Summary
Quick summary 1. Security model 2. When the app talks to a network 3. Secrets, auth, and licensing 4. Team and workspace security 5. Shared responsibility 6. Security contact

Security

Last updated: May 15, 2026

Vocalype keeps a local-first core, but some modern product features rely on remote services. This page explains the security shape of the product as it exists now: local dictation, optional remote AI, account-backed licensing, and server-backed team features.

Quick summary

Audio does not need to be uploaded to Vocalype for local dictation to work. Remote traffic happens for account, license, billing, workspace, updates, model downloads, and any AI feature that uses Vocalype Cloud or another connected provider.

1. Security model

Local core

Core desktop workflows can run locally on your machine, including transcription with local engines and local storage of your settings and history.

Remote layers

Account, subscription, licensing, workspace sync, and some AI features are backed by network services and should be understood as remote components of the product.

  • HTTPS is used for supported remote communications.
  • Authentication tokens are stored in the OS secure store when supported.
  • License state can be cached locally to support offline-valid periods.
  • Machine identifiers used for backend licensing are hashed before transmission.

2. When the app talks to a network

Network activity can occur in several product areas:

  • sign in, token refresh, account management, and subscription status checks
  • license issuance, refresh, entitlement validation, and billing portal access
  • workspace membership and shared asset sync for team plans
  • Vocalype Cloud post-processing, summaries, agent actions, and related AI calls
  • requests to user-configured providers such as Gemini or another compatible API
  • update checks when update checking is enabled
  • first-use download of the meeting diarization model from Hugging Face
  • requests to localhost-based runtimes such as Ollama when you enable local provider integrations

Whether data leaves your device depends on the feature path you use. Some sessions can stay entirely local; others intentionally invoke remote providers.

3. Secrets, auth, and licensing

  • passwords are not intended to be stored in plaintext by Vocalype systems
  • session and provider secrets are stored in OS-backed secure storage when available
  • the app binds license state to a machine identifier and supports online-valid and offline-valid license states
  • billing and payment operations are delegated to Stripe or another designated processor

If you connect third-party providers, the security of those credentials and the provider environment also matters.

4. Team and workspace security

Team plans can store shared templates, snippets, dictionaries, membership data, support contacts, billing contacts, and workspace configuration on remote services. That data is available to authorized members of the workspace according to their role.

If your team enables shared assets or region-based processing settings, that content is part of the workspace service layer and is not purely local.

5. Shared responsibility

We secure the application and service layers we control, but users still need to protect their own devices and accounts.

  • keep your operating system and Vocalype up to date
  • protect your email, password, and payment access
  • review whether a workflow is local, remote, or team-shared before processing sensitive information
  • understand the privacy and security posture of any third-party provider you connect

6. Security contact

For security, privacy, compliance, or responsible disclosure questions: security@vocalype.com.