Security
Security is structural in blackrim-vox, not a configuration option. The default deployment sends no audio off-device.
OSS security baseline
Local-first by default
The default ASR backend is on-device Whisper. Audio never leaves your machine unless you configure a cloud backend explicitly.
No telemetry
Zero usage telemetry, crash reporting, or analytics. The binary does not phone home. Verify in the source: the network surface is documented in the architecture overview.
BYOK for cloud ASR
When you choose a cloud ASR backend (OpenAI, Deepgram, Replicate, etc.), you supply your own API key. We never see it, store it, or proxy it through our infrastructure in the OSS tier.
Open source audit surface
The full pipeline is Apache 2.0. Inspect every component. Build from source. Run static analysis against your own policy baseline.
Vulnerability reporting
The full security policy (supported versions, disclosure process, and response SLAs) is published in the repository:
SECURITY.md on GitHub
Enterprise controls
The following controls are available on Team and Enterprise tiers only.
Managed audit log
Immutable, append-only event log covering all routing decisions, config changes, and API calls. Retention configurable up to 1 year. SIEM export via webhook.
SSO enforcement
SAML 2.0 SSO (Okta, Azure AD, Google Workspace). Enforce SSO-only login; password auth disabled at the org level. SCIM provisioning.
Network isolation
Private relay endpoints. IP allowlisting. On-premises option with zero egress to Blackrim-Vox infrastructure.
SOC 2 (planned)
SOC 2 Type II audit in scope for the hosted relay and audit-log service. Report will be shared under NDA. Target: Q4 2026.