Information Security
Caption.Ed Compliance and Security
Data Storage and Subprocessors – Where does my data go?
We store all recording data on Google Cloud Platform (GCP), and we’ve configured it to use only UK-based data centers. For other data types, like emails, we work with a handful of trusted subprocessors. They’ve all been thoroughly audited to ensure they meet our strict security standards.
Here’s our list of subprocessors:
- Customer.io – Customer communications (customer.io)
- Google Cloud – Infrastructure provider (cloud.google.com)
- HubSpot – CRM & email (hubspot.com)
- MailerSend – Transactional email (mailersend.com)
- Chameleon – In-app guides (chameleon.io)
- Speechmatics – Speech-to-text engine (speechmatics.com)
- Stripe – Payment processing (stripe.com)
Data Protection and Privacy – How are you protecting my data?
We do collect some basic PII (Personally Identifiable Information), like your email address, to set up your account. Depending on what you’re recording, your session data might also contain PII.
Your data is stored indefinitely, but you’re always in control. You can delete your recordings and sessions in the app at any time. We also support Data Subject Access Requests and can provide a full data export upon contract exit for admin-level requests.
Our Terms & Conditions and Privacy Policy govern all data usage, and you can review them at any time.
How do we know you take this seriously?
We’re committed to keeping your data secure, and we have the certifications to prove it. Caption.Ed is ISO 27001 certified, and all of our audits are aligned with these controls. We also take a proactive approach with penetration testing. We have third-party specialists conduct annual tests, and we run automated weekly scans to catch any potential vulnerabilities. Executive summaries of these tests are available upon request.
The scope of our audits is comprehensive, covering all systems, services, and teams that handle confidential data.
ISO certified and award-winning assistive technology
Can you tell us what controls you have in place?
We protect our systems and your data with multiple layers of security. Our infrastructure is secured with firewalls and intrusion prevention systems, and we use vulnerability scans to regularly check for weaknesses. We manage access to data with strict controls, ensuring that only authorised personnel can access sensitive information. Your data is also logically separated from other users in our database.
Finally, we encrypt all your data both at rest and in transit. We use strong encryption standards to keep your data secure whether it’s stored on our servers or being sent over the internet.
Security Layers
- ▸ Firewalls, Intrusion Detection & Prevention (IDS/IPS)
- ▸ SIEM via GCP Log Analyzer
- ▸ Regular scans via Intruder.io
Access Control
- ▸ Role-based access control (RBAC)
- ▸ Principle of Least Privilege (PoLP)
- ▸ Multi-tenant DB with logical separation by unique keys
Encryption
- ▸ At rest: AES-256 using GCP KMS
- ▸ In transit: TLS 1.2 or higher
- ▸ Key management: Google Cloud KMS (no customer-managed keys currently)
Learn more about
how we protect your data
Still have questions?
We know how important compliance and security are when choosing the right tools for your organisation. If you’ve got more questions about how Caption.Ed keeps your data safe, we’re here to help.