Security, honestly stated.
What we actually do to protect your data — no badge theatre.
Every Razorpay payment and webhook is HMAC-verified server-side with constant-time comparison. Credits are granted exactly once via idempotent, atomic transactions — the browser can never mint credits.
Balances live on the server with an auditable ledger. Client-side numbers are display only.
No passwords stored. Authentication uses Google OAuth with short-lived, HS256-signed sessions.
Uploads are stored privately outside any web-served directory, with strict ownership checks — one account can never access another's recordings or results. Sonorix never reads call logs or records silently.
HTTPS everywhere via nginx; API docs are closed in production; continuous health monitoring on the live service.
We are not yet SOC 2 or ISO 27001 certified — we won't display badges we haven't earned. Questions: security@sonorixapp.com.