Security at Jalapeño
Your meetings are sensitive. The controls below describe the technical foundations we use to protect them, from the moment audio is captured to the moment an action item syncs into your project tool.
Encryption at rest
Meeting recordings are stored in Azure Blob Storage with server-side encryption enabled by default, using Microsoft-managed keys. All database content (transcripts, action items, account data) is encrypted at rest in PostgreSQL by the cloud provider.
Encryption is enforced at the storage layer, so even direct access to underlying disks would not yield readable customer data.
OAuth token security
When you connect Slack, Google, Microsoft, Linear, Jira, or any other integration, the resulting access and refresh tokens are encrypted at the application layer using AES-256-GCM before they ever touch the database.
Tokens are never returned to the browser, including in integration settings responses. Decryption only happens server-side at the point of use, ciphertexts carry a key version so keys can be rotated, and the encryption key lives in environment variables outside source control.
Authentication
Sessions are backed by signed JWTs delivered in HttpOnly, Secure cookies. No tokens are kept in localStorage, and no auth state is accessible to client-side JavaScript.
Login attempts are rate-limited to 10 attempts per 15 minutes per IP. Password storage uses bcrypt with per-user salts, and changing or resetting your password immediately invalidates every other active session for the account.
Webhook integrity
Incoming webhooks from Linear and Jira are verified with HMAC-SHA256 signatures against per-integration secrets. Recall.ai webhooks are verified with Svix signatures, including timestamp checks that reject replayed requests. In production, requests that fail verification are rejected before any handler executes.
Webhook secrets rotate independently per integration so a compromise in one source does not affect others.
API rate limiting
Every API origin is protected by a global ceiling of 100 requests per minute. AI extraction (including reprocessing) is capped at 10 requests per user per hour, uploads at 20 per user per hour, and login attempts at 10 per 15 minutes per IP.
Limits are enforced in middleware before requests reach application logic.
Transport security
All traffic is served over HTTPS, and responses carry HTTP Strict-Transport-Security so browsers never downgrade. Hardened HTTP middleware sets a Content Security Policy with frame-ancestors 'self' against clickjacking, plus Referrer-Policy: no-referrer and nosniff headers to limit leakage.
Cloudflare sits in front of every origin for TLS termination, DDoS protection, and edge filtering.
Data residency & AI commitments
Transcription and reasoning run on Azure OpenAI under Microsoft's enterprise agreement. Customer data is not used to train OpenAI models, and the default retention for prompts and completions is zero days.
Today, Jalapeño workspaces run in a single region. EU/US data residency selection is on our roadmap as we onboard regulated industries.
Sub-processors
The full list of vendors that touch customer data lives on a dedicated page. Current sub-processors include Azure OpenAI, Recall.ai, Cloudflare, Loops, Google Analytics, and Contentsquare.
Material changes are announced 30 days in advance via email to workspace administrators.
Where we're headed
We are actively working toward SOC 2 Type II, with a target audit window in 2027. Roadmap items also include HIPAA-aligned controls for healthcare customers and a customer-facing audit log.
If your team needs a specific control to evaluate Jalapeño, get in touch and we will tell you exactly where it sits on our roadmap.
Reporting a vulnerability
Found something that looks like a security issue? Please report it before public disclosure. Our security contact details and PGP key live in our security.txt file. We acknowledge reports within two business days.
Bring your security questions
We answer detailed security questionnaires for teams evaluating Jalapeño. Ask us what you need to know.