Enterprise-Grade Security & Compliance

Built with security-first principles, Lingua provides enterprise-grade protection for your sensitive data with comprehensive compliance features, end-to-end encryption, and complete audit trails.

Security Highlights

Enterprise-grade security features designed for organisations with strict compliance requirements

  • Enterprise Multi-Tenancy: Database-level isolation ensures complete data separation between tenants
  • End-to-End Encryption: AES-256-CBC encryption at rest and HTTPS/TLS in transit
  • Automatic PII Redaction: Configurable PII detection and redaction for compliance
  • Complete Audit Trail: Immutable logs of all user actions and access
  • SSO & Enterprise Identity: Enterprise single sign-on and identity management integration
  • Data Retention Policies: Configurable retention periods with automatic deletion
  • BYO Encryption Keys: Support for AWS KMS and Azure Key Vault
  • Role-Based Access Control: Granular permissions with hierarchical access control
  • SOC 2 Ready: Architecture designed for SOC 2 compliance
  • GDPR Compliant: Data handling and privacy features for GDPR compliance

Authentication & Identity Management

Secure authentication with enterprise SSO support and multi-factor authentication options.

  • Enterprise SSO: Single sign-on support with email/password, social login, and enterprise identity providers
  • Automatic User Provisioning: Seamless user provisioning and organisation synchronisation
  • Secure Session Management: Industry-standard session handling with secure token management
  • Multi-Factor Authentication: Configurable per organisation with support for industry-standard MFA methods

Multi-Tenancy & Data Isolation

Database-level security ensures complete tenant isolation and prevents cross-tenant data access.

  • Row-Level Security: Database-level policies enforce tenant isolation, preventing any cross-tenant data access
  • Automatic Access Control: Tenant-scoped data access enforced at the database level
  • Session-Based Isolation: Tenant context automatically enforced for all database operations
  • Hierarchical Access Control: Tenant → Projects → Teams → Folders with cascading permissions
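What the row-level security and session-based isolation bullets describe looks roughly like the following on PostgreSQL. This is an added illustration, not Lingua's own schema or code; the table, column and role names are hypothetical and the UUIDs are constructed samples.

```sql
-- Hypothetical tenant-scoped table (not Lingua's schema).
CREATE TABLE transcripts (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    folder_id  uuid NOT NULL,
    body       text NOT NULL
);

-- The application connects as a non-privileged role. RLS is silently bypassed
-- for superusers and for the table owner, so the app role must be neither.
CREATE ROLE lingua_app LOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON transcripts TO lingua_app;

-- Enable RLS and FORCE it so the policy applies even to the table owner.
ALTER TABLE transcripts ENABLE ROW LEVEL SECURITY;
ALTER TABLE transcripts FORCE ROW LEVEL SECURITY;

-- Tenant context travels in a session setting. current_setting(..., true)
-- yields NULL when the setting was never defined, and NULLIF covers the case
-- where an earlier SET LOCAL left it defined but empty. Either way a request
-- that forgot to set the context compares against NULL and sees no rows
-- (fail closed) instead of raising a cast error or seeing every tenant.
CREATE POLICY tenant_isolation ON transcripts
    FOR ALL
    TO lingua_app
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per request, after authenticating the user, the application pins the tenant
-- for the current transaction only. SET LOCAL is undone at COMMIT/ROLLBACK,
-- which prevents context leaking between requests on a pooled connection.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed sample
INSERT INTO transcripts (tenant_id, folder_id, body)
    VALUES ('11111111-1111-1111-1111-111111111111',
            '22222222-2222-2222-2222-222222222222', 'constructed sample transcript');
-- The WITH CHECK clause rejects any INSERT or UPDATE that names another tenant_id.
SELECT id, folder_id FROM transcripts;  -- only this tenant's rows are visible
COMMIT;

-- Defender's check, run as lingua_app outside any pinned transaction:
-- with no tenant context the policy matches nothing and no rows come back.
SELECT id, folder_id FROM transcripts;
```

Rows of any tenant-scoped table that carry no policy are denied by default once RLS is enabled, so a newly added table is closed until a policy is written for it; the check at the end is worth repeating for every such table.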

Authorisation & Access Control

Granular role-based access control with hierarchical permissions for projects, teams, and folders.

  • Role-Based Access: Tenant admin, project owner, team member, and user-level permissions
  • Project-Level Access: Includes access to team folders within projects
  • Team-Level Access: Includes access to team folders
  • User-Level Folders: Private folders with explicit permissions

Data Protection & Encryption

End-to-end encryption protects your data at rest and in transit with enterprise-grade key management.

  • Encryption at Rest: All sensitive data encrypted with AES-256-CBC encryption
  • Per-Tenant Encryption Keys: Each tenant's data encrypted with unique keys managed by a cloud KMS
  • BYO KeyVault Support: Use your own AWS KMS or Azure Key Vault for complete key control
  • Envelope Encryption: Industry-standard envelope encryption pattern for sensitive data
  • Encryption in Transit: All communications protected with HTTPS/TLS encryption
  • Key Management: Cloud-agnostic key management supporting AWS KMS and Azure Key Vault

PII Protection & Privacy

Automatic detection and redaction of personally identifiable information to meet compliance requirements.

  • Automatic PII Redaction: Real-time detection and redaction during transcription processing
  • Configurable PII Types: Support for SSN, bank accounts, credit cards, emails, addresses, names, phone numbers, dates, and more
  • Flexible Output Options: Choose redacted only or both redacted and unredacted versions
  • Cloud Service Integration: Integrated with leading cloud transcription services for comprehensive PII detection
  • Data Retention Policies: Configurable retention periods with automatic deletion after expiration
  • Retention Extension: Extend retention periods when needed with full audit trail
  • Deletion Management: Administrators can view and manage scheduled data deletions

Audit Logging & Compliance

Comprehensive audit trails for compliance, security monitoring, and accountability.

  • Comprehensive Audit Trail: Complete logging of user actions including upload, view, export, delete, permission changes, and resource access
  • Request Context Tracking: IP address and user agent information captured for security analysis
  • Tenant-Isolated Audit Logs: Complete separation of audit data by tenant for security and compliance
  • Advanced Filtering: Filter audit records by user, action, resource type, and date range
  • Administrator-Only Access: Audit logs accessible only to tenant administrators for security
  • Immutable Audit Records: Audit logs cannot be modified or deleted, ensuring compliance and integrity

Input Validation & Sanitisation

Multiple layers of input validation and sanitisation prevent common security vulnerabilities.

  • Comprehensive Input Validation: All user inputs validated with strict rules and type checking
  • Real-Time Validation: Client-side validation gives immediate feedback, while server-side validation enforces the same rules regardless of what the client sends
  • SQL Injection Prevention: Parameterised queries prevent SQL injection attacks
  • XSS Prevention: Automatic output escaping prevents cross-site scripting attacks
  • File Upload Security: Strict validation of file types, sizes, and content for all uploads

CSRF Protection

Automatic protection against cross-site request forgery attacks.

  • Automatic CSRF Protection: All forms and state-changing requests protected with CSRF tokens
  • Secure Session Configuration: Sessions configured with industry best practices for security

Subscription & Access Control

Subscription-based feature access with usage tracking and monitoring.

  • Active Subscription Enforcement: Access to features requires an active subscription
  • Feature Gating: Subscription-based feature access control ensures users only access features included in their plan
  • Usage Tracking: Comprehensive monitoring of transcription, storage, and processing usage

BYO Credentials Security

Secure handling of customer-provided cloud credentials with tenant-specific encryption.

  • Tenant-Specific Encryption: Each tenant's cloud credentials encrypted with unique keys
  • Key Rotation Support: Automated key rotation processes ensure credentials remain secure over time
  • Customer KeyVault Support: Use your own KeyVault for complete control over credential encryption

Webhook Security

Secure webhook endpoints for external integrations and third-party services.

  • Authenticated Webhooks: All webhook endpoints protected with authentication mechanisms
  • Signature Verification: Webhook signature validation ensures requests are authentic and unmodified
  • Secure Webhook Endpoints: Protected routes for external integrations with access controls

Infrastructure Security

Cloud-agnostic architecture with secure configuration and database security.

  • Cloud-Agnostic Architecture: Portable security architecture across AWS and Azure cloud platforms
  • Secure Configuration Management: Credentials and sensitive configuration managed securely through environment-based configuration
  • Database Security: Enterprise-grade database with row-level security, encrypted connections, and strict access controls

Compliance Features

Built-in compliance features to meet regulatory requirements and industry standards.

  • Data Residency Support: Region-based data processing controls to meet data residency requirements
  • GDPR Compliance: Comprehensive data retention, deletion, and audit trail capabilities for GDPR compliance
  • SOC 2 Ready: Architecture designed with comprehensive audit logging, access controls, and encryption for SOC 2 compliance

Security Best Practices

Security-first approach with multiple layers of protection and secure defaults.

  • Principle of Least Privilege: Users only access the data and features they need for their role
  • Defence in Depth: Multiple security layers, including database-level policies, application-level controls, and network security
  • Secure Defaults: Every configuration defaults to its secure setting; weakening it requires an explicit change
  • Regular Security Updates: Continuous monitoring and updates to address security vulnerabilities and maintain compliance

Security Contact & Reporting

We take security seriously and encourage responsible disclosure of security vulnerabilities.

  • Security Contact: Report security vulnerabilities to security@lingua.com.au
  • Responsible Disclosure: We follow responsible disclosure practices and ask researchers to provide reasonable time for remediation before public disclosure
  • Vulnerability Response: We acknowledge security reports within 48 hours and provide regular updates on remediation progress
  • Security Reports: Include detailed information about the vulnerability, steps to reproduce, and potential impact to help us address issues quickly

Technical Security Details

Comprehensive technical security measures protecting your data and infrastructure.

  • TLS Requirements: All connections require TLS 1.2 or higher, with TLS 1.3 preferred for optimal security
  • Certificate Management: SSL/TLS certificates managed with automated renewal and monitoring to prevent expiration
  • Backup Encryption: All backups encrypted with the same encryption standards as production data, stored in geographically distributed locations
  • Disaster Recovery: Comprehensive disaster recovery plan with regular testing, ensuring RTO (Recovery Time Objective) and RPO (Recovery Point Objective) targets are met
  • Security Monitoring: 24/7 security event monitoring with automated alerting and SIEM integration for threat detection and response
  • Intrusion Detection: Network and host-based intrusion detection systems monitor for suspicious activity and potential security threats
  • DDoS Protection: Multi-layered DDoS protection at network and application levels to ensure service availability
  • Rate Limiting: Comprehensive rate limiting on API endpoints and authentication attempts to prevent abuse and brute-force attacks
  • API Security: RESTful APIs protected with OAuth 2.0 authentication, API key management, and request signing for secure integrations

Security Assessments

Regular security assessments and third-party audits ensure our security posture remains strong.

  • Penetration Testing: Annual third-party penetration testing conducted by certified security professionals to identify and remediate vulnerabilities
  • Vulnerability Scanning: Continuous automated vulnerability scanning of infrastructure and applications with regular remediation cycles
  • Third-Party Security Audits: Regular independent security audits by certified third-party firms to validate our security controls and practices
  • Code Security Reviews: Regular security code reviews and static analysis to identify and fix security issues during development
  • Security Assessment Reports: Security assessment reports available to enterprise customers under NDA upon request

Ready to experience enterprise-grade security?

Start your free trial today and see how Lingua protects your sensitive data with comprehensive security and compliance features.