prosecute good-faith researchers; please don't access real customer data, and give us a chance to fix before disclosing.

No paid bug bounty at this time. We'll happily credit you in the changelog and refer reporters to security teams we work with.

[ COMPLIANCE PACK ]

Need our security review questionnaire?

Drop a note and we'll send what we have ready today: the security review pack (encryption design + threat model with code references) and our information security and incident response policies. Custom security questionnaires (SIG, CAIQ, your in-house template) we answer on a call -- usually within two business days.