Security & Compliance
Effective: September 23, 2025
We take the security and privacy of your data seriously. This page explains how ResearchCast is hosted, how we protect your data, and which compliance measures and user controls we provide.
Hosting & Core Providers
Our application runs on reputable cloud infrastructure with industry-standard security controls.
- Application & edge: Vercel.
- Database, auth, object storage: Supabase (managed Postgres, authentication, storage).
- Observability & alerting: Vercel Analytics (edge or runtime metrics).
- Transactional & marketing email: Resend (EU region where available), with SPF, DKIM, and DMARC configured for our domain, one-click List-Unsubscribe headers, and bounce or complaint handling via webhooks.
Providers may change as our architecture evolves; material updates will be reflected here.
Data Residency & Sub-processors
Primary data location: EU regions where supported by our providers.
Encryption: TLS in transit; at-rest encryption is provided by our managed platforms (database and block or object storage).
Sub-processors: We maintain a current list of sub-processors (name, purpose, region) and will provide notice of material changes as required.
Cross-border transfers: Where applicable, we use EU Standard Contractual Clauses (SCCs) with sub-processors outside the EEA.
Resend: email delivery (transactional and marketing); processes recipient identifiers, message headers or subject, and delivery events; EU region where available; SCCs cover any extra-EEA transfers.
Authentication & Session Management
- Primary sign-in: email plus password.
- Password security: Argon2id hashing with per-user salts; minimum length and complexity checks; online rate-limiting and progressive backoff for failed attempts; temporary account lock on brute-force patterns.
- Sessions: secure, HTTP-only cookies; SameSite=Lax (or Strict on sensitive flows); rotation on login, privilege changes, and suspected compromise; short-lived signed media URLs for playback.
- Two-factor authentication (2FA): not yet supported (on roadmap).
- Server-side enforcement: middleware requires authentication on every request to protected routes and sets standard security headers (HSTS, X-Content-Type-Options, Referrer-Policy, frame-ancestors CSP).
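The progressive backoff and temporary lock described above can be implemented as a small per-account throttle consulted before the password check. The following is an added illustration, not ResearchCast's code; the delay base, cap, lock threshold and lock duration are assumed values, since the page does not state them.

```python
"""Failed-login throttle with progressive backoff and temporary lock.

Added example (not ResearchCast's implementation). Policy values below are
assumptions; the page states the pattern but not the numbers.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

BASE_DELAY = 1       # assumed: seconds of backoff after the first failure
MAX_DELAY = 60       # assumed: cap on the backoff delay
LOCK_AFTER = 10      # assumed: consecutive failures before a temporary lock
LOCK_SECONDS = 900   # assumed: 15-minute lock


@dataclass
class _Attempts:
    failures: int = 0
    next_allowed: float = 0.0   # earliest time the next attempt may be evaluated
    locked_until: float = 0.0   # time until which the account is locked


class LoginThrottle:
    """Tracks failed attempts per account. Call check() before verifying a
    password; call record_failure()/record_success() afterwards."""

    def __init__(self) -> None:
        self._state: Dict[str, _Attempts] = {}

    def check(self, account: str, now: float) -> Tuple[bool, str]:
        st = self._state.get(account)
        if st is None:
            return True, "ok"
        if now < st.locked_until:
            return False, "locked"
        if now < st.next_allowed:
            return False, "backoff"
        return True, "ok"

    def record_failure(self, account: str, now: float) -> None:
        st = self._state.setdefault(account, _Attempts())
        st.failures += 1
        # Exponential backoff: 1s, 2s, 4s, ... capped at MAX_DELAY.
        delay = min(BASE_DELAY * 2 ** (st.failures - 1), MAX_DELAY)
        st.next_allowed = now + delay
        if st.failures >= LOCK_AFTER:
            st.locked_until = now + LOCK_SECONDS

    def record_success(self, account: str) -> None:
        # A successful login clears the counter and any pending backoff.
        self._state.pop(account, None)
```

The throttle is keyed by account so that a distributed guessing campaign against one account is slowed regardless of source address; a production deployment would keep this state in a shared store rather than process memory and would also apply a per-source-IP limit.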
Authorization & Access Control
- Least-privilege access for services and staff; production access requires just-in-time elevation and audit logging.
- Row-Level Security (RLS) is enforced at the database layer to restrict access to user-owned rows.
- Secrets management: stored in provider secret managers or environments with restricted scope; rotated on role changes and incident signals.
Private Media & Link Security
- Private by default: episodes are private to the owner's account unless you explicitly enable public visibility.
- Delivery: media is served via short-lived signed URLs (default TTL about 10 minutes), bound to the requesting session or device where possible.
- No "unlisted" links: we do not offer "anyone with the link" sharing in private mode.
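The short-lived, session-bound signed URLs described in this section and under Sessions above can be built with an HMAC over the object path, the session identifier and an expiry timestamp. The following is an added example, not ResearchCast's code; the signing key, the `exp`/`sig` query parameter names and the path layout are assumptions, and only the 10-minute default TTL comes from the page.

```python
"""Short-lived, session-bound signed media URLs.

Added example (not ResearchCast's implementation). SIGNING_KEY and the
query-parameter names are assumptions; in production the key would be loaded
from a secret manager, as the Authorization section describes.
"""
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

SIGNING_KEY = b"example-signing-key-do-not-use-in-production"  # assumed
DEFAULT_TTL_SECONDS = 600  # 10 minutes, the default stated on the page


def _canonical(path: str, session_id: str, expires: int) -> bytes:
    # Everything the signature binds: object path, requesting session, expiry.
    return f"{path}\n{session_id}\n{expires}".encode()


def sign_media_url(path: str, session_id: str, now: Optional[int] = None,
                   ttl: int = DEFAULT_TTL_SECONDS, key: bytes = SIGNING_KEY) -> str:
    """Return path?exp=...&sig=... valid for `ttl` seconds for this session."""
    now = int(time.time()) if now is None else now
    expires = now + ttl
    sig = hmac.new(key, _canonical(path, session_id, expires), hashlib.sha256).hexdigest()
    return f"{path}?{urlencode({'exp': expires, 'sig': sig})}"


def verify_media_url(url: str, session_id: str, now: Optional[int] = None,
                     key: bytes = SIGNING_KEY) -> Tuple[bool, str]:
    """Check signature first (constant-time), then expiry. Any change to the
    path, session or exp value invalidates the signature."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    try:
        expires = int(qs["exp"][0])
        sig = qs["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False, "missing or malformed exp/sig"
    expected = hmac.new(key, _canonical(parsed.path, session_id, expires),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if now > expires:
        return False, "expired"
    return True, "ok"
```

Because the session identifier is part of the signed material but not part of the URL, a copied link presented from another session fails verification, which is what makes the "no unlisted links" property hold for media delivery and not just for the sharing UI.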
Generative AI Use & Transparency
We use LLMs to draft episode scripts and text-to-speech to produce audio. We send only the minimum necessary snippets to providers.
Where supported, we disable provider data retention or training on customer content. We do not use customer content to train our own models.
Transparency: all episodes are labeled as AI-generated, and we embed machine-readable indicators (for example, audio metadata tags).
Content Sourcing, TDM & Licensing Compliance
Lawful access and robots or TDM: our crawler and ingestion services respect robots.txt, site terms, and machine-readable Text-and-Data-Mining (TDM) reservations. If a source signals a TDM opt-out, we do not perform automated analysis.
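A pre-ingestion gate that honours both robots.txt and machine-readable TDM reservations might look like the following. This is an added example, not ResearchCast's crawler code: the user-agent string is assumed, the robots.txt and HTML inputs are constructed inline, and the TDM signals checked are the `TDM-Reservation` response header and the `tdm-reservation` meta tag from the W3C TDMRep community specification (the spec's `/.well-known/tdmrep.json` file is not handled here).

```python
"""Pre-ingestion check: robots.txt plus TDM reservation signals.

Added example (not ResearchCast's crawler). USER_AGENT is assumed; inputs are
passed in as already-fetched text so the check runs offline.
"""
import re
from typing import Dict, Tuple
from urllib.robotparser import RobotFileParser

USER_AGENT = "ExampleResearchBot"  # assumed crawler identity

_META_TAG = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
_ATTR = re.compile(r'([\w-]+)\s*=\s*["\']([^"\']*)["\']')


def robots_allows(robots_txt: str, url: str, agent: str = USER_AGENT) -> bool:
    """True if robots.txt (given as text) permits `agent` to fetch `url`."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch(agent, url)


def _meta_tdm_reserved(html: str) -> bool:
    # <meta name="tdm-reservation" content="1"> in any attribute order.
    for tag in _META_TAG.findall(html):
        attrs = {k.lower(): v for k, v in _ATTR.findall(tag)}
        if attrs.get("name", "").lower() == "tdm-reservation":
            return attrs.get("content", "").strip() == "1"
    return False


def tdm_reserved(headers: Dict[str, str], html: str = "") -> bool:
    """True if the response signals a TDM rights reservation."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    if lowered.get("tdm-reservation") == "1":
        return True
    return _meta_tdm_reserved(html)


def may_ingest(url: str, robots_txt: str, headers: Dict[str, str],
               html: str = "") -> Tuple[bool, str]:
    """Decide whether automated analysis of `url` is permitted, with a reason."""
    if not robots_allows(robots_txt, url):
        return False, "disallowed by robots.txt"
    if tdm_reserved(headers, html):
        return False, "TDM rights reserved"
    return True, "ok"
```

The decision and its reason are worth logging per fetch: the "TDM opt-out violations" alert mentioned under Logging, Monitoring & Incident Response needs exactly this record to detect an ingestion path that bypassed the gate.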
Temporary copies: we create ephemeral working copies strictly for automated analysis and delete them after the processing purpose is fulfilled (subject to minimal backup retention).
Attribution and quotes: episodes are paraphrased summaries. Where quotation is necessary, we limit it to short excerpts with clear citation in the episode notes.
arXiv usage: we harvest metadata (via API or OAI where available) and link full-text back to arXiv; we do not mirror full-text content.
Visibility Modes (Security Posture)
- Private (default): only the owner's account can access the episode.
- Invite-only ("friends"): named account invites only; no re-share and no unlisted links. May be disabled where the source license (for example, ND or NC or arXiv non-exclusive) does not allow further distribution.
Weekly Digest (Email Compliance)
- Consent: double opt-in for subscription emails.
- Unsubscribe: one-click List-Unsubscribe headers and footer links are included in every message.
- Tracking: open-tracking pixels are avoided by default; if enabled, they are used only with explicit consent.
- Links: digest items route through our own redirect endpoints for aggregate counting without client-side identifiers.
Logging, Monitoring & Incident Response
- Application and access logs: minimization by default; typical retention about 30 days for access logs and 7 days for processing logs.
- Media access telemetry: aggregated counters only; no persistent personal identifiers in play URLs.
- Alerting: monitoring for abnormal auth failures, token reuse, TDM opt-out violations, and policy breaches (for example, excessive verbatim overlap).
- Incident response: triage, containment, customer notification (where legally required), and post-mortem review. We maintain playbooks for takedowns, credential compromise, and data-access anomalies.
Backups & Retention
Database and storage backups: managed by Supabase per platform policy; encrypted at rest; access is restricted.
User deletion: when you delete your account, we delete your profile and request purge of user-owned storage. Residual backups may persist for a limited time solely for disaster recovery; they roll off automatically per provider retention schedules.
Working copies: temporary analysis artifacts are deleted after the processing purpose is fulfilled.
GDPR / DSGVO: User Controls & Notices
- Lawful basis: consent for marketing email; legitimate interests or contract for core service operations; consent for non-essential cookies or trackers.
- Cookie banner: essential cookies only by default; non-essential categories are opt-in.
- Consent records: we store versioned consent text, timestamp, and (where permitted) truncated IP to evidence consent.
- Data export and portability: available via the product interface.
- Account deletion: initiates deletion of the profile and user-owned storage as described above.
- DPO or contact: support@research-cast.com.
- Sub-processor list: available on request or at [link].
Illegal Content & EU DSA Notice-and-Action
- Report channel: send notices to support@research-cast.com (or use the in-product form). Include the URL, your rationale, your contact details, and a good-faith statement.
- Our process: we acknowledge receipt, review without undue delay, and may disable, remove, or delist content or adjust visibility. We provide affected users a Statement of Reasons and an internal complaint path.
- No general monitoring: we do not conduct general monitoring; we act on valid notices and clear violations of our terms.
Music, Voices & Third-Party Assets
- Music or jingles: only licensed or rights-cleared assets (for example, GEMA or GVL licensed or royalty-free libraries).
- Voices: we use neutral synthetic voices by default; we do not imitate identifiable real-person voices without consent.
Change Management
We review this page when we materially change hosting, providers, data flows, or compliance posture. The Effective date reflects the latest update.
Reporting Security Issues (Vulnerability Disclosure)
If you believe you have found a vulnerability, email support@research-cast.com. Please include a description, reproduction steps, and impact. We review and respond to good-faith reports and coordinate disclosure. Do not test in ways that could harm service availability or data integrity.
Last reviewed: September 23, 2025.
