
Security

Effective Last updated

This page explains how Cleft protects your data: what stays on your device, how everything is encrypted, where it lives, and how to report a security concern. It restates, in one place, the security substance of our Privacy Policy and AI Usage page, and is consistent with our current Privacy Policy.

How Cleft protects your data, in short
  • Your voice is transcribed on-device. Audio is never sent to a server.
  • Notes are encrypted at rest with AES-256-GCM and in transit with TLS.
  • Cloud data is hosted in the EU (Ireland) with a zero-access architecture.
  • Only note text, never audio, is sent for optional cloud formatting, under DPAs that forbid training.
  • You can export or delete everything, at any time.

Encryption

Your notes are encrypted at rest with AES-256-GCM and in transit with TLS (1.2 or higher). Encryption is applied everywhere your data is stored or moved, not just in selected places.

On-device by default

The most sensitive step happens on your device. When you record, Cleft transcribes audio using the Whisper speech model running entirely on-device on your iPhone, iPad, or Mac, with no external service calls. Your audio is never sent to our servers or to any third party. Temporary audio files are deleted after a successful transcription unless you turn on Keep Audio.

Where your data lives

Cloud data is hosted in the EU (Ireland) under a zero-access architecture: we minimise what we store and design our systems so that your private note content is not casually accessible. See the Privacy Policy for the full data-handling detail and your rights under GDPR.

On-device storage protection

In the native apps, your notes are stored as files on your own device and protected by the platform’s own security:

  • Credentials in the Keychain. Authentication tokens and sync credentials are held in the system Keychain, accessible only when the device is unlocked (and never synced off that device).
  • iPhone and iPad: files are written with Apple Data Protection (NSFileProtection), so they are encrypted with your passcode at rest.
  • Mac: protection comes from FileVault, the App Sandbox, and the Hardened Runtime.

Cloud AI processing

Turning a raw transcript into a clean note is optional and opt-in. When you use it, Cleft sends transcript text only, never your audio, to a provider (OpenAI, with Groq as a backup). These providers are bound by Data Processing Agreements, with Standard Contractual Clauses for any US transfer, that prohibit training on your content. The full, always-current list of providers is on our vendor transparency page, and the detail of what is sent is on the AI Usage page.

Access and accountability

  • Authentication. Access to your account is gated by email-based authentication; session credentials live in the Keychain, not in plain storage.
  • Sub-processors. We use a small set of vetted vendors, each under a DPA. Who they are and what they handle is public on the vendor transparency page.
  • Data minimisation. We collect only what is needed to make Cleft work. No tracking, no ads, no data brokers.

Reporting a vulnerability

If you believe you have found a security vulnerability, please tell us before disclosing it publicly. Email security@cleftnotes.com with the details and steps to reproduce. We will acknowledge your report, keep you updated as we investigate, and we will not pursue good-faith researchers who follow responsible disclosure.

If something goes wrong

In the event of a personal-data breach, we follow our GDPR obligations: we assess the incident, notify the relevant supervisory authority within 72 hours where required, and inform affected users without undue delay when there is a high risk to their rights. See the Privacy Policy for the full commitment.

Your controls

  • Keep transcription local. Use on-device Whisper and skip cloud formatting entirely.
  • Keep Audio is off by default. Temporary audio is deleted after transcription unless you choose otherwise.
  • Export and delete. Your notes, transcripts, and audio are portable and removable at any time, in line with the rights set out in the Privacy Policy.

Questions

For security reports, email security@cleftnotes.com. For anything about how we handle your data, contact our Data Protection Officer at dpo@cleftnotes.com. For the wider picture, see our Privacy Policy, AI Usage page, and vendor transparency page.