Security

How we protect your data and credentials at every layer.

Transport Security

All communication with the Svara API is encrypted using HTTPS with TLS 1.3. Unencrypted HTTP is not supported: any HTTP request is redirected to HTTPS. Older TLS versions (1.0, 1.1) are disabled.

API Key Security

API keys are hashed at rest using SHA-256. We never store your API key in plaintext — your key is shown once at creation and cannot be retrieved afterward. If you lose your key, you can rotate it from your dashboard, which invalidates the old key and generates a new one.

API keys should be stored as environment variables or in a secrets manager. Never commit API keys to version control or include them in client-side code.

Audio Processing

Audio files are processed entirely in memory. Generated audio is never written to persistent storage. After delivery to the target platform, audio data is immediately purged from memory. The entire lifecycle — generation, encoding, delivery, deletion — completes within 60 seconds.

Platform Credentials

When you pass platform credentials (LinkedIn session cookies, Telegram bot tokens, etc.) to the Svara API, those credentials are passed through to the target platform and never stored. Credentials exist in memory only for the duration of the API request and are discarded immediately after the voice note is delivered.

We do not log, cache, or persist platform credentials in any form. Your session tokens are used exactly once for the delivery request and then garbage collected.

Webhook Signatures

All webhook payloads sent from Svara include an HMAC-SHA256 signature in the X-Svara-Signature header. You should verify this signature on your server to confirm the webhook originated from Svara and hasn't been tampered with.

Your webhook signing secret is available in your dashboard. Rotate it at any time if compromised.
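
One way to perform this check on the receiving server, as an added example (not Svara's own code). It assumes the header carries the hex-encoded HMAC-SHA256 of the raw request body, which this page does not specify; the secrets and payload are constructed, and accepting a list of secrets covers the overlap window while a rotated secret rolls out.

```python
import hashlib
import hmac
from typing import Iterable, Mapping, Optional

SIGNATURE_HEADER = "X-Svara-Signature"  # header name given on this page

# Constructed sample values for illustration only (not real Svara data).
SAMPLE_SECRET = "example-current-signing-secret"
SAMPLE_OLD_SECRET = "example-previous-signing-secret"
SAMPLE_BODY = b'{"event":"example","id":"evt_constructed"}'


def sign_body(secret: str, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 of the raw body (assumed encoding, see lead-in)."""
    return hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()


def _get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    # HTTP header names are case-insensitive, so do not index the dict directly.
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def verify_webhook(raw_body: bytes, headers: Mapping[str, str],
                   secrets: Iterable[str]) -> bool:
    """Return True only if the signature matches one of the active secrets.

    raw_body must be the bytes exactly as received. Re-serialising parsed
    JSON changes whitespace or key order and makes valid signatures fail.
    """
    received = _get_header(headers, SIGNATURE_HEADER)
    if not received:
        return False  # unsigned requests are rejected, never passed through
    try:
        received_mac = bytes.fromhex(received)
    except ValueError:
        return False  # malformed header value
    matched = False
    for secret in secrets:
        expected = bytes.fromhex(sign_body(secret, raw_body))
        # compare_digest runs in constant time, so response timing does not
        # reveal how many leading bytes of a forged signature were correct.
        matched |= hmac.compare_digest(expected, received_mac)
    return matched
```

Call verify_webhook before parsing the payload, and respond with an error status when it returns False.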

Infrastructure

  • Hosted on isolated cloud infrastructure with network-level segmentation
  • Database connections encrypted in transit
  • Automated security patching for all dependencies
  • Access to production systems restricted to key personnel with MFA

Compliance

GDPR

Fully compliant. UK-based company operating under UK GDPR and the Data Protection Act 2018. Data processing agreements available on request.

SOC 2

On our roadmap. We are implementing the controls and processes required for SOC 2 Type II certification. Contact us for our current security posture documentation.

Responsible Disclosure

If you discover a security vulnerability in the Svara API or website, please report it responsibly. Contact us at hello@svarapi.io. We will acknowledge your report within 24 hours and work with you to resolve the issue.

Please do not publicly disclose vulnerabilities before we've had a chance to address them.

Contact

For security-related inquiries: hello@svarapi.io
