Hedy App Security Checklist
in progress
f
f
Team, as we all expand the use of Hedy in our professional lives, it would be important to understand and improve overall app security and data privacy policies.
- How / what personal info being synched in the cloud, specifically with audio files, if/how can one opt in or out for it
- if and what encryption is being used and who has/could have access to personal data, and under what circumstances
- If, what and how data is being used to train any models, and if so how can one opt-out
f
f
Thanks, Julian I wasn’t able to access this documentation before, what you shared is extremely helpful. It definitely addresses many of my points.
Here are a few comments and questions based on the documentation provided. As this is truly more of a journey, rather than a issue, I think it would be great to add these into the roadmap as well
- Cloud Sync security
Is content encrypted client-side before upload or only “at rest” on GCP?
What key-management model is used (KMS, HSM, ...)? would you consider adding/supporting a customer-managed keys model?
user set retention cap is great, but could not find this option. same thing for AI analysis. Are backups purged on the same timeline?
2 Third-Party & Cross-Border Processors
Consider publishing a full sub-processor list? specifically what is data retention period for raw or derivative data (and potential implications of that)
Consider offering EU region storage or a signed SCCs/DPA with SCC Module 2 and 3 language (GDPR)
- Authentication/security
consider TOTP/Passkey MFA; add anomaly-based login alerts
consider publishing a formal SOC 2 Type II / ISO 27001 attestation covering vendor risk and change management
add HIPAA/HITECH reqs mentioned into the roadmap. Consider CCPA/CPRA and GDPR
Julian
in progress
Julian
Thanks for the questions, f! We agree that these are really important details. Therefore we documented them in our help docs:
Please take a look and let me know if you think we missed something.