Straight answer first: we don't have a SOC 2 badge yet — we're an early-stage product and pretending otherwise would tell you more about our marketing than our security. Here is what we actually do, so you can judge for yourself.
Founded by a cybersecurity professional — this page is written by someone who reviews these pages for a living.
All traffic runs over TLS. Live video and audio use WebRTC with DTLS-SRTP — encrypted in transit between every participant and our media infrastructure (LiveKit).
Every table is protected by Postgres Row-Level Security: hosts can only ever read their own events, attendees, transcripts and intent data — enforced at the database layer, not just in app code.
Accounts run on Supabase Auth (the auth layer used by hundreds of thousands of apps): passwords are bcrypt-hashed, sessions are short-lived JWTs, and Google sign-in is available. We never see or store your password.
We don't store card numbers — during early access there is no billing at all. When billing arrives, payments will be handled by a PCI-DSS compliant processor (Stripe); card data will never touch our servers.
Every email sent through Showrunner carries the sender's identity, why the recipient is receiving it, and a working unsubscribe link feeding a global suppression list that hosts cannot bypass. List invites require an explicit lawful-basis confirmation and are rate-capped.
API keys are scoped to one account, rotatable in one click, and validated inside the database. Public pages use anonymous keys that can only do what RLS policies allow. Admin actions are role-gated with self-promotion blocked at the database level.
Recording is always host-initiated and visibly indicated (REC badge for every participant). Recording links are long random URLs; access-controlled storage is on the near-term roadmap.
Hosting on Vercel, database and storage on Supabase (AWS), media on LiveKit Cloud, email via Resend — all SOC 2 audited vendors with their own security programs underneath us.
Private access-controlled recording storage · data-region choice · audit log for workspaces · SOC 2 Type I when the company size justifies the audit rather than the logo.
Security question or a vulnerability to report? asaf@linkedotter.com — reports get a human answer within 48 hours.