Trust & Transparency
How we handle your data and our limitations
Trust is not built by claiming to be trustworthy. It is built by being transparent about what the system does, how it works, and where its limits are.
Data handling
How your data is stored, protected, and processed.
Data in transit
All connections use TLS 1.3. No data is transmitted over unencrypted channels.
Data at rest
Database encrypted at rest. Row-level security (RLS) ensures users only access records within their own workspace.
Infrastructure
Hosted on Supabase (EU region) and Vercel. Both operate SOC 2 Type II certified infrastructure. See our subprocessors list for full vendor disclosure.
Audio files
Audio files are processed to generate SHA-256 fingerprints. Processed files are deleted within 24 hours of fingerprint extraction. Fingerprints are stored, not the original audio.
Access logging
All admin actions are logged to an immutable audit table. Logs cannot be modified or deleted once written. This applies to Audiverify staff as well as workspace admins.
Timestamps
Certificate timestamps are generated server-side at record creation. They are not adjustable by users or staff after issuance.
Evidence integrity
The design principle behind every technical decision in Audiverify is to make falsification significantly harder and leave detectable inconsistencies if attempted.
Cryptographic fingerprinting
SHA-256 hashes are mathematically deterministic. The same file always produces the same hash. Any modification — even a single bit — produces a completely different hash. This makes it impossible to substitute a different audio file and claim it matches an existing certificate fingerprint.
Immutable timestamps
Certificate timestamps are generated server-side at the moment of record creation. They are stored in the database and reflected in the public verification record. Timestamps cannot be backdated, adjusted, or modified by any party — including Audiverify staff.
Immutable audit logs
Every significant action in the system — certificate creation, admin actions, status changes — is written to an append-only audit log. The log table has database-level policies that prevent modification or deletion of existing entries.
GDPR & data rights
We operate under EU and UK data protection frameworks. The following rights apply to personal data we hold about you.
Right to access
SupportedYou can export your workspace data from your account settings.
Right to rectification
PartialProfile and contact data can be updated. Certificate records cannot be modified after issuance — this is intentional for integrity.
Right to erasure
SupportedAccount deletion removes personal data. Note: certificate records may be retained in anonymised form for verification integrity.
Right to data portability
SupportedCertificate data is available in JSON and PDF formats for export.
Right to object
SupportedYou can contact us to object to specific processing activities. See our privacy policy for lawful bases.
To exercise any of these rights, contact us via the contact page. See the full Privacy Policy for lawful bases and retention periods.
What Audiverify does not do
These limitations are not disclaimers added by lawyers. They are fundamental to what documentation infrastructure is. Understanding them is part of using the system correctly.
- Audiverify does not verify ownership, authorship, or copyright status of submitted works.
- Audiverify does not provide legal advice and is not a substitute for qualified legal counsel.
- Certificates are documentation records, not legal instruments.
- Audiverify cannot guarantee that a certificate will be accepted as evidence in any specific legal proceeding.
- Audiverify does not monitor submitted content for third-party rights infringement.
Key subprocessors
These vendors have access to data as part of normal platform operation.
Supabase
Database & authentication
Vercel
Application hosting
Resend
Transactional email
Stripe
Payment processing
Upstash
Rate limiting & caching
Spotify
Release detection API