§LEGAL · SECURITY

How we protect your sessions.

Every third-party key (OpenAI, ElevenLabs, Tavus, Stripe) is held server-side only. The browser never sees these keys. Realtime sessions are established via short-lived ephemeral tokens that expire in minutes.

Every database table is protected by row-level security: a user can only read their own profile, sessions, and reports. Server-only writes (Stripe webhooks, the grading job) use a service-role key that never reaches the browser. Webhook signatures from Stripe and Tavus are verified before any side effects.

Recordings are stored in private buckets behind signed URLs scoped to the owner. We do not log PII. To report a security issue, email contact@speakseasy.ai.

Security · Speakseasy