Security for Call Centers and Enterprise

Found a bug ? We got a bug bounty program ! Please refer to our Responsible disclosure policy

Information Security Program

Krisp’s Information Security Program is designed to ensure the highest level of protection for all data entrusted to us. We take a proactive and comprehensive approach to secure our applications, infrastructure, and associated services. Krisp employs information security policies and there is an executive-level commitment to implement and follow the policies throughout the organization. The Information Security program is led by the Head of Security @ Krisp.

SOC-2 Type II Audit

SOC 2 Type II report demonstrates our commitment to strong security and privacy practices to our customers, business partners, and other stakeholders. SOC 2 (Service Organization Control 2) is a widely recognized auditing standard developed by the American Institute of CPAs (AICPA) that focuses on the evaluation of a service organization’s controls over security, availability, processing integrity, confidentiality, and privacy.

You can download Krisp’s SOC-2 Type II audit executive summary from here. Please contact [email protected] if you would like to review the full report.

Customer Data

Krisp (Windows, Mac, Linux, ChromeOS) is a desktop app which provides AI-powered Voice Productivity AI (remove background noise, translate accent, convert speech to text) to enterprise employees while they are doing calls, video meetings, making recordings or podcasts using their favorite apps (TalkDesk, Genesys, Five9, Zoom, MS Teams, etc.). Krisp is designed as a virtual microphone and speaker and hence can plug into any other app.

Krisp processes all voice audio data on the end user’s machine (even when doing speech to text). User’s voice audio data NEVER leaves the user’s machine, except in AI Live Interpreter product (see below section).

Krisp stores the following customer data in its cloud:

  • Email addresses (if the customer is using email-based signup). No email addresses will be stored if the customer is using device-based authentication.

  • Team names

  • Payment history and invoices (credit card numbers are stored at Stripe)

  • Analytics data

    • Application name which Krisp has been used with (e.g. Zoom, Skype)

    • Microphone, speaker names which Krisp is being used with (e.g. AirPod)

  • Call metadata

    • Time and duration when Krisp has been used

    • Total time the user has been speaking in the call

AI Noise cancellation

Krisp performs noise cancellation directly on the end user’s device, ensuring that voice audio data NEVER leaves end user’s machine.

AI Accent localization

Krisp performs accent localization directly on the end user’s device, ensuring that voice audio data NEVER leaves end user’s machine.

AI Live Interpreter

AI Live Interpreter transmits customer audio data to Krisp’s secure cloud infrastructure for speech to speech translation. Customer data is always encrypted in transit and NEVER stored in the cloud, ensuring the highest standards of data security and privacy.

AI Agent Copilot

AI Agent Copilot generates the transcript on end user’s device and further transmits the transcript to Krisp’s secure cloud infrastructure for AI summarization. Customer data is always encrypted in transit and NEVER stored in the cloud, ensuring the highest standards of data security and privacy.

When PII redaction mode is enabled, personally identifiable information (PII) is removed directly on the device, ensuring that PII is not accessible at any subsequent stage of the processing pipeline.

Encryption

  • Data in transit is secured by enforcing TLS 1.2 throughout all our services (no exception).

  • Data at rest (all production databases and customer data) is encrypted with AES-256 (no exception).

Authentication

Krisp supports three authentication methods for users:

  1. Google sign-in (OAuth 2.0)

  2. Email verification based sign-in (a random magic code is sent to the user’s email every time)

  3. SAMLv2 based SSO (for team plans)

Krisp backend doesn’t store passwords.

GDPR and Data Retention

Customers can delete all their data by sending an email to [email protected]. Customers can request all their data by sending an email to [email protected]. Once a user account is deleted, all associated data (account settings, etc.) are removed from Krisp systems. This action is irreversible.

Data Access and Segregation

Account data is gated at the application layer. Account data is not physically segregated at the database or storage layers.

3rd Party Data Sharing

This document provides the full list of authorized Krisp Sub-processors and describes the process of receiving notifications on sub-processor changes.

Internal Krisp Team Data Access

Only a few of our key engineering leads have access to customer data. Granting key engineering access to customer data is a common practice to facilitate product development, support, and troubleshooting. All other engineers do not have access to customer data unless granted permission for debugging purposes.

Infrastructure Availability

Krisp app operates locally on the users’ machines and most of the time doesn’t need to connect to its backend. When it detects that it can no longer connect to the backend it stops operating. Our backend infrastructure is entirely hosted on AWS, it’s fully automated and monitored by continuous functional tests to detect any sort of downtime.

Production and Datacenter Security

Krisp backend is entirely hosted on AWS and leverages all the security benefits (physical security, key management, redundancy, scalability, etc) that AWS provides. The IT infrastructure that AWS provides to its customers is designed and managed in alignment with security best practices and a variety of IT security standards, including SOC 1/SSAE 16/ISAE 3402 • SOC 2 • SOC 3 • FISMA, DIACAP, and FedRAMP • DOD CSM Levels 1-5 • PCI DSS Level 1 • ISO 9001 / ISO 27001 • ITAR • FIPS 140-2 • MTCS Level 3. In addition, Krisp backend is security-hardened by:

  • Using the least privilege principle for limiting internal communication between its hosts

  • Closing all unused ports (including SSH) with AWS’s built-in firewall

  • Only allowing HTTPS communication with AWS’s most recommended TLS settings

  • Using best and modern practices for secure programming

Krisp Backend doesn’t use passwords which makes it very lightweight from a security perspective. Instead, it relies on Google Sign-in, SSO and email code verification for all user sign-in events. Krisp Backend is leveraging Stripe for payments and therefore it doesn’t store credit cards.

Regular PenTests and Security Scans

Krisp Backend is regularly scanned with industry-standard scanning tools for monitoring and detecting vulnerabilities. In addition, twice a year we do a thorough and detailed pentest using 3rd party pentest companies.

Responsible Disclosure

We consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present. We encourage security researchers to work with us to mitigate and coordinate the disclosure of potential security vulnerabilities. If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems. Please do the following:

  • Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability

  • Do not reveal the problem to others until it has been resolved,

  • Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties, and

  • Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.

  • Submit a vulnerability report by clicking the button below, or email your findings to [email protected].

What we are seeking: On our frontend applications – security bugs that are results of improper deserialization of input data which could lead to vulnerabilities like dom xss on the web, various kinds of overflows, incorrect memory handlings, and anything else that could lead to user account, machine, private data compromise. On the backend side – security bugs that are results of improper user input handling, security misconfiguration, improper access control and anything else that could lead to user account, private data compromise, information disclosure, various kinds of abuses, server compromise.

What is in scope:

  • *.krisp.ai (except for whatsnew.krisp.ai, help.krisp.ai, jobs.krisp.ai but we are eager to hear vulnerabilities from those 3rd parties and helping them resolving those issues),

  • Krisp windows application,

  • Krisp macOS application.

What we promise:

  • We will respond to your report within 3 business days with our evaluation of the report and an expected resolution date,

  • If you have followed the instructions above, we will not take any legal action against you in regard to the report,

  • We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission,

  • We will keep you informed of the progress towards resolving the problem,

  • As a token of our gratitude for your assistance, we offer a reward for every report of a security problem that was not yet known to us and has a reasonable level of severity. The amount of the reward will be determined based on the severity of the leak and the quality of the report.

We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication on the problem after it is resolved.

Security 101 for Krisp Team

All members of our team go through a Security 101 training for increased security awareness

Contact

If you have any questions about this doc please contact us at: [email protected]