Trust & Security

Your voice, not our asset.

Voca is built so the audio you speak never lives long enough to be a liability. This page explains the architecture, the controls, and the third parties involved — in enough detail that a security team can sign off, and in plain enough English that you don't need one to understand it.

Last reviewed · 26 April 2026
Audio retained · 0 sec

The ephemeral data flow

When you press the hotkey and start dictating, your audio takes a short, one-way trip. It is captured on your device, streamed over TLS to our API, forwarded to the transcription provider, and discarded the moment the transcript text returns. Nothing is written to disk on our side. Nothing is queued. Nothing is backed up.

01 · Client
Desktop app
Captures audio locally while you hold the hotkey. Encoded as Opus and streamed in chunks.
02 · Voca API
In-memory relay
Receives audio over TLS, holds bytes in memory only, forwards to Groq. No disk writes, no queues, no backups.
03 · Transcription
Groq Whisper
Zero Data Retention is enabled on our account. Audio is processed and dropped — never trained on.
→ TLS 1.3 · audio chunks
→ HTTPS · audio stream
← transcript text
04 · Return
Transcript
Text returns to your client and is pasted at your cursor. Stored on our side only if you opted in.
05 · Audio buffer
Released
The in-memory buffer holding your audio is released as soon as the transcript is returned. Lifetime: seconds.
06 · Metadata
Billing record
Duration, model, timestamp, credits charged. Enough to invoice you. Not enough to reconstruct what you said.
Audio at rest · 0 bytes
Audio in flight · TLS 1.3
Trained on · never

The single sentence version: your audio is in our possession for the seconds it takes to transcribe it, in memory, and then it is gone.


Security pillars

Encryption
TLS 1.3 in transit

All traffic between the client, our API, and Groq is encrypted with modern TLS. HSTS is enforced on every public hostname.

Authentication
Passkeys & 2FA

Passwords are hashed with bcrypt. WebAuthn passkeys, TOTP, and encrypted recovery codes are first-class. Sessions expire after 120 minutes idle.

Secrets
Encrypted at rest

2FA secrets, recovery codes, and API keys are encrypted at rest with Laravel's app key. Bearer tokens for the desktop app live in the OS credential store.

Hosting
EU infrastructure

Application and database run on Hetzner VPS infrastructure in EU data centres. Backups are encrypted and stay in-region.

Payments
Stripe-only PCI surface

Card data never touches our servers. We see your last four and a Stripe customer ID — that's it. Stripe handles PCI-DSS.

Isolation
Minimal third-party tracking

Google Analytics 4 for aggregate usage stats — no advertising cookies, no session replay, no fingerprinting SDKs. See the privacy policy for what's collected.


What we store, what we don't

Data | Stored? | Where
Raw audio | Never | In-memory only, released after transcription
Transcript text | Only if you opt in | Encrypted database column, deletable any time
Account credentials | Yes | Bcrypt-hashed passwords, encrypted 2FA secrets
Usage metadata | Yes | Duration, model, timestamp — for billing only
Payment details | No (Stripe holds them) | We store last four, brand, customer ID
Server logs | Yes | Application errors only — no audio, no transcripts

Subprocessors

We use a deliberately small number of vendors. Each one is listed below with the data they receive and the role they play.

Groq · Transcription

Receives the audio stream and a filename, returns the transcript text. Zero Data Retention is enabled on our account, which means Groq does not retain audio after processing and does not use it for model training. Hosted in Google Cloud Platform, United States. Cross-border transfers from the EEA rely on Standard Contractual Clauses.

Stripe · Payments

Receives your name, email, and Voca user ID when a billing record is created. Stripe holds your card details under their own PCI-DSS certification. We never see a full card number.

Hetzner · Hosting

Provides the VPS infrastructure that runs the API and database. EU data centres only. Hetzner does not have access to application data — disks are encrypted and access is keyed to operations staff.

Amazon SES · Transactional mail

Receives your email address and the body of transactional messages (password resets, billing receipts, invitations) for delivery. We send through AWS Simple Email Service in an EU region. No marketing campaigns run through this channel.


Account controls

  • Two-factor authentication. TOTP via any authenticator app, plus encrypted recovery codes you can print and store offline.
  • Passkeys. Register one or more WebAuthn credentials and sign in without a password. Private keys never leave your device.
  • Active sessions. See every browser and desktop session attached to your account. Revoke individually or sign out everywhere.
  • Transcript history toggle. Off by default. When off, no transcript text is ever written to our database.
  • Export. Download your account data and any saved transcripts as JSON.
  • Delete. Erase your account from Settings → Account → Delete. Sessions, tokens, transcripts, usage records, and admin notes are removed immediately.

Operational practices

  • Least privilege. Production database access is restricted to a single operator account with a hardware-key-enforced login.
  • Dependency hygiene. Composer and npm dependencies are tracked with lockfiles and reviewed for advisories on every release.
  • Backups. The application database is backed up nightly, encrypted, and held inside the same EU region. Audio is excluded by definition — there is none to back up.
  • Patching. The host OS, runtime, and framework are kept on supported releases. Critical security patches are applied within 72 hours.
  • Change control. Every change ships through pull request, automated tests, and a staging environment before production.

Reporting a vulnerability

If you believe you've found a security issue, please email [email protected] with the word "security" in the subject. We respond to confirmed reports within two business days. We do not yet run a paid bug bounty programme, but we are happy to credit reporters and we treat reports in good faith.

Please do not test against accounts that aren't yours, do not exfiltrate user data, and give us a reasonable window to fix issues before disclosing publicly. We will do the same in the other direction.


Compliance posture

Voca is operated from the Czech Republic and processes personal data under the GDPR. Our data processing arrangements with subprocessors include the EU Standard Contractual Clauses where required. We are not currently SOC 2 or ISO 27001 certified — if you need a formal questionnaire completed for a procurement review, email [email protected] and we will work through it with you.


Contact

Security reports: [email protected]
Privacy enquiries: [email protected]
Legal entity: Shay Stephan Lee Punter, Korunní 2569/108, 101 00 Praha - Vinohrady, Czech Republic