
Security Policy — Secretary42

Last updated: 30 June 2026

Secretary42 is a desktop dictation application published by insight 42 UG (haftungsbeschränkt). We take the security and privacy of our users seriously and welcome coordinated disclosure of security issues.

This document describes our vulnerability-handling process. Statutory and contractual rights (including the security-update obligations in our Terms of Service and under applicable law) are set out in the Terms of Service; this page explains how to report issues and what we commit to operationally.

Scope

This policy covers:

  • The desktop application — the Electron app, its main/preload/renderer code, the local Whisper transcription pipeline, and the offline licence-token verifier.
  • The licence-minter service — the backend that mints PII-free Ed25519 licence tokens from Paddle webhooks.

Out of scope: third-party services we integrate with but do not operate (e.g. Paddle as Merchant of Record, the Sentry ingestion endpoint) — report those to their respective vendors. Findings that require a jailbroken/rooted device, physical access, or social engineering of our staff are generally out of scope.

Reporting a vulnerability

Please report security issues privately. Do not open a public issue, pull request, or discussion for a suspected vulnerability.

  • Email: security@insight42.com
  • If you do not receive an acknowledgement within a few business days, follow up via support@insight42.com.
  • If you wish to encrypt your report, request our PGP key at the address above.

What to include

  • A clear description of the issue and its security impact.
  • Step-by-step reproduction (proof-of-concept, affected version/commit, OS/arch).
  • Any relevant logs or screenshots with secrets and personal data removed (see below).

Please do NOT include secrets or third-party data

Do not send us, paste into a report, or attach: API keys, tokens, signing keys, webhook secrets, SMTP credentials, or Redis URLs (yours or anyone else’s); raw licence tokens, audio, or transcript content; personal data of third parties, or data obtained by attacking systems you do not own. Redact credentials before sharing logs — if a credential was exposed, tell us that it was and where, not its value.

Our commitment

When you report in good faith under this policy:

  • We will acknowledge receipt and begin triage on a best-effort basis (target: a few business days).
  • We will keep you informed of remediation progress and coordinate a disclosure timeline. We prefer coordinated disclosure and ask for a reasonable window to ship a fix before any public write-up.
  • We will not pursue or support legal action against researchers for good-faith research that respects this policy and applicable law, avoids privacy violations and service degradation, and does not access or modify data beyond what is needed to demonstrate the issue.

We do not currently operate a paid bug-bounty program.

Supported versions and security-update period

We provide security updates for each supported major version of Secretary42 for at least five (5) years from that major version's release, free of charge. These updates remain available for a supported version whether or not your subscription is active during that period: an active subscription is required to use transcription and to receive feature updates and support, but it is not required to receive a security patch for a supported version. The latest stable release on the active update channel is the supported release; users of older versions can upgrade to the latest supported release at no additional charge for security updates.

Version                                                      | Security updates
Latest stable release (active channel)                       | ✅ supported
Earlier releases within their 5-year window                  | ✅ supported until the version's end-of-support date
Versions past their end-of-support date; pre-release builds  | ❌ not supported: upgrade to a supported release

Concrete per-major-version release dates and end-of-support dates will be listed here as GA versions are released; each major version is supported for at least five years from its release.

Security & privacy posture (context for reporters)

By design, Secretary42 minimises the attack and data surface:

  • Local-only transcription — audio and transcripts are not transmitted to insight 42; there is no cloud-transcription fallback.
  • Offline, account-less authorisation — product use is unlocked by an offline Ed25519 licence token verified locally with no network call; the token payload is PII-free by construction and the raw token is never logged or exposed to the renderer.
  • No Paddle API key in the app — the desktop app stores no Paddle customer/subscription/transaction identifiers; payment runs through Paddle as Merchant of Record.
  • Opt-in diagnostics — Sentry is off by default and is not initialised before explicit consent; events are sanitised (no tokens, keys, emails, full paths, audio, transcript, or Paddle identifiers).
  • Hardened Electron — context isolation on, Node integration off in renderers, a narrow preload bridge, IPC sender-origin validation, and navigation/window-open guards.

If you find a case where one of these properties does not hold, that is precisely the kind of report we want.

insight 42 UG (haftungsbeschränkt) · security@insight42.com · Impressum · Terms of Service · Privacy Notice