Security at Jalapeño
Your meetings are sensitive. The controls below describe the technical foundations we use to protect them, from the moment audio is captured to the moment an action item syncs into your project tool.
Encryption at rest
Meeting recordings are stored in Azure Blob Storage with server-side encryption enabled by default, using Microsoft-managed keys. All database content (transcripts, action items, account data) is encrypted at rest in PostgreSQL by the cloud provider.
Encryption is enforced at the storage layer, so direct access to the underlying disks would not yield readable customer data. This layer defends against loss of or physical access to the storage media; a caller that holds valid database credentials still reads decrypted rows, which is why integration tokens get a second, application-layer encryption step (next section).
OAuth token security
When you connect Slack, Google, Microsoft, Linear, Jira, or any other integration, the resulting access and refresh tokens are encrypted at the application layer using AES-256-GCM before they ever touch the database.
Tokens are never returned to the browser. Decryption only happens server-side at the point of use, and the encryption key lives in environment variables outside source control.
Authentication
Sessions are backed by signed JWTs delivered in HttpOnly, Secure cookies. There are no tokens in localStorage and no auth state accessible to client-side JavaScript.
Login attempts are rate-limited to 10 attempts per 15 minutes per IP. Passwords are stored as bcrypt hashes, which embed a unique random salt per user.
Webhook integrity
Incoming webhooks from Recall.ai, Linear, and Jira are verified with HMAC-SHA256 signatures against shared secrets. Requests with invalid or missing signatures are rejected at the edge before any handler executes.
Webhook secrets rotate independently per integration so a compromise in one source does not affect others.
API rate limiting
Every API origin is protected by a global ceiling of 100 requests per minute. AI extraction endpoints carry an additional cap of 10 requests per hour to prevent accidental loops and contain abuse.
Limits are enforced at the edge so excess traffic never reaches application code.
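The block below is an added example, not Jalapeño's own code, that applies the three limits this page states: the login limit of 10 attempts per 15 minutes per IP from the Authentication section, and the 100 per minute origin ceiling plus the 10 per hour AI cap from this section. It uses a fixed-window counter held in a Map so it runs offline; at the edge the counters would live in a shared store. The policy names, the injected clock and the choice of IP and origin as the counter keys are assumptions. The detail worth noticing is that a request to an AI endpoint is checked against both policies before either counter is consumed, so being refused by the AI cap does not also eat into the caller's global budget.

```javascript
// Added example, not Jalapeño's own code: layered fixed-window rate limits.
// Policy names, the injected clock and the subject keys are assumptions.
const POLICIES = {
  login: { limit: 10,  windowMs: 15 * 60 * 1000 },   // per client IP
  api:   { limit: 100, windowMs: 60 * 1000 },        // per origin, all endpoints
  ai:    { limit: 10,  windowMs: 60 * 60 * 1000 },   // per origin, AI extraction endpoints
};

class RateLimiter {
  constructor(policies = POLICIES, now = () => Date.now()) {
    this.policies = policies;
    this.now = now;                 // injectable clock, so windows can be tested deterministically
    this.windows = new Map();       // "policy:subject" -> { start, count }
  }

  // Current window for one policy and subject, starting a new one if the old expired.
  window(policy, subject, t) {
    const key = `${policy}:${subject}`;
    let w = this.windows.get(key);
    if (!w || t - w.start >= this.policies[policy].windowMs) {
      w = { start: t, count: 0 };
      this.windows.set(key, w);
    }
    return w;
  }

  // Evaluate every applicable policy before consuming any of them, so a request
  // refused by the AI cap does not also burn the caller's global budget.
  request(subject, policyNames) {
    const t = this.now();
    const wins = policyNames.map((p) => [p, this.window(p, subject, t)]);
    for (const [p, w] of wins) {
      const { limit, windowMs } = this.policies[p];
      if (w.count >= limit) {
        return { allowed: false, policy: p, retryAfterMs: w.start + windowMs - t };
      }
    }
    for (const [, w] of wins) w.count += 1;
    return { allowed: true };
  }
}

// Edge-style entry points: the decision is made before application code runs.
function loginAttempt(limiter, clientIp) {
  return limiter.request(clientIp, ['login']);
}
function apiRequest(limiter, origin, isAiEndpoint) {
  return limiter.request(origin, isAiEndpoint ? ['api', 'ai'] : ['api']);
}
```

A fixed window admits up to twice the limit across a window boundary; a sliding window or token bucket closes that gap, but the evaluate-then-consume ordering is the same whichever counter is used.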
Transport security
TLS 1.3 only, with HSTS preload submitted. A strict Content Security Policy including frame-ancestors 'none' blocks clickjacking. Referrer-Policy: strict-origin-when-cross-origin limits what the Referer header leaks to other origins.
Cloudflare sits in front of every origin for DDoS protection and edge filtering.
Data residency & AI commitments
Transcription and reasoning run on Azure OpenAI under Microsoft's enterprise agreement. Customer data is not used to train OpenAI models, and the default retention for prompts and completions is zero days.
Today, Jalapeño workspaces run in a single region. EU/US data residency selection is on our roadmap as we onboard regulated industries.
Sub-processors
The full list of vendors that touch customer data lives on a dedicated page. Current sub-processors include Azure OpenAI, Recall.ai, Cloudflare, Loops, Google Analytics, and Contentsquare.
Material changes are announced 30 days in advance via email to workspace administrators.
Where we're headed
We are actively working toward SOC 2 Type II, with a target audit window in 2027. Roadmap items also include HIPAA-aligned controls for healthcare customers and a customer-facing audit log.
If your team needs a specific control to evaluate Jalapeño, get in touch and we will tell you exactly where it sits on our roadmap.
Reporting a vulnerability
Found something that looks like a security issue? Please report it before public disclosure. Our security contact details and PGP key live in our security.txt file. We acknowledge reports within two business days.
Bring your security questions
We answer detailed security questionnaires for teams evaluating Jalapeño. Ask us what you need to know.