Compliance & privacy
Shunya treats voice as the sensitive PII it is. Every audio file is encrypted in flight and at rest, deleted on completion of processing, and never used to train models. This page lays out the controls in detail.
Certifications
- SOC 2 Type II: Audited security, availability, processing integrity, confidentiality, and privacy controls over a 6-12 month window. Report available under NDA.
- ISO 27001: Accredited Information Security Management System. The 2022 revision adds modern controls for cloud, threat intelligence, and data protection.
- HIPAA: Business Associate Agreement executed for US covered entities. Zero STT Med is the model cleared for PHI.
- GDPR: EU data subject rights honoured: access, rectification, erasure, portability. EU endpoints available on Enterprise.
- CCPA: California Consumer Privacy Act rights supported. Do-not-sell preference honoured.
- RBI: India BFSI deployments use on-prem to meet RBI data localization requirements.
Encryption
| State | Control |
|---|---|
| In transit | TLS 1.3 with strong ciphers. HSTS enabled. No TLS 1.0/1.1. |
| At rest | AES-256-GCM. Envelope encryption with AWS KMS (or HSM for on-prem) for data keys. |
| In processing | Audio is encrypted in memory between service tiers; deleted after transcription completes. |
Data retention
- Audio: encrypted during processing, deleted on transcription completion. No permanent storage of audio.
- Temp files: purged within 24 hours.
- Transcripts: returned in response to your request and not retained by Shunya in the default configuration.
- Usage stats: anonymized, non-identifiable. Retained for billing and capacity planning.
- User deletion: honoured on request. No soft-delete beyond the legal minimum.
Access control
- RBAC on the management plane. Least-privilege defaults.
- MFA enforced for admin and support personnel.
- Audit logging on every privileged action; logs shipped to an immutable store.
- Privilege reviews performed regularly; access revoked on role change or departure.
- 24/7 monitoring via SIEM with alerting on anomalous patterns.
API key hygiene
- Keys are hashed at rest, so Shunya can't recover a forgotten key.
- Create separate keys per environment (dev/staging/prod).
- Rotate on a quarterly schedule or immediately on suspected compromise.
- Revocation takes effect in under 60 seconds globally.
- Enterprise customers can use SCIM / SSO for key lifecycle automation.
Redaction & masking features
Two built-in redaction primitives reduce the blast radius of any transcript leak:
- `enable_profanity_hashing`: Gemini-based profanity detection. Masks offensive language with `****`. Works across languages.
- `hash_keywords`: Deterministic regex-based masking. Pass a JSON list, `["account number","card number","OTP","aadhaar"]`, and matches are replaced with `****` in place.
Subprocessors
Shunya uses a minimal set of subprocessors for hosting, payments, and observability. The full list is part of the DPA (Data Processing Agreement) supplied to Enterprise customers. Advance notice is given of any change to subprocessors.
Asking for specific assurances
- SOC 2 Type II report: available under NDA. Request via Enterprise sales.
- ISO 27001 certificate: public; available on the dashboard.
- HIPAA BAA: standard template, Shunya-initiated; your counsel can redline.
- Penetration test summary: annual third-party test; summary under NDA.
- Data Processing Agreement: standard GDPR-aligned template.
- Sub-processor list: shared with every DPA.
- Vulnerability reports: security@shunyalabs.com. 24-hour acknowledgement under Shunya's responsible-disclosure policy.
- Privacy / data subject requests / general questions: privacy@shunyalabs.com.
Both addresses are listed on Shunya Labs' public Security policy page; note the shunyalabs.com domain.