Security

How we protect your data and maintain system security

Last updated: December 24, 2025

Our Commitment

Security is fundamental to TalkTheDoc. We implement multiple layers of protection to keep your documents and conversations safe.

Security Features

Secure API Key Storage

All API keys (OpenAI, Gemini, Polar) are stored server-side only. Your browser never receives or transmits these credentials, so they cannot leak through client-side code, browser storage, or network traffic from your device.

Encrypted Connections

All data transmitted between your browser and our servers uses TLS/HTTPS encryption. Your documents and conversations are protected in transit.

Webhook Verification

Every incoming webhook is checked against its cryptographic signature (HMAC signatures issued by Svix) before it is processed. Requests that were not signed by the provider are rejected rather than acted on, so an attacker cannot forge events such as subscription or account changes.

Rate Limiting

API endpoints implement rate limiting to prevent abuse and ensure fair usage. This protects both individual accounts and the overall service.

Ephemeral Voice Tokens

Voice session tokens are single-use and expire 30 minutes after they are issued. A token that has already been redeemed, or that has passed its expiry, is rejected, so a captured token cannot be replayed after use.

Input Validation

All user inputs are validated and sanitized before processing, which reduces the risk of injection attacks and keeps stored data well-formed.

Data Protection

At Rest

Your documents and data are stored on Convex's cloud infrastructure with encryption at rest. Database backups are also encrypted.

In Transit

All connections use TLS 1.2+ encryption. We enforce HTTPS across our entire application.

Access Control

User data is isolated at the database level. Authentication tokens are required for all API requests, and users can only access their own documents.

Third-Party Security

We carefully select vendors with strong security practices:

  • Clerk - SOC 2 Type II certified authentication
  • Convex - Enterprise-grade cloud database with encryption
  • OpenAI - Enterprise security practices with data handling policies
  • Google Cloud - ISO 27001 and SOC 2 certified infrastructure
  • Polar - PCI-DSS compliant payment processing

Account Security

Protect your account by:

  • Using a strong, unique password
  • Enabling multi-factor authentication (MFA) when available
  • Not sharing your account credentials
  • Logging out on shared devices
  • Reviewing connected sessions periodically

Incident Response

In the event of a security incident, we will:

  • Investigate and contain the issue immediately
  • Notify affected users within 72 hours
  • Provide clear information about what occurred
  • Take steps to prevent future incidents
  • Report to relevant authorities as required by law

Responsible Disclosure

If you discover a security vulnerability, please report it responsibly:

  • Email us at contact@talkthedoc.com with "Security" in the subject
  • Provide detailed steps to reproduce the issue
  • Allow reasonable time for us to address the issue before public disclosure
  • Do not access or modify other users' data

We appreciate security researchers who help us keep TalkTheDoc safe.

Questions

For security-related questions or concerns, contact us at:

Email: contact@talkthedoc.com