Legal

Security Policy

We try to keep these short, plain, and free of dark patterns. If anything's unclear, email legal@praatbox.com — a human reads them.

Last updated: April 2026

Hosting

Praatbox runs entirely on Cloudflare — Workers at the edge, with Cloudflare D1 for the database and R2 for file storage. We have not yet pinned data to a guaranteed EU-only jurisdiction. If you have a specific data-residency requirement, email security@praatbox.com and we'll confirm exactly where your data sits and what we can commit to.

Encryption

TLS 1.3 in transit. Encrypted at rest (AES-256) on Cloudflare's platform. Stripe handles all card data — we never see PANs or CVCs.

Access control

Role-based access — Owner, Admin, and Agent roles with granular per-member permissions. 2FA is required for all Praatbox staff with production access.

Compliance

GDPR-aligned by design: a Data Processing Agreement, support for data-subject requests, and clear sub-processor disclosure. We don't currently hold a formal SOC 2 or HIPAA attestation, and we haven't yet pinned hosting to a guaranteed EU-only region. If your procurement process needs specific certifications or data-residency guarantees, email security@praatbox.com and we'll tell you exactly where we stand.

Reporting a vulnerability

We operate a responsible-disclosure process. Email security@praatbox.com with reproduction steps. We aim to acknowledge within 24 hours and prioritize critical issues immediately.