This page is written for security reviewers, compliance officers, DPA teams, and legal counsel. It states exactly what data Osora processes, where it lives, how secrets and personal data are handled, and who our sub-processors are. For the countersigned legal instruments, see the DPA, Privacy Policy, and Terms.
Last reviewed: July 2026
Hosting region
United States (AWS us-east-1)
Encryption
TLS 1.2+ in transit · AES-256 at rest
Model training
Anthropic & OpenAI don't train on API inputs
Certification
SOC 2 Type I in progress · GDPR & CCPA aligned
Osora is a processor acting on documented customer instructions. Three classes of data flow through the service:
Recording media
Screen video, microphone audio, and periodic vision-frame snapshots captured while a user records a session.
Resides in: Vercel Blob (US), served only through an ownership-gated proxy
Derived company memory
The compiled process, transcript, extracted entities and facts, and their embeddings — what makes memory searchable.
Resides in: Neon Postgres (US-East)
Integration signals
Text pulled from connected tools (e.g. Gmail, Calendar) when a customer enables them — redacted of secrets and PII before storage.
Resides in: Neon Postgres (US-East)
Capture is the most sensitive surface in the product, so redaction is layered — at the endpoint and again on the server — and designed to fail closed. We are candid about the edges: content spoken aloud or shown on screen is processed under the controls below, and residual risk (for example, a secret displayed as static text) is documented rather than hidden.
On-device redaction before upload
In the browser extension, known secrets (API keys, tokens, JWTs) and structured PII (emails, phone numbers, SSNs, card numbers, ID patterns) are detected and redacted at the moment of capture — before any bytes leave the endpoint.
Sensitive-field video curtain
When a high-risk field (password, payment, or government-ID) is focused, the recorded screen is curtained and vision-frame sampling is suspended — on every recorder path — so credentials never enter the video in the first place.
Screenshot masking, fail-closed
Sensitive regions in action screenshots are painted over in the browser before upload. If a mask cannot be rendered, the screenshot is dropped rather than sent.
Server-side defense-in-depth
Transcripts and integration text are scrubbed of secrets and PII again on the server before they are persisted, full-text indexed, embedded, or sent to any AI provider — so redaction does not depend on the client alone.
Consent & a visible recording signal
Recording requires explicit consent, which is logged. A recording indicator is burned into the video itself, so the signal survives even on pages where an on-screen badge cannot be shown.
Tenant-scoped access
Every record is scoped to its organization. Recordings, memory graph, and skills are isolated per tenant and never commingled; media is reachable only via an ownership- or share-token-checked route.
Each sub-processor is engaged under a data-processing agreement. We give advance notice of new sub-processors and an opportunity to object. Enterprise customers may use Bring-Your-Own-Key (BYOK) to keep AI processing within their own provider account.
| Sub-processor | Purpose | Data | Region | Training |
|---|---|---|---|---|
| Neon | Primary application database | Account data, compiled processes, company memory, derived text + embeddings | US — AWS us-east-1 | — |
| Vercel | Application hosting & blob storage | Recording media (screen video, audio, vision frames), screenshots | US | — |
| Clerk | Authentication & user identity | Login identifiers, session tokens | US | — |
| Anthropic | AI processing (default model provider) | Transcripts, vision frames, and event text for process/entity extraction | US | Does not train on API inputs |
| OpenAI | Text embeddings for memory search | Redacted transcript, entity, and integration text | US | Does not train on API inputs |
| Deepgram | Speech-to-text transcription | Recorded / meeting audio | US | — |
| Railway | Meeting-bot worker infrastructure | Meeting audio and vision frames during a live bot session | US | — |
| Sentry | Error monitoring | Application error traces (no recording content) | EU | — |
| Resend | Transactional email | Email address, notification content | US | — |
The service is hosted in the United States (US-East): application compute and the primary database (Neon, AWS us-east-1) are co-located there. Where personal data is transferred from the EEA, UK, or Switzerland, the transfer relies on the European Commission's Standard Contractual Clauses (with the UK and Swiss addenda as applicable). In-region residency for the EU is available to Enterprise customers on request.
Customers set a retention window per organization; when set, sessions and their media blobs are hard-deleted after the window elapses. On request, Osora assists with access, rectification, erasure, and portability. Account deletion removes stored data and its underlying media blobs. On termination, personal data is deleted or returned (default: deletion within 30 days), subject to legal retention requirements. To exercise a right or request a countersigned DPA, email richie@getnolea.com.
Security questions, a vulnerability report, or a completed questionnaire request: richie@getnolea.com. For the marketing overview of our trust posture, see the Security page.
This Trust Center describes controls in effect as of the review date above and is provided for informational purposes; it does not modify any agreement between Osora and its customers. Where this page and an executed agreement differ, the executed agreement governs.