Security for the meetings you record.
Notabium is a cloud service. Your recordings are encrypted, scoped to your account, and yours to delete. Here is exactly how we protect them.
Where your data lives
Recordings, transcripts, summaries, and account data are stored in our cloud infrastructure on Supabase (Postgres and Storage), with Cloudflare handling DNS. Transcription runs through ElevenLabs (with Groq as a fallback) and AI summaries and chat run through Anthropic Claude. We don't use your meetings to train models.
Access control
Every recording is owner-scoped. We enforce row-level security in the database, so a meeting is only ever readable by its owner and the people that owner explicitly shares it with. Authentication is required for all access to your data.
Encryption
- In transit: TLS / HTTPS on every endpoint. HSTS preload on notabium.com. Modern cipher suites only.
- At rest: recordings and files are stored with server-side encryption in Supabase Storage; account data sits in our encrypted Postgres database.
- Secrets: API credentials and service keys are held as managed secrets in our infrastructure, never committed to source or exposed to the client.
Recording disclosure and consent
Notabium is built so the people in a meeting know it is being recorded:
- The Notabium Notetaker joins as a visible participant and announces in the meeting chat that recording is happening. It is passive: it never speaks and never acts on your behalf.
- The web and extension recorder asks the host to confirm that participants have been informed before recording starts.
- We store the consent state per meeting, so there is a record of how recording was disclosed.
Compliance posture
- GDPR aligned: by design. Data minimisation, owner-scoped access, and deletion on request.
- Your data stays yours: we don't sell it and we don't use your meetings to train models. Recordings are retained until you delete the meeting or close your account.
- SOC 2: we build on infrastructure providers (Supabase, Cloudflare) with their own SOC 2 programs, and are developing our own organisational controls.
- HIPAA / BAAs: Notabium is a cloud service and is not HIPAA compliant. We do not offer Business Associate Agreements. Please don't use Notabium to record meetings that contain protected health information.
Responsible disclosure
If you find a security issue, please email notabium@proton.me. We acknowledge within 24 hours and work with you on a disclosure timeline. No bug bounty yet, but we credit reporters in release notes if they want.
Do not disclose publicly until we have shipped a fix. We aim to ship security fixes within 7 days of confirmed reports.