Security at Punkto

Technical overview for DPOs, security teams, and anyone who wants to understand exactly how Punkto handles meeting data. No marketing copy — just the architecture.

The audio promise

Audio is never persisted to the database. On the normal path it is held only in memory for the duration of transcription (a few minutes at most) and then released. The transcript and the AI summary are encrypted with AES-256-GCM in a European database, and the whole chain, infrastructure included, runs in Europe. There is one deliberate exception: if a failure interrupts processing, the raw audio is spooled to disk for at most 24 hours so the job can be retried, then purged automatically. The speech-to-text call is the only point at which audio leaves Punkto's own infrastructure; it travels over TLS to the transcription provider under an EU data processing agreement (see Infrastructure below) and is not retained by Punkto.

Encryption

What                 Mechanism     Detail
Transcripts at rest  AES-256-GCM   Server-managed key per deployment
In transit           TLS 1.2+      All connections, no HTTP fallback
E2E file sharing     AES-256-GCM   Client-generated key in URL fragment, never sent to the server
Passwords            Argon2id      Via Better Auth, never stored in plaintext

Audio & transcript handling

Item                Status      Detail
Audio retention     Zero        Audio held in memory during transcription only, then garbage-collected
Audio storage       None        No write to disk, S3, or any persistent store on the normal path; the 24-hour failure-recovery spool described above is the only exception
Transcript storage  Encrypted   AES-256-GCM, stored in EU database
AI summary storage  Encrypted   Same encryption as transcript

Infrastructure

Component          Where           Detail
Hosting            EU              Hetzner data centre, European jurisdiction
Database           Self-hosted EU  PostgreSQL, European region, no US subprocessor
Real-time sync     Self-hosted EU  Yjs WebSocket server, EU VPS
Video/audio rooms  Self-hosted EU  LiveKit + coturn, EU VPS
AI transcription   EU-routed       Groq primary (EU data processing agreement available)

Access controls

Control              Setting                      Detail
Authentication       Email + 2FA TOTP             Better Auth, 2FA available to all users
Session data         Owner-only                   Transcripts and summaries accessible only to the session host
Board privacy modes  Standard / Ephemeral / E2E   Ephemeral = nothing persisted; E2E = files encrypted client-side
Row-level security   Enabled                      PostgreSQL RLS on all tables, enforced at DB layer

Compliance

Topic                      Status      Detail
GDPR                       Compliant   EU controller, EU processing, DPA available
Data Processing Agreement  Available   Article 28 DPA for Enterprise customers
Data residency             EU          No data transfer to third countries without adequacy decision
Subprocessors              EU-primary  Full list available on request
Breach notification        72h         Supervisory authority within 72 hours of awareness (GDPR Article 33(1)); affected customers per the incident response process below

Zero audio retention — how it works

The audio pipeline is designed so that audio cannot be persisted, by architecture:

  1. Audio arrives as a multipart upload, held in a Node.js memory buffer.
  2. The buffer is streamed to the speech-to-text API over TLS.
  3. Transcript text is returned. The buffer is dereferenced.
  4. The Node.js garbage collector reclaims the memory.
  5. Transcript and AI summary are written to the encrypted database. The audio is not.

On the transcription path there is no fs.writeFile and no s3.putObject call, and the database column that could hold an audio path is never written (it stays NULL). This is verifiable in the codebase; the failure-recovery spool described above is the single deliberate exception and is purged within 24 hours. One caveat for auditors: step 4 is a memory-management detail, not a security control. The garbage collector reclaims a buffer on its own schedule and does not overwrite it, so the bytes can remain readable in the heap until reused. Zero-filling the buffer before dereferencing it is the step that actually removes the audio from memory, and it is the step worth checking for in code review.
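The pipeline above, as an added example that is not Punkto's own code: the speech-to-text client is injected so the code runs offline, `fakeSpeechToText` is a constructed stand-in for the HTTPS call, and the buffer is explicitly zero-filled on every exit path rather than left for the garbage collector.

```javascript
// Added example, not Punkto's code: an in-memory-only transcription step.
// The speech-to-text client is injected so the example runs offline;
// `fakeSpeechToText` is a constructed stand-in for the HTTPS call to the real API.

// Constructed stand-in for the STT provider: returns a transcript for a buffer.
async function fakeSpeechToText(audio) {
  return { text: `transcript of ${audio.length} bytes` };
}

// True when every byte of the buffer is zero (used to verify the wipe).
function isZeroed(buf) {
  return buf.every((b) => b === 0);
}

// Holds the audio only in memory. On every exit path, success or error, the
// buffer is zero-filled before this function's reference is dropped: the
// garbage collector reclaims memory on its own schedule and never overwrites
// it, so the explicit fill is what actually removes the audio from the heap.
async function transcribeInMemory(audioBuffer, speechToText = fakeSpeechToText) {
  if (!Buffer.isBuffer(audioBuffer)) throw new TypeError('expected a Buffer');
  let audio = audioBuffer;
  try {
    // In production this streams the bytes to the STT endpoint over TLS.
    const { text } = await speechToText(audio);
    return { transcript: text, audioBytes: audio.length };
  } finally {
    audio.fill(0); // wipe in place: the caller's reference now points at zeros
    audio = null;  // nothing was written to disk, S3, or the database
  }
}

// Stand-alone run on a constructed sample: transcribe, then confirm the wipe.
const sample = Buffer.from('constructed fake audio bytes');
transcribeInMemory(sample).then((result) => {
  console.log(result.transcript, '| buffer zeroed:', isZeroed(sample));
});
```

Because the wipe sits in `finally`, it also runs when the provider call throws; that is the path on which a naive implementation is most likely to leave a full copy of the audio behind.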

FAQ

Can Punkto employees read my meeting transcripts?

Transcripts are stored encrypted with a server-managed key (see Encryption). That protects against a compromised database or an exposed backup; it does not by itself stop an operator with access to the application server and its key, so the remaining protection is procedural. Decryption is performed only by automated processes (delivery of the summary to the host, webhook dispatch). No employee accesses customer transcript content as part of normal operations, and access for support purposes requires explicit customer consent.

What happens to my data if I delete my account?

Account deletion triggers cascade deletion of all associated boards, recordings, transcripts, and summaries. The deletion is hard, not a soft delete. Backups rotate on a 7-day window, so after 7 days no recoverable copy of your data exists on our infrastructure.

Is the Lean Coffee board content (cards, chat) also encrypted?

Board cards, chat, and action items are stored in plaintext in our EU-hosted PostgreSQL database, protected by row-level security (only you and invited participants can access them). Unlike E2E files, this content is therefore readable by anyone with direct database access. Full end-to-end encryption for collaborative board content is on our roadmap. Files shared in E2E (private) sessions are encrypted client-side.

How does the E2E file sharing work technically?

When you start an E2E (confidential) session, the board generates a random AES-256-GCM key client-side and places it in the URL fragment (the #k=... part). Browsers never send the fragment to the server, so the key stays on the client. Files are encrypted in the browser before upload, the server stores ciphertext only, and a complete database dump would not expose file contents. Two practical consequences: the link itself is the secret, so anyone who obtains it (including via browser history or a shared bookmark) can decrypt the files, and it should be shared out of band; and, as with any browser-delivered E2E scheme, the encryption code still comes from the server, so the guarantee holds against stored-data exposure rather than against a malicious build of the client.

What is your incident response process?

Security incidents are triaged within 4 hours of detection. Affected customers are notified within 72 hours, or sooner if the incident affects data confidentiality. For GDPR purposes, note that the 72-hour clock in Article 33(1) is the controller's deadline for notifying the supervisory authority; where Punkto acts as processor under an Article 28 DPA, Article 33(2) requires notifying the customer without undue delay, which the commitment above is designed to meet. We maintain an incident log and post-mortems for significant events.

Questions or security reports

Security disclosures and DPA requests go to contact@punkto.app. We respond to security reports within 24 hours.
