Where your data lives
All recordings, photos, transcripts, and chapters are stored in AWS Frankfurt, Germany. Our application and database servers run in Hetzner Falkenstein, Germany. Error monitoring (Sentry), product analytics (PostHog), and CDN routing (Cloudflare) all stay within the European Union. Your data does not leave EU jurisdiction.
How your recordings are encrypted
Every audio file, video, and photo is encrypted at rest with a customer-managed key we control. The key lives in AWS's hardware security modules in Frankfurt - its policy is written so only our application servers can decrypt object content. No third-party security scanner, analytics tool, or vendor can read your recordings. Our database disk is LUKS-encrypted; even physical access to the volume would not expose content. All connections to our services use TLS.
Who can read your stories
Only you and the family members you invite. Our application servers process audio with AI (Anthropic Claude via AWS Bedrock EU) to draft chapters - the resulting drafts are visible to your invited family for editing. We've explicitly walled off all third-party tools at the bucket-policy and KMS-key-policy layers - they see configuration metadata, never object content.
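One way to check the key-policy claim above (only application servers can decrypt, while third-party tools see metadata), as an added example that is not the company's own code or policy. The account ID, role names and sample policy are constructed placeholders, and the check reads only the key policy itself, ignoring Condition blocks, KMS grants and IAM-side policies.

```python
from fnmatch import fnmatchcase

# Constructed sample key policy; the account ID and role names are placeholders.
ACCOUNT = "111122223333"
APP_ROLE = f"arn:aws:iam::{ACCOUNT}:role/app-server"
SCANNER_ROLE = f"arn:aws:iam::{ACCOUNT}:role/posture-scanner"

KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppDecrypt", "Effect": "Allow",
         "Principal": {"AWS": APP_ROLE},
         "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"},
        {"Sid": "ScannerMetadataOnly", "Effect": "Allow",
         "Principal": {"AWS": SCANNER_ROLE},
         "Action": ["kms:DescribeKey", "kms:GetKeyPolicy", "kms:List*"],
         "Resource": "*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    return [x for v in p.values() for x in _as_list(v)]

def _covers_decrypt(stmt):
    # Action patterns are case-insensitive and may use * and ? wildcards,
    # so "kms:*" and "*" both grant Decrypt while "kms:List*" does not.
    actions = _as_list(stmt.get("Action", []))
    return any(fnmatchcase("kms:decrypt", a.lower()) for a in actions)

def decrypt_principals(policy):
    """Principals this key policy allows to call kms:Decrypt (simplified)."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy["Statement"]):
        if _covers_decrypt(stmt):
            target = allowed if stmt["Effect"] == "Allow" else denied
            target.update(_principals(stmt))
    return set() if "*" in denied else allowed - denied

def unexpected_decryptors(policy, expected):
    """Anything returned here can read object content but is not on the allow-list."""
    return sorted(decrypt_principals(policy) - set(expected))
```

An account-root principal with `kms:*` is reported as well, which is intended: that statement hands the decision to IAM policies, so the key policy alone no longer bounds who can decrypt.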
Backups & durability
Every database change is archived continuously - we can restore to any point in the last 7 days. A full database snapshot runs nightly. Every file in storage has version history, so accidental overwrites stay recoverable.
Audit & access control
Every system has its own credentials - no master key opens everything. We follow least-privilege access: the backup service can write backups but cannot read them; emergency recovery uses a separate, audited account. Every infrastructure operation is logged via AWS CloudTrail.
What we don't claim
We're a small team. We have not pursued formal certifications - we are NOT SOC 2 certified, NOT ISO 27001 certified, and we don't have a third-party GDPR audit on file. We've followed industry best practices for data residency, encryption, access control, backups, and audit logging. If you have a specific compliance requirement, please reach out.
Our infrastructure partners
- AWS (Frankfurt) - encrypted storage, encryption keys, audit logging
- Hetzner (Falkenstein, Germany) - application and database servers
- Anthropic via AWS Bedrock EU - AI processing (Claude)
- Sentry (Germany) - error monitoring
- PostHog (EU) - product analytics
- Cloudflare (EU IDC) - DDoS protection, caching
- Sola Security - continuous security posture monitoring (read-only, walled off from object content)
Security questions?
Found a vulnerability or have a security concern? Reach out at [email protected]
