Found a bug? We have a bug bounty program! Please refer to our Responsible Disclosure policy.
Krisp’s Information Security Program is designed to ensure the highest level of protection for all data entrusted to us. We take a proactive and comprehensive approach to secure our applications, infrastructure, and associated services. Krisp employs information security policies and there is an executive-level commitment to implement and follow the policies throughout the organization. The Information Security program is led by the Head of Security @ Krisp.
Our SOC 2 Type II report demonstrates our commitment to strong security and privacy practices to our customers, business partners, and other stakeholders. SOC 2 (Service Organization Control 2) is a widely recognized auditing standard developed by the American Institute of CPAs (AICPA) that focuses on the evaluation of a service organization’s controls over security, availability, processing integrity, confidentiality, and privacy.
Krisp is a desktop app and online service that provides AI meeting assistance (background noise removal, capturing meeting transcriptions, enabling collaboration, etc.) while the user is on calls, in video meetings, or making recordings or podcasts with their favorite apps (Zoom, Skype, Loom, Squadcast, etc.). The Krisp desktop app is designed as a virtual microphone and speaker and can therefore plug into any other app.
Krisp stores the following customer data in its cloud:
- Payment history and invoices (credit card numbers are stored at Stripe)
- Application name Krisp has been used with (e.g. Zoom, Skype)
- Microphone and speaker names Krisp is being used with (e.g. AirPods)
- Time and duration when Krisp has been used
- Total time the user has been speaking in the call
- Calendar data *
  - User’s meeting data (meeting name and other info, including participants’ emails)
  - Date and time of meetings
- Meeting transcription *
  - Meeting metadata (participants’ emails, time)
  - Meeting transcription (who said what)
- Meeting recordings *
  - Meeting recording audio
- Collaboration data *
  - Any comments and notes added by team members, and their emails
- Integrations data *
  - Any data obtained from 3rd party integrations explicitly enabled by the user (Notion, Slack, Jira, etc.)
* This information is collected only if the user opts in to Meeting Assistant features (see below for more information).
Krisp stores meeting information (transcripts, recordings and summaries) in its cloud only after the Meeting Notes feature is enabled and the user explicitly opts in to storing that data in the Krisp cloud.
Transcripts and meeting notes are stored encrypted with strictly limited access. Any access to user data is possible only in “break-the-glass” situations by duly trained Krisp employees who are bound by a duty of confidentiality for Krisp and Krisp customer data. These situations are monitored through automated means. This is standard security practice in the industry.
Meeting transcripts are generated on the user’s machine. Generated meeting transcripts, recordings and summaries belong to the user. Krisp stores meeting transcripts and summaries only in connection with providing these services to the user. Krisp doesn’t use this data for any other purposes.
If the user decides to delete call transcripts or meeting summaries, they are completely wiped from Krisp’s infrastructure (we use the “hard-delete” method, which prevents user data from being recovered after deletion).
Krisp uses in-house speech-to-text technology on the end user’s device to generate meeting transcripts. In addition, Krisp uses Microsoft Azure services to generate meeting summaries from meeting transcripts. Microsoft Azure is ISO 27001:2013, GDPR, and HIPAA compliant. Microsoft Azure doesn’t use customer data for its internal training. More information on how Azure uses customer data is available via this link.
Krisp has implemented industry-standard security best practices to ensure the highest level of security around user data, particularly:
Data Minimization: We only send the minimum necessary data to Microsoft Azure.
Encryption in Transit and at Rest: We use strong encryption protocols (TLS) to secure the data while it’s being transmitted to Microsoft Azure. Additionally, we ensure that data at rest (when stored on servers) is also encrypted using the AES-256 algorithm.
Access Control: Strict access control is implemented on both Microsoft Azure’s and Krisp’s sides. Only authorized personnel (a few security- and privacy-trained engineers) have access to the transcripts, and their access is limited to what’s necessary for their roles.
Vendor Security Assessment: We evaluate the security practices of our third-party solution providers. We check their certifications, audits, and compliance with relevant data protection regulations.
Audit Logs and Monitoring: We have implemented a comprehensive Security Information and Event Management (SIEM) system to track who accesses the transcripts and when. This helps detect any unauthorized access or suspicious activity.
Contingency Planning: We have a plan in place for responding to possible data breaches or security incidents, including notification procedures for affected users.
Data in transit is secured by enforcing TLS 1.2 throughout all our services (no exception).
Data at rest (all production databases and customer data) is encrypted with AES-256 (no exception).
Krisp supports three authentication methods for users:
Google sign-in (OAuth 2.0)
Email-verification-based sign-in (a random magic code is sent to the user’s email every time)
SAMLv2 based SSO (for team plans)
Krisp backend doesn’t store passwords.
At Krisp, we prioritize user experience by offering convenient and flexible authentication methods.
We have implemented 2FA to provide an additional layer of security that significantly reduces the risk of unauthorized access to your Krisp account. Enabling 2FA strengthens the overall safety of your Krisp account and ensures the protection of your sensitive information.
Check out our helpdesk article on how to enable/disable 2FA.
Customers can delete all their data by sending an email to [email protected]. Customers can request a copy of all their data by sending an email to [email protected]. Once a user account is deleted, all associated data (account settings, etc.) is removed from Krisp systems. This action is irreversible.
Account data is gated at the application layer. Account data is not physically segregated at the database or storage layers.
This document provides the full list of authorized Krisp Sub-processors and describes the process of receiving notifications on sub-processor changes.
Only a few of our key engineering leads have access to customer data. Granting key engineering leads access to customer data is a common practice to facilitate product development, support, and troubleshooting. No other engineers have access to customer data unless granted permission for debugging purposes.
The Krisp app operates locally on the user’s machine and most of the time doesn’t need to connect to its backend. When it detects that it can no longer connect to the backend, it stops operating. Our backend infrastructure is entirely hosted on AWS; it is fully automated and monitored by continuous functional tests to detect any sort of downtime.
The Krisp backend is entirely hosted on AWS and leverages all the security benefits (physical security, key management, redundancy, scalability, etc.) that AWS provides. The IT infrastructure that AWS provides to its customers is designed and managed in alignment with security best practices and a variety of IT security standards, including SOC 1/SSAE 16/ISAE 3402, SOC 2, SOC 3, FISMA, DIACAP, and FedRAMP, DOD CSM Levels 1-5, PCI DSS Level 1, ISO 9001 / ISO 27001, ITAR, FIPS 140-2, and MTCS Level 3. In addition, the Krisp backend is security-hardened by:
Using the least privilege principle for limiting internal communication between its hosts
Closing all unused ports (including SSH) with AWS’s built-in firewall
Only allowing HTTPS communication with AWS’s recommended TLS settings
Following modern secure-programming best practices
The Krisp backend doesn’t use passwords, which considerably simplifies its security posture. Instead, it relies on Google Sign-in, SSO and email code verification for all user sign-in events. The Krisp backend leverages Stripe for payments and therefore doesn’t store credit cards.
The Krisp backend is regularly scanned with industry-standard scanning tools for monitoring and detecting vulnerabilities. In addition, twice a year we do a thorough and detailed pentest using third-party penetration testing firms.
We consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present. We encourage security researchers to work with us to mitigate and coordinate the disclosure of potential security vulnerabilities. If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems. Please do the following:
What we are seeking: On our frontend applications – security bugs that result from improper deserialization of input data and could lead to vulnerabilities like DOM XSS on the web, various kinds of overflows, incorrect memory handling, and anything else that could lead to user account, machine, or private data compromise. On the backend side – security bugs that result from improper user input handling, security misconfiguration, improper access control, and anything else that could lead to user account or private data compromise, information disclosure, various kinds of abuse, or server compromise. What is in scope:
What we promise:
We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication on the problem after it is resolved.
All members of our team go through Security 101 training for increased security awareness.
If you have any questions about this doc please contact us at: [email protected]