Security & Privacy

Meeting data is among the most sensitive information in any organization. Karnyx is built from the ground up with security and privacy as core architectural principles.

Security Overview

SOC 2 Type II

Building toward SOC 2 Type II certification. Our security controls align with the five trust service criteria. Current status: in progress.

GDPR & CCPA

Fully compliant with EU GDPR and California CCPA privacy regulations.

Encryption at Rest

All meeting data encrypted with AES-256-GCM before being written to disk.

TLS 1.3

All data in transit encrypted with TLS 1.3 using strong cipher suites.

Encryption

Data at Rest

All sensitive data is encrypted before being written to storage:

  • Audio files: AES-256-GCM with unique keys per file
  • Transcripts: Encrypted at the database column level
  • Summaries and action items: Encrypted at rest in PostgreSQL
  • Participant data: PII fields encrypted with envelope encryption

Data in Transit

All network communication uses TLS 1.3:

  • Mac app to backend API: HTTPS with certificate pinning
  • Backend to third-party services (Deepgram, Anthropic): TLS 1.3
  • Database connections: Encrypted with TLS and mutual authentication
  • Redis connections: TLS with authentication required

Key Management

Encryption keys are managed using AWS KMS with automatic rotation every 90 days. Keys are never stored in application code or logs.
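
The per-file keys and envelope encryption listed under Data at Rest, together with key rotation, can be sketched as follows. This is an added example, not Karnyx code: a local key-encryption key (KEK) stands in for a KMS-held key, and every function and identifier name is hypothetical. It shows that rotating the KEK only re-wraps each file's data key and leaves the file ciphertext untouched.

```javascript
// Added illustration, not Karnyx code. A local KEK stands in for a KMS-held key;
// all function names, key ids and file ids below are hypothetical.
const crypto = require('node:crypto');

// AES-256-GCM with a fresh 96-bit nonce; AAD binds the ciphertext to its context.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function open(key, box, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAAD(aad);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]); // throws if key, AAD or tag is wrong
}

// Encrypt one file under its own data key (DEK); only the wrapped DEK is stored.
function encryptFile(kek, kekId, fileId, data) {
  const aad = Buffer.from(fileId);
  const dek = crypto.randomBytes(32);
  const record = { fileId, kekId, body: seal(dek, data, aad), wrappedDek: seal(kek, dek, aad) };
  dek.fill(0); // drop the plaintext DEK once both seals are done
  return record;
}

function decryptFile(keyring, record) {
  const aad = Buffer.from(record.fileId);
  const dek = open(keyring[record.kekId], record.wrappedDek, aad);
  return open(dek, record.body, aad);
}

// Rotation: re-wrap the DEK under the new KEK; the file ciphertext is not touched.
function rewrap(keyring, record, newKekId) {
  const aad = Buffer.from(record.fileId);
  const dek = open(keyring[record.kekId], record.wrappedDek, aad);
  return { ...record, kekId: newKekId, wrappedDek: seal(keyring[newKekId], dek, aad) };
}

// Constructed sample: two KEK versions and one "audio file".
const keyring = { 'kek-v1': crypto.randomBytes(32), 'kek-v2': crypto.randomBytes(32) };
const rec = encryptFile(keyring['kek-v1'], 'kek-v1', 'audio/0001', Buffer.from('constructed sample audio'));
console.log(decryptFile(keyring, rewrap(keyring, rec, 'kek-v2')).toString());
```

Because the file id is used as associated data, a record copied under a different file id fails authentication on decrypt.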

Access Control

Role-Based Access Control (RBAC)

Karnyx implements fine-grained RBAC at the organization and workspace level:

Role      Permissions
OWNER     Full administrative control including billing and member management
ADMIN     Manage workspace settings, members, and all meetings
MEMBER    Create and edit own meetings, view workspace meetings
VIEWER    Read-only access to workspace meetings and participants

Single Sign-On (SSO)

Enterprise plan includes SSO via SAML 2.0 and OIDC:

  • Okta, Google Workspace, Microsoft Entra ID (Azure AD)
  • Just-in-time (JIT) user provisioning
  • SCIM 2.0 for automated user lifecycle management
  • Enforce SSO for all organization members

Compliance & Certifications

SOC 2 Type II

We are building toward SOC 2 Type II certification. Our security controls align with the five trust service criteria. Current status: in progress. Security documentation is available to Enterprise customers under NDA.

GDPR Compliance

We comply with the EU General Data Protection Regulation (GDPR):

  • Data Processing Agreements (DPA) available for all customers
  • Right to access, rectify, delete, and export personal data
  • Data residency options (US, EU) for Enterprise customers
  • Data breach notification within 72 hours

CCPA Compliance

California Consumer Privacy Act (CCPA) rights supported: access, deletion, and opt-out of data sales (we never sell user data).

HIPAA (Coming Soon)

HIPAA compliance for healthcare customers is in development. Contact sales for timeline.

Data Retention & Deletion

You control how long your data is retained. Configure retention policies per workspace or organization-wide.

Retention Options

  • 30 days: Automatically delete recordings and transcripts after 30 days
  • 90 days: Standard retention period for most teams
  • 1 year: Longer retention for compliance or archival purposes
  • Forever: Retain indefinitely (default)

Manual Deletion

Delete individual meetings or bulk delete:

  1. Select meetings to delete from the dashboard
  2. Click Delete and confirm
  3. Data is moved to a soft-delete state for 7 days (recoverable)
  4. After 7 days, data is permanently deleted and unrecoverable

Permanent Deletion

Once data is permanently deleted (after 7-day grace period), it cannot be recovered. This includes audio files, transcripts, summaries, and all associated metadata.

Karnyx provides tools to help you manage recording consent in compliance with local laws.

Consent Banner

For Bot Mode meetings, the bot announces itself and the meeting platform displays a recording notification.

Consent Tracking

Enterprise plan includes:

  • Automatic logging of who attended recorded meetings
  • Participant consent tracking (opt-in/opt-out)
  • Audit trail of consent decisions

Legal Responsibility

You are responsible for ensuring your use of Karnyx complies with applicable laws in your jurisdiction. Many regions require all-party consent before recording. Consult legal counsel if unsure.

Audit Logs

Enterprise plan includes comprehensive audit logging for security and compliance:

Events Logged

  • User logins, logouts, and authentication failures
  • Meeting creation, updates, and deletions
  • Member additions and removals from workspaces
  • Permission changes and role assignments
  • Data exports and API key creation
  • Settings changes (workspace, organization)

Log Retention

Audit logs are retained for 1 year and can be exported in JSON or CSV format.

Security Contact

If you discover a security vulnerability, please report it responsibly:

Email: security@karnyx.ai

PGP Key: Download Public Key

We commit to acknowledging reports within 24 hours and providing a resolution timeline within 72 hours.