Security isn’t a feature.
It’s the foundation.

Speech-to-text runs on your device

Whisper-base (CoreML, quantized to int4) runs entirely on your iPhone’s Neural Engine. The microphone PCM stream never reaches our servers. Transcripts are decoded chunk-by-chunk into volatile memory and discarded each cycle. No background recording. No idle listening.

Encryption in transit

• TLS 1.3 only · ECDHE+AES-GCM cipher suites · HSTS preloaded
• Certificate pinning in the iOS client for the cue API endpoint
• HTTP→HTTPS upgrade enforced at the edge

What the backend retains

The backend is Cloudflare Workers with Durable Objects for active sessions and Neon Postgres for user accounts only. The only conversation-adjacent data we persist is audit metadata — request ID, timestamp, latency, trigger type, model ID, and the whisper text returned. We retain it for 90 days for billing, model evaluation, and incident response. Then it’s deleted.

Authentication

Clerk handles auth with passkey-first sign-in. Sessions are short-lived JWTs (15 minutes), refreshed silently. Account deletion is one click in the app and propagates to all systems within 24 hours.

Vendor isolation

Each vendor sees the narrowest possible slice. No vendor sees other-party transcripts. Period.

Bug bounty

Email security@hearby.co with reproducible vulnerabilities. We respond within 24 hours, triage within 72, and pay $250–$5,000 for valid reports depending on severity. No 90-day disclosure dance — we patch fast.

Incident response

We have on-call coverage via PagerDuty for the API surface. Public status page lives at status.hearby.co. Material incidents get an email within 72 hours.

What we’ll never do

• Sell or share audit data with advertisers
• Train models on the conversations Hearby observed
• Bypass the on-device STT boundary, ever — it’s a contractual invariant