Last updated: April 2026
Hosting
EU-only. Frankfurt region (europe-west3). Data never leaves the EEA. SSO/SAML available on Business.
Encryption
TLS 1.3 in transit. AES-256 at rest. Per-tenant key derivation. Stripe handles all card data — we never see PANs or CVCs.
Access control
Role-based access (Owner, Admin, Agent, Read-only). Optional SSO via Google Workspace, Okta, or any SAML 2.0 provider. Mandatory 2FA for all Praatbox staff with production access.
Compliance
GDPR-compliant by design. SOC 2 Type II audit in progress (expected Q3 2026). HIPAA-eligible architecture available on request — contact security@praatbox.com.
Reporting a vulnerability
We run a private bug bounty. Email security@praatbox.com with reproduction steps. We acknowledge within 24 hours and patch critical issues within 7 days.