Our Commitment to Security
At Influence Craft, we take data security seriously. We employ industry-leading security practices and technologies to protect your personal information, voice recordings, and content from unauthorized access, disclosure, alteration, or destruction.
Our security framework is designed to safeguard your data across all stages: collection, processing, storage, transmission, and deletion.
Security Measures
1. Encryption
- Data in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher (HTTPS). This includes voice recordings, transcripts, and payment information.
- Data at Rest: All data stored in our database is encrypted at rest using AES-256 encryption, including your personal information, voice transcripts, and generated content.
- Password Security: User passwords are hashed using bcrypt with a unique salt per password, so the original passwords cannot practically be recovered from the stored hashes.
2. Authentication & Access Control
- Secure Authentication: We use industry-standard authentication protocols with JWT (JSON Web Tokens) for session management.
- Email Verification: All accounts must verify their email address before accessing paid features.
- Password Requirements: Strong password policies are enforced to prevent unauthorized access.
- Multi-Factor Authentication: Coming soon; an additional security layer for account protection.
- Role-Based Access: Our admin systems use strict role-based access controls to ensure only authorized personnel can access sensitive data.
3. Infrastructure Security
- Secure Hosting: Our application is hosted on Replit, which provides enterprise-grade infrastructure security, including DDoS protection and network isolation.
- Database Security: PostgreSQL database hosted with Neon, featuring automatic backups, point-in-time recovery, and encryption at rest.
- Rate Limiting: We implement rate limiting, backed by Upstash Redis, to prevent brute-force attacks and API abuse.
- Regular Updates: Our infrastructure and dependencies are regularly updated to patch security vulnerabilities.
4. Third-Party Security
We work only with trusted, security-certified service providers:
- Stripe (Payment Processing): PCI DSS Level 1 certified. We never store your full credit card information on our servers.
- OpenAI (Whisper API): SOC 2 Type II certified. Audio files are processed securely and not used for model training.
- Anthropic (Claude API): SOC 2 Type II certified. Your data is processed securely and not used for model training.
- Resend (Email Delivery): Secure transactional email service with TLS encryption.
5. Application Security
- Input Validation: All user inputs are validated and sanitized to prevent injection attacks (SQL injection, XSS).
- CSRF Protection: Cross-Site Request Forgery protection is enabled on all forms and state-changing operations.
- Content Security Policy: We implement strict CSP headers to prevent XSS and data injection attacks.
- Secure Session Management: Session tokens are cryptographically secure, set with the HttpOnly flag, and expire automatically.
Data Retention & Deletion
Automatic Data Cleanup
- Voice Recordings (Audio Files): Automatically deleted from our servers within 30 days after successful transcription.
- Voice Transcripts: Retained while your account is active. Automatically deleted 90 days after account closure.
- Generated Content: Retained while your account is active. Automatically deleted 90 days after account closure.
- Session Tokens: Automatically expire after 7 days of inactivity.
- Password Reset Tokens: Expire after 24 hours and are deleted after use.
Secure Data Deletion
When you delete data or close your account, we ensure secure deletion:
- Immediate removal from production databases
- Overwriting of deleted data to prevent recovery
- Removal from all backups within 90 days
- Third-party data processors (OpenAI, Anthropic) do not retain your data after processing
Compliance & Certifications
- GDPR Compliance: We comply with General Data Protection Regulation (GDPR) requirements for EU users, including the right to access, rectify, and delete personal data.
- CCPA Compliance: We comply with the California Consumer Privacy Act (CCPA) for California residents.
- SOC 2 Type II: Our infrastructure providers (Replit, Neon) maintain SOC 2 Type II certification.
- PCI DSS Compliance: All payment processing is handled by Stripe, which is PCI DSS Level 1 certified.
Incident Response
In the unlikely event of a security breach, we have a comprehensive incident response plan:
- Immediate Detection: Automated monitoring and alerting systems detect suspicious activity in real-time.
- Rapid Response: Our security team is on-call 24/7 to respond to security incidents.
- User Notification: Affected users are notified within 72 hours of discovery, as required by law.
- Transparent Communication: We provide clear information about the nature of the breach, affected data, and remediation steps.
- Post-Incident Review: We conduct thorough reviews to prevent future incidents.
Your Security Responsibilities
While we implement comprehensive security measures, we recommend that you also take steps to protect your account:
- Use a strong, unique password for your Influence Craft account
- Never share your password with anyone
- Log out when using shared or public computers
- Keep your email account secure (it's used for account recovery)
- Report suspicious activity to our support team immediately
- Review your account activity regularly
Monitoring & Auditing
- Activity Logging: We maintain comprehensive logs of system access and user activities for security auditing.
- Anomaly Detection: Machine learning algorithms monitor for unusual patterns that may indicate security threats.
- Regular Security Audits: We conduct periodic security assessments and penetration testing.
- Vulnerability Scanning: Automated tools scan for known vulnerabilities in our codebase and dependencies.
Data Privacy by Design
Security is built into our product from the ground up:
- Minimal Data Collection: We only collect data necessary to provide our services.
- Purpose Limitation: Data is used only for the purposes you've consented to.
- User Control: You can delete your voice notes, content, and account at any time.
- Transparency: Clear information about what data is collected and how it's used.
- AI Consent: Explicit consent required before sharing voice data with AI processors (OpenAI, Anthropic).
Contact Us
If you have questions about our security practices or would like to report a security concern, please contact us:
Responsible Disclosure
If you discover a security vulnerability, please report it responsibly to security@influencecraft.com. We appreciate your efforts to help us maintain the security of our platform and our users' data.
Updates to This Policy
We regularly review and update our security practices to address emerging threats and comply with evolving security standards. Any material changes to our security measures will be communicated through:
- Email notification to registered users
- Updates to this Data Security page
- In-app notifications for significant changes
Last updated: November 20, 2025