Our principles
- Default to local. Anything that can run on your Mac should.
- Store nothing we don't need. Especially not audio or transcripts.
- Encrypt everything in motion and at rest. No exceptions.
- Make it auditable. The dictation engine is open source. You can read it.
- Fail closed. If something is wrong, rekody stops — it doesn't silently ship your audio somewhere unexpected.
Local-first by design
The rekody CLI — the open-source core — runs entirely on your Mac. Audio capture, voice activity detection, transcription, optional cleanup, and text injection all happen in-process. There is no phone-home, no silent telemetry, no background task that sends data out.
rekody Pro is a desktop app built on the same engine. It adds cloud features for premium engines and managed infrastructure. When you use Pro, we act as a thin forwarder between your Mac and the AI provider. See zero retention for exactly what happens to that traffic.
Zero retention for audio and transcripts
When you dictate through Pro, audio is streamed to our servers over TLS, immediately forwarded to the transcription provider, and the transcript is streamed back to your Mac. Audio lives in memory only for the duration of the request — never written to disk, never logged, never replicated. Transcripts pass through the same way and are dropped the moment the stream ends.
We log the timestamp of the request, the engine used, the duration (for metering), and an opaque request ID. We do not log the audio, the transcript, the partial result, or any content derived from either.
We select upstream AI providers that contractually commit to not training on our traffic, and we choose zero-retention options where the provider offers them. Where a provider does not offer zero retention for a specific engine, we disclose that in the app before you enable it.
Encryption
In transit: all traffic between the app and our servers uses TLS 1.3 with modern cipher suites. TLS 1.2 is the lowest version we accept, weak cipher suites are disabled, and HSTS is enabled. Certificates are issued via Let's Encrypt or our CDN provider and rotated automatically.
At rest: all data stored in our databases, object stores, and backups is encrypted with AES-256 by our hosting provider. Keys are managed by a hardware-backed KMS and rotated on a schedule.
On your Mac: API keys and license tokens are stored in the macOS Keychain, not plaintext config files. The service identifier is com.rekody.voice so you can inspect what's there with security find-generic-password -s com.rekody.voice.
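The in-transit paragraph above states a policy (TLS 1.2 floor, weak suites off, HSTS on) without showing what enforcing it looks like. The following is an added example, not rekody's server code, written in Go because its standard library carries a TLS stack; it puts a hardened configuration next to a deliberately weak one and adds a policy check that can run in CI so a later edit cannot quietly re-enable TLS 1.0 or a CBC suite. The 2-year HSTS max-age and the specific suite list are assumptions, not values from the page. Note that Go fixes the TLS 1.3 suites itself, so the configurable list only governs TLS 1.2 clients.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
)

// allowedSuites are the TLS 1.2 suites a hardened server still offers: ECDHE
// key exchange (forward secrecy) with AEAD ciphers only. Assumed list.
var allowedSuites = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
}

// HardenedTLSConfig encodes the stated policy: TLS 1.3 where the client
// supports it, TLS 1.2 as the floor, no weak suites.
func HardenedTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion:       tls.VersionTLS12,
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
		CipherSuites:     allowedSuites,
	}
}

// WeakTLSConfig is the contrasting "before": TLS 1.0 still accepted and a
// static-RSA CBC suite with no forward secrecy still offered.
func WeakTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS10,
		CipherSuites: []uint16{
			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// CheckPolicy lists every way a config falls short of the policy. An empty
// result means it complies; anything else should fail the build.
func CheckPolicy(c *tls.Config) []string {
	var problems []string
	if c.MinVersion < tls.VersionTLS12 {
		problems = append(problems, "MinVersion is not pinned to TLS 1.2 or higher")
	}
	allowed := map[uint16]bool{}
	for _, id := range allowedSuites {
		allowed[id] = true
	}
	for _, id := range c.CipherSuites {
		if !allowed[id] {
			problems = append(problems, "disallowed cipher suite "+tls.CipherSuiteName(id))
		}
	}
	return problems
}

// WithHSTS adds Strict-Transport-Security so browsers keep using HTTPS for
// this host. It only has meaning on responses that were served over TLS.
func WithHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
		next.ServeHTTP(w, r)
	})
}

func main() {
	fmt.Println("hardened config problems:", CheckPolicy(HardenedTLSConfig()))
	fmt.Println("weak config problems:    ", CheckPolicy(WeakTLSConfig()))
	// In a real deployment (certificate paths are placeholders):
	// srv := &http.Server{Addr: ":443", TLSConfig: HardenedTLSConfig(), Handler: WithHSTS(mux)}
	// srv.ListenAndServeTLS("/path/to/fullchain.pem", "/path/to/privkey.pem")
}
```

Running the block prints an empty problem list for the hardened config and two findings for the weak one (the TLS 1.0 floor and the CBC suite). Wiring CheckPolicy into a unit test is the cheap way to turn the prose policy into something a pull request cannot silently regress.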
Authentication
We use a dedicated authentication provider for login. Passwords are salted and hashed with a memory-hard algorithm (Argon2id or bcrypt, per our provider's current default). We support Sign in with Google and Sign in with Apple; we do not use passwordless magic links for account creation because they introduce account-takeover paths we haven't fully characterized yet.
Two-factor authentication (TOTP) is available for all paid accounts. We strongly recommend enabling it.
Licensing
Pro uses short-lived cryptographically signed license tokens bound to your account, re-validated regularly when your device is online. Devices tolerate reasonable periods offline without losing access, so airplane time doesn't lock you out.
Signing keys are held in hardware-backed key management and never touch application servers. If a key is ever suspected of being compromised, we rotate it and all devices revalidate on their next online check. Revocation is eventually consistent.
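The two paragraphs above describe the properties of the license token scheme (short-lived, signed, account-bound, tolerant of offline periods, revocable by key rotation) but not how a device enforces them. The block below is an added example, not rekody's licensing code, in Go because its standard library includes Ed25519. The token layout, the claim names, the seven-day offline grace and the five-minute clock-skew allowance are assumptions for illustration; the page gives none of those values. What it does show faithfully is the fail-closed shape: the device looks the key ID up in a keyring first, so a revoked key rejects the token before anything else is examined, and every error path grants nothing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// LicenseClaims is the signed payload of a token. Field names are assumed.
type LicenseClaims struct {
	AccountID string `json:"account_id"`
	DeviceID  string `json:"device_id"`
	IssuedAt  int64  `json:"iat"` // unix seconds
	ExpiresAt int64  `json:"exp"` // unix seconds; tokens are short-lived
	KeyID     string `json:"kid"` // which signing key the device must use
}

// Keyring maps key IDs to trusted public keys. Rotation adds a new kid;
// revocation deletes one, after which its tokens fail verification.
type Keyring map[string]ed25519.PublicKey

// OfflineGrace is how long past "exp" a device keeps working without being
// able to reach the license server. Assumed value ("reasonable period").
const OfflineGrace = 7 * 24 * time.Hour

// MaxClockSkew tolerates a slightly fast device clock when checking "iat".
const MaxClockSkew = 5 * time.Minute

var enc = base64.RawURLEncoding

// IssueToken runs server-side: serialise the claims and sign them with the
// private half of the key named in claims.KeyID.
func IssueToken(priv ed25519.PrivateKey, claims LicenseClaims) (string, error) {
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	sig := ed25519.Sign(priv, payload)
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(sig), nil
}

// VerifyToken runs on the device. Any error means no access; there is no
// "probably fine" branch.
func VerifyToken(ring Keyring, token string, now time.Time) (LicenseClaims, error) {
	var claims LicenseClaims
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return claims, errors.New("malformed token")
	}
	payload, err := enc.DecodeString(parts[0])
	if err != nil {
		return claims, fmt.Errorf("bad payload encoding: %w", err)
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil {
		return claims, fmt.Errorf("bad signature encoding: %w", err)
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return LicenseClaims{}, fmt.Errorf("bad claims: %w", err)
	}
	// Key lookup comes first: an unknown or revoked kid rejects the token
	// regardless of what the claims say.
	pub, ok := ring[claims.KeyID]
	if !ok {
		return LicenseClaims{}, fmt.Errorf("unknown or revoked signing key %q", claims.KeyID)
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, payload, sig) {
		return LicenseClaims{}, errors.New("signature verification failed")
	}
	if time.Unix(claims.IssuedAt, 0).After(now.Add(MaxClockSkew)) {
		return LicenseClaims{}, errors.New("token issued in the future")
	}
	if now.After(time.Unix(claims.ExpiresAt, 0).Add(OfflineGrace)) {
		return LicenseClaims{}, errors.New("token expired and offline grace exhausted")
	}
	return claims, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	ring := Keyring{"2024-q4": pub}
	now := time.Now()
	tok, _ := IssueToken(priv, LicenseClaims{
		AccountID: "acct_demo", DeviceID: "mac_demo", KeyID: "2024-q4",
		IssuedAt: now.Unix(), ExpiresAt: now.Add(24 * time.Hour).Unix(),
	})
	_, err = VerifyToken(ring, tok, now)
	fmt.Println("online check:     ", err)
	_, err = VerifyToken(ring, tok, now.Add(24*time.Hour+OfflineGrace+time.Hour))
	fmt.Println("long offline:     ", err)
	delete(ring, "2024-q4") // key rotated out after a suspected compromise
	_, err = VerifyToken(ring, tok, now)
	fmt.Println("after revocation: ", err)
}
```

The "eventually consistent" revocation the page mentions falls out of this design: a device that is offline keeps trusting the old kid until its next successful check refreshes the keyring, bounded by OfflineGrace.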
Infrastructure
rekody Pro runs on a small set of reputable cloud providers. We keep the vendor count minimal on purpose — every sub-processor is another place your data could sit, so we add them carefully.
Key practices:
- Production secrets live in a secrets manager, not in code, not in env files.
- Production access is restricted to named operators, gated by hardware-key MFA.
- Databases are isolated in private subnets and never reachable from the public internet.
- All production changes flow through code review and a deploy pipeline — no one SSHes into a box and edits a file.
- Logs are structured, ship to a dedicated log store, and carry no user content. Retention is 30 days.
- Automated backups run daily with a 30-day retention and are encrypted at rest.
Code signing and updates
Every rekody Pro release is:
- Built in a clean, ephemeral CI environment from a tagged git commit.
- Signed with an Apple Developer ID certificate.
- Notarized by Apple and stapled before distribution.
- Shipped with the macOS hardened runtime enabled and entitlements restricted to what the app actually needs (Microphone, Accessibility, Network).
Auto-update uses Tauri's signed-update mechanism: updates are verified against an Ed25519 public key embedded in the app before they are applied. We cannot ship a malicious update to your Mac even if our release server were compromised — the signature check happens on your machine.
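The paragraph above gives the security argument for signed updates: the release server can be compromised, but the check runs on the user's machine against a key the attacker does not hold. The block below is an added example of that argument, not Tauri's updater or rekody's code, in Go because its standard library includes Ed25519; the manifest layout is assumed and is not Tauri's format. It goes one step beyond the page by also refusing downgrades, since a replayed, correctly signed manifest for an older release is the other thing a compromised server could serve.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// UpdateManifest describes one release. Assumed format for this example.
type UpdateManifest struct {
	Version   string // e.g. "1.4.2"
	SHA256    string // hex digest of the update archive
	Signature string // base64 Ed25519 signature over SignedBytes()
}

// SignedBytes is the canonical message the release key signs. It binds the
// version to the archive digest so neither can be swapped independently.
func (m UpdateManifest) SignedBytes() []byte {
	return []byte(m.Version + "\n" + m.SHA256)
}

// SignManifest runs in the release pipeline, the only place the private key exists.
func SignManifest(priv ed25519.PrivateKey, version string, archive []byte) UpdateManifest {
	sum := sha256.Sum256(archive)
	m := UpdateManifest{Version: version, SHA256: hex.EncodeToString(sum[:])}
	m.Signature = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, m.SignedBytes()))
	return m
}

// parseVersion turns "1.4.2" into [1 4 2].
func parseVersion(v string) ([]int, error) {
	fields := strings.Split(v, ".")
	out := make([]int, 0, len(fields))
	for _, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil || n < 0 {
			return nil, fmt.Errorf("invalid version component %q", f)
		}
		out = append(out, n)
	}
	return out, nil
}

// isNewer reports whether candidate is strictly newer than installed.
func isNewer(candidate, installed string) (bool, error) {
	a, err := parseVersion(candidate)
	if err != nil {
		return false, err
	}
	b, err := parseVersion(installed)
	if err != nil {
		return false, err
	}
	for i := 0; i < len(a) || i < len(b); i++ {
		var x, y int
		if i < len(a) {
			x = a[i]
		}
		if i < len(b) {
			y = b[i]
		}
		if x != y {
			return x > y, nil
		}
	}
	return false, nil // equal versions are not an upgrade
}

// VerifyUpdate runs on the user's Mac with the public key embedded in the app.
// The caller applies the update only when this returns nil.
func VerifyUpdate(pub ed25519.PublicKey, installed string, m UpdateManifest, archive []byte) error {
	// 1. The manifest must carry a signature from the embedded key. A server
	//    that was compromised can serve any bytes but cannot produce this.
	sig, err := base64.StdEncoding.DecodeString(m.Signature)
	if err != nil || !ed25519.Verify(pub, m.SignedBytes(), sig) {
		return errors.New("manifest signature invalid")
	}
	// 2. The downloaded archive must match the digest the signature covers.
	sum := sha256.Sum256(archive)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("archive digest does not match signed manifest")
	}
	// 3. No rollback: a genuine but older manifest must not reinstall a
	//    version with known bugs.
	newer, err := isNewer(m.Version, installed)
	if err != nil {
		return fmt.Errorf("bad version: %w", err)
	}
	if !newer {
		return fmt.Errorf("refusing to move from %s to %s", installed, m.Version)
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	archive := []byte("constructed update archive bytes") // stand-in for the real bundle
	m := SignManifest(priv, "1.4.2", archive)
	fmt.Println("genuine update:       ", VerifyUpdate(pub, "1.4.1", m, archive))
	fmt.Println("tampered archive:     ", VerifyUpdate(pub, "1.4.1", m, []byte("tampered")))
	fmt.Println("replayed old manifest:", VerifyUpdate(pub, "1.4.2", m, archive))
}
```

The order of the checks matters less than the fact that all three are mandatory; the point the page makes is that none of them depends on trusting the server that delivered the bytes.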
Supply chain
The Rust workspace uses pinned dependencies via Cargo.lock, which is checked into the repo. CI runs cargo audit on every build to flag known vulnerabilities in our dependency tree, and cargo deny enforces our license and source policies.
We minimize the dependency count deliberately. Every new crate is weighed against what we'd have to write ourselves, because every dependency is a supply-chain surface.
Open source means auditable
The entire dictation engine — audio capture, VAD, STT adapters, LLM adapters, text injection, hotkey handling — is MIT-licensed and published at github.com/rekody/rekody. You can read the code that listens to your microphone. You can compile it yourself. You can run it air-gapped.
The closed-source surface in rekody Pro is small: the account, licensing, billing, and proxy layer. Everything that touches your voice is open.
Reporting a vulnerability
If you think you've found a security issue, email security@rekody.com. Please do not open a public GitHub issue for security reports.
What we ask:
- Give us a reasonable window to investigate and fix before public disclosure — typically 90 days, earlier if the issue is fixed sooner.
- Don't test against other people's accounts or data.
- Don't run denial-of-service or volumetric tests against our infrastructure.
What we commit to:
- Acknowledge your report within 3 business days.
- Keep you updated as we investigate.
- Credit you in release notes when the fix ships, if you want the credit.
- Not pursue legal action against good-faith researchers who follow this policy.
We don't currently run a paid bug bounty. We may introduce one later.
Incident response
If we experience a security incident that affects your data, we will notify affected users by email within 72 hours of confirming the impact, publish a post-incident writeup on our blog, and — where required by law — notify the appropriate data-protection authority.
Given our zero-retention stance on audio and transcripts, the most sensitive data we hold is billing-adjacent metadata (email, plan, usage counts) and authentication state. Our incident playbook reflects that threat model.
Compliance posture
rekody is a small, early-stage product. We have not completed a SOC 2 audit yet. We follow the control areas a SOC 2 Type II audit covers — access control, change management, monitoring, backup, vendor management — and we plan to pursue formal certification once our customer base calls for it.
For GDPR, UK GDPR, and California CCPA/CPRA, see the privacy policy. We honor data subject rights globally regardless of your location.
Contact
Security disclosures: security@rekody.com
Privacy questions: support@rekody.com
General support: hi@rekody.com
We plan to publish a PGP key for encrypted security reports as the disclosure channel matures. Until then, reach us at security@rekody.com and we'll coordinate a secure channel if your report requires one.