Your recordings are sensitive. This page describes the technical and organizational measures PodAir uses to protect your account, sessions, and stored media.
Transport
All connections to podair.com, our API, and our real-time media endpoints use TLS 1.2 or higher. HSTS is enabled on every domain we operate.
Authentication
User authentication is handled by Clerk. Session tokens are short-lived JWTs, stored in httpOnly, SameSite=Lax cookies scoped to our API domain. CSRF tokens protect state-changing requests. Passwords are never stored by PodAir directly.
Session Access Control
Every recording session is bound to a host. Guests join via a single-use magic link that expires in 15 minutes and is consumed atomically on redemption. Each participant receives a scoped JWT and LiveKit access token; tokens cannot be reused across sessions.
Storage
Raw and processed media are stored in Amazon S3 with server-side encryption (AES-256). Access to storage requires scoped IAM credentials; nothing in our infrastructure reaches the open internet. Download links are issued as short-lived (15-minute) presigned URLs.
Infrastructure
Our application runs in Docker containers behind an Nginx reverse proxy with strict Content-Security-Policy, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, and HSTS headers. Secrets are injected at container start from an environment file that is never committed to source control.
Monitoring & Incident Response
Application errors are captured in Sentry with PII redaction. We are notified of anomalous error rates and availability degradation. If we become aware of a security incident that affects your data, we will notify you without undue delay and no later than 72 hours after confirmation, consistent with applicable law.
Backups
Application database backups run daily and are retained for 30 days. Media stored in S3 is durable by design and replicated across availability zones.
Responsible Disclosure
If you believe you have discovered a vulnerability in PodAir, please email security@podair.com. Include a proof of concept and the impact. We ask that you give us a reasonable window to remediate before public disclosure and that you do not exfiltrate user data. We will acknowledge your report within 3 business days.
Subprocessors
Clerk (auth), Amazon Web Services (compute, storage, networking), LiveKit (real-time media), Deepgram (transcription), OpenRouter or OpenAI (highlight scoring), Stripe (payments), Resend (transactional email), Sentry (error monitoring).
Data Location
Primary storage and compute are located in the United States.