Security & Trust
Data Compliance
Last updated: April 2026
At ShortVox, we take the security and privacy of your data seriously. This document outlines our commitment to data protection, our security architecture, and the trusted third-party partners we engage as sub-processors.
1. Security Architecture
- Encryption at Rest: All user data, including uploaded videos and generated assets, are encrypted at rest using industry-standard AES-256 encryption.
- Encryption in Transit: All communications between your browser, our application servers, and our sub-processors are encrypted in transit using Transport Layer Security (TLS 1.2 or higher).
- Authentication: We utilize secure, token-based authentication (JWT) backed by Supabase to ensure that accounts remain secure and sessions are strictly isolated.
- Least Privilege Access: Internal access to production data is strictly limited to authorized personnel under the principle of least privilege, requiring multi-factor authentication (MFA).
2. Authorized Sub-Processors
ShortVox utilizes specific third-party service providers ("Sub-processors") to deliver our AI capabilities and host our infrastructure. We have entered into Data Processing Agreements (DPAs) with each of these providers.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database, Authentication, Storage | United States |
| Stripe | Payment Processing | United States |
| Vercel / Render | Application Hosting | Global Edge Network |
| Google (Gemini API) | AI Script Generation | United States |
| ElevenLabs | AI Voice Synthesis | United States |
Notice regarding AI Providers: ShortVox explicitly uses Enterprise API tiers for providers such as Google Gemini and OpenAI when applicable, which guarantees that zero customer data (inputs or outputs) is harvested to train their foundational models.
3. Data Subject Requests (DSR) Workflows
We fully support the rights granted under GDPR, CCPA, and other global data privacy frameworks.
- Account Deletion: Users have self-serve mechanisms to delete their accounts via the dashboard. This triggers a cascading deletion of relational data.
- Data Export: Users may request a full JSON export of their account history and generated assets by contacting our privacy team.
4. Incident Response
In the event of a confirmed data breach that impacts users' personal data, ShortVox will notify the affected users and any required regulatory authorities within 72 hours, detailing the scope of the incident and the proactive measures taken to mitigate it.