Security & Responsible Disclosure

Last updated: May 8, 2026

Overview

MinuteSmith handles sensitive governance information for HOA, condo, and nonprofit boards. This page documents the specific protections that are actually in place — not aspirations and not certifications we have not earned.

For a single procurement-grade reference (architecture, vendor handling, controls, limitations) see the Trust Center.

Core Security Practices

  • HTTPS/TLS for all traffic between your browser and the Service
  • Encryption at rest provided by our infrastructure (Postgres on Supabase, object storage on Supabase Storage)
  • Per-board access controls enforced at the database layer (Postgres Row-Level Security policies on all customer tables)
  • Authentication safeguards, including session invalidation when credentials change
  • Audit logging for sensitive actions (document downloads, exports, member changes)
  • Principle of least privilege for service-role access
  • Cron jobs authenticate via a shared secret and fail closed in production if the secret is misconfigured
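One way to implement the cron shared-secret check so that it fails closed, shown as an added example that is not MinuteSmith's code: it assumes the secret arrives as a bearer token and that `CRON_SECRET` and `APP_ENV` are the environment variable names (both assumptions).

```python
"""Shared-secret authentication for cron endpoints, failing closed in production.
Added example, not MinuteSmith's code; CRON_SECRET / APP_ENV and the bearer
header format are assumptions."""
import hmac
import os
from typing import Dict, Optional


class CronAuthError(Exception):
    """Raised when the deployment is misconfigured and every request must be refused."""


def check_cron_auth(headers: Dict[str, str], env: Optional[Dict[str, str]] = None) -> bool:
    """Return True only when the request presents the configured shared secret.

    * secret set, header matches            -> True
    * secret set, header missing or wrong   -> False
    * secret unset in production            -> CronAuthError (fail closed: a
      misconfigured deploy must never run cron jobs unauthenticated)
    * secret unset elsewhere                -> False (assumed; the page only
      specifies the production behaviour)
    Header names are expected lower-cased, as most frameworks normalise them.
    """
    env = os.environ if env is None else env
    secret = env.get("CRON_SECRET", "")
    if not secret:
        if env.get("APP_ENV") == "production":
            raise CronAuthError("CRON_SECRET is not set; refusing all cron requests")
        return False
    scheme, _, presented = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not presented:
        return False
    # Constant-time comparison so a wrong guess cannot be timed against the secret.
    return hmac.compare_digest(presented.strip().encode(), secret.encode())
```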

AI Privacy

MinuteSmith uses commercial APIs from Anthropic (Claude) and OpenAI (Whisper for transcription, text-embedding-3-small for retrieval). Under both vendors’ commercial API agreements, customer data submitted via the API is not used to train their models. Vendor trust-and-safety retention (up to 30 days) applies; we are not currently on either vendor’s zero-retention enterprise plan.

The Ask AI pipeline (“RAG” — retrieval-augmented generation):

  1. Your question is sent to OpenAI to generate a search embedding (a numeric vector).
  2. The embedding is matched against pre-computed vectors of your meeting content in our database. The vector search function enforces a board_id = ANY(...) filter at the SQL level — not just in application code.
  3. Relevant meeting excerpts from your boards are assembled as context.
  4. Your question + the excerpts are sent to Anthropic’s Claude to synthesize an answer.

Additional protections:

  • No customer’s data is used as prompt context for another customer’s request
  • A redaction layer strips emails, phone numbers, SSNs, payment-card patterns, and bank/routing identifiers from prompts before they reach AI vendors; it is enabled by default and can be disabled via ENABLE_AI_REDACTION=false
  • Production logs do not contain prompt bodies, transcript content, or signed URLs

Full Ask AI architecture, vendor data handling, and limitations →

Logging

Production logs do not contain prompt bodies, transcript content, signed download URLs, authorization headers, or session tokens. Application errors are captured as metadata only (status code, message, duration) — never the upstream request body. Internal helpers actively redact bearer tokens, JWTs, and SDK keys from log lines.
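The prompt-side redaction listed under AI Privacy and the log scrubbing described here are both pattern-based, so one added example (not MinuteSmith's code) covers both. The PII patterns, the Luhn and ABA checksum filters that cut false positives, the `ENABLE_AI_REDACTION` handling beyond "on by default, off with `false`", and the `sk-` vendor-key prefix are assumptions.

```python
"""Pattern-based redaction: PII out of prompts, secrets out of log lines.
Added example, not MinuteSmith's code; patterns and checksum filters are assumptions."""
import os
import re
from typing import Callable, List, Optional, Tuple

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: redact a 13-19 digit run only if it is card-like."""
    doubled = [int(c) * (2 if i % 2 else 1) for i, c in enumerate(reversed(digits))]
    return sum(d - 9 if d > 9 else d for d in doubled) % 10 == 0

def aba_ok(digits: str) -> bool:
    """ABA routing-number checksum (weights 3,7,1 repeating)."""
    return sum(int(c) * w for c, w in zip(digits, (3, 7, 1) * 3)) % 10 == 0

# (pattern, replacement, optional validator run on the matched text)
Rule = Tuple[re.Pattern, str, Optional[Callable[[str], bool]]]

PII_RULES: List[Rule] = [  # applied before a prompt leaves for an AI vendor
    (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), "[EMAIL]", None),
    # cards first so a separated 16-digit PAN is not half-eaten by the phone rule
    (re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), "[CARD]", lambda s: luhn_ok(re.sub(r"\D", "", s))),
    (re.compile(r"\b\d{9}\b"), "[ROUTING]", aba_ok),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]", None),
    (re.compile(r"(?<!\w)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"), "[PHONE]", None),
]

SECRET_RULES: List[Rule] = [  # applied to every log line before it is written
    (re.compile(r"(?i)bearer\s+[A-Za-z0-9._~+/=-]+"), "Bearer [REDACTED]", None),
    (re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"), "[JWT]", None),
    (re.compile(r"\bsk-[A-Za-z0-9_-]{8,}"), "[SDK_KEY]", None),  # assumed vendor key prefix
]

def apply_rules(text: str, rules: List[Rule]) -> str:
    for pat, label, check in rules:
        text = pat.sub(lambda m: label if check is None or check(m.group()) else m.group(), text)
    return text

def redact_prompt(text: str, env: Optional[dict] = None) -> str:
    """On by default; only an explicit ENABLE_AI_REDACTION=false turns it off."""
    env = os.environ if env is None else env
    if env.get("ENABLE_AI_REDACTION", "true").strip().lower() == "false":
        return text
    return apply_rules(text, PII_RULES)

def scrub_log(line: str) -> str:
    return apply_rules(line, SECRET_RULES)
```

The sample values in the test below are constructed; the routing number is checksum-valid but not a real bank's.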

Document & Recording Access

Files in board document and meeting recording buckets are never public. Every download requires a short-lived signed URL (currently capped at one hour) generated only after the request is authorized against your board membership. Document downloads are written to a per-board audit log.

Data Retention

Boards may opt in to retention windows for recordings, transcripts, and AI-generated artifacts. The default behavior is to retain data indefinitely — nothing is auto-deleted until an operator explicitly enables a retention policy. When retention is enabled:

  • Eligible items are first staged in a pending-deletion queue for review
  • Approved minutes that the policy marks “preserve permanently” are never deleted
  • Imported historical meetings are protected from automatic deletion
  • Deletion happens in two phases (soft-delete first, hard-delete after a grace window) with an audit log entry at each step
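The staging, exclusion and two-phase deletion rules above, as an added example that is not MinuteSmith's code; the `Item` fields, the operator-approval set and the audit tuple format are assumptions.

```python
"""Two-phase retention sweep with the exclusions the policy describes.
Added example, not MinuteSmith's code; the Item fields, the approval set and
the audit tuple format (when, item id, step) are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set


@dataclass
class Item:
    id: str
    created_at: datetime
    imported: bool = False        # imported historical meeting: never auto-deleted
    preserve: bool = False        # approved minutes the policy marks "preserve permanently"
    pending: bool = False         # in the pending-deletion queue awaiting review
    soft_deleted_at: Optional[datetime] = None
    hard_deleted: bool = False


def eligible(item: Item, retention_days: int, now: datetime) -> bool:
    """Aged out of the window and not covered by either hard exclusion."""
    if item.imported or item.preserve:
        return False
    return now - item.created_at >= timedelta(days=retention_days)


def run_retention(items: List[Item], retention_days: int, grace_days: int,
                  approved_ids: Set[str], now: datetime, audit: list) -> List[str]:
    """One scheduled pass: stage -> soft-delete once an operator approves ->
    hard-delete after the grace window, with an audit entry per transition.
    Returns the ids still waiting for review."""
    waiting = []
    for it in items:
        if it.hard_deleted:
            continue
        if it.soft_deleted_at is not None:          # phase 2
            if now - it.soft_deleted_at >= timedelta(days=grace_days):
                it.hard_deleted = True
                audit.append((now, it.id, "hard_deleted"))
            continue
        if not eligible(it, retention_days, now):
            continue
        if it.id in approved_ids:                   # phase 1
            it.pending, it.soft_deleted_at = False, now
            audit.append((now, it.id, "soft_deleted"))
        elif not it.pending:                        # phase 0: stage for review
            it.pending = True
            audit.append((now, it.id, "staged"))
        if it.pending:
            waiting.append(it.id)
    return waiting
```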

What We Do Not Claim

In the interest of accuracy:

  • MinuteSmith is not SOC 2, ISO 27001, FedRAMP, or HIPAA-certified, and we do not currently sign HIPAA Business Associate Agreements
  • We do not provide end-to-end encryption — AI processing inherently requires server-side decryption of content
  • We have not undergone an external penetration test
  • We do not currently buy enterprise zero-retention SKUs from our AI vendors; vendor 30-day trust-and-safety retention applies

We will update this list as protections change. We prefer documenting what we actually do over making claims we cannot verify.

Reporting a Vulnerability

If you believe you have identified a security vulnerability, please report it to:

[email protected]

What to Include

Please include:

  • A clear description of the issue
  • Steps to reproduce
  • Any relevant screenshots or proof-of-concept

Guidelines

When investigating and reporting issues, please adhere to the following:

  • Do not access or modify data that does not belong to you
  • Do not perform destructive testing
  • Do not degrade service availability
  • Do not attempt social engineering or phishing attacks

Bug Bounty & Recognition

We do not operate a public bug bounty program and do not guarantee compensation for reported issues. We may, at our sole discretion, recognize valid reports.

Our Commitment

We review all reports and prioritize issues that could impact the confidentiality, integrity, or availability of customer data.