Security
Last updated: May 2026 · Questions? support@myntlo.com
01 Authentication
Myntlo uses a secure, session-based authentication system built on NextAuth.js with JWT tokens. Passwords are hashed with bcrypt before storage — plaintext passwords are never stored or logged.
- Email verification: new accounts require email confirmation before access is granted.
- Two-factor authentication (2FA): users may enable TOTP-based 2FA using any compatible authenticator app. Backup codes are generated at setup and stored hashed.
- Account lockout: repeated failed login attempts trigger a temporary account lockout to defend against brute-force attacks.
- Session management: authenticated sessions are stored as signed JWTs. Users can review and terminate active sessions from their account settings.
- Password resets: reset links are single-use, time-limited tokens sent to the verified email address on the account.
02 Secure File Uploads
Meeting recordings are never sent through Myntlo's application servers. Instead, we use a presigned URL pattern:
- The client requests a short-lived, pre-signed upload URL from Myntlo's API (valid for 15 minutes).
- The client uploads the file directly to private cloud storage using that URL. Myntlo servers never see the raw bytes.
- File type (MIME) and size are validated server-side before the presigned URL is issued. Only audio and video formats up to 500 MB are accepted.
- After upload, the client calls a completion endpoint. A processing job is enqueued and the upload URL is discarded.
This design limits exposure: if the application layer were ever compromised, it could not access the raw audio files in transit.
03 Storage
Meeting recordings and associated files are stored in private cloud object storage (such as AWS S3 or Cloudflare R2). Files are:
- Private by default: no public URLs are generated. All access requires a signed, time-limited download URL generated by Myntlo's backend.
- Org-scoped paths: files are stored under paths that include the organization ID, preventing cross-organization access even in the event of a misconfiguration.
- Encrypted at rest: storage providers encrypt data at rest using AES-256 by default.
- Encrypted in transit: all transfers use HTTPS/TLS.
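The upload flow in section 02 and the org-scoped paths above, as an added example that is not Myntlo's own code: a server-side gate that validates type and size before any presigned URL is issued and derives the object key from the session's organization. The function name, key layout, org ID format and return shape are assumptions.

```javascript
// Added example; names, key layout and return shape are assumptions.
// Works under CommonJS (require) and ESM (global Web Crypto).
const nodeCrypto = typeof require === 'function' ? require('node:crypto') : globalThis.crypto;

const MAX_BYTES = 500 * 1024 * 1024;    // page's 500 MB cap, read here as 500 MiB (assumption)
const URL_TTL_SECONDS = 15 * 60;        // 15-minute presigned URL lifetime from the page
const ORG_ID = /^[A-Za-z0-9_-]{1,64}$/; // assumed organization ID format

// Decide whether to issue a presigned upload URL, and for which object key.
// `session` is the verified server-side session; `body` is untrusted client input.
function authorizeUpload(session, body) {
  if (!session || typeof session.orgId !== 'string' || !ORG_ID.test(session.orgId)) {
    return { ok: false, status: 401, error: 'no authenticated organization' };
  }
  const { contentType, sizeBytes } = body || {};
  // Normalise "Audio/MPEG; codecs=mp3" to "audio/mpeg" before matching.
  const mime = String(contentType || '').split(';')[0].trim().toLowerCase();
  if (!/^(audio|video)\/[a-z0-9][a-z0-9.+-]*$/.test(mime)) {
    return { ok: false, status: 415, error: 'only audio and video uploads are accepted' };
  }
  if (!Number.isSafeInteger(sizeBytes) || sizeBytes <= 0) {
    return { ok: false, status: 400, error: 'sizeBytes must be a positive integer' };
  }
  if (sizeBytes > MAX_BYTES) {
    return { ok: false, status: 413, error: 'file exceeds the 500 MB limit' };
  }
  // The key uses only the session's org ID and a server-generated UUID.
  // Client-supplied file names or org IDs never reach the path, so "../"
  // sequences and another organization's prefix cannot be requested.
  const key = `orgs/${session.orgId}/recordings/${nodeCrypto.randomUUID()}`;
  return {
    ok: true,
    // Parameters for the storage SDK's presigner. Passing the validated type
    // and length lets the presigner bind them where the provider supports it.
    presign: {
      method: 'PUT',
      key,
      contentType: mime,
      contentLength: sizeBytes,
      expiresInSeconds: URL_TTL_SECONDS,
    },
  };
}
```

The returned `presign` object is what a route handler would pass to its storage client; any `orgId` or file name in the request body is ignored by design.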
04 Access Controls
Myntlo enforces strict access controls at every API boundary:
- Organization isolation: all data is scoped to an organization. Users can only access meetings, transcripts, decisions, and action items belonging to organizations they are members of.
- Role-based access: organizations have Admin and Member roles. Only Admins can invite or remove members, edit organization settings, and delete the organization.
- Server-side enforcement: access checks are performed on the server for every request. Client-side UI state is never trusted as an access control mechanism.
- Audit logging: key actions — such as uploads, exports, share link creation, and member management — are recorded in an audit log.
- Shared links: meeting share links use unpredictable UUID tokens. Shared views are read-only and show only summary content. Links can be revoked at any time.
05 Data Retention
We retain data only as long as needed for the service and our legal obligations:
- Meeting recordings: kept until deleted by the user or organization owner, or upon account deletion.
- Transcripts and insights: kept alongside the meeting record and deleted with it.
- Account data: kept while the account is active.
- Error and application logs: typically retained for up to 90 days. Logs do not contain meeting audio content, raw transcripts, or authentication secrets.
- Billing records: retained as required for tax, accounting, and legal compliance, even after account deletion.
- Waitlist entries: retained until the user unsubscribes or requests deletion.
06 Data Deletion and Export
Users have meaningful control over their data. From your account settings you can:
- Delete individual meetings: permanently removes the recording, transcript, insights, decisions, and action items.
- Export your data: request a personal data export in JSON format, including account information, meeting metadata, transcripts, summaries, and action items.
- Delete your account: a short grace period is applied before permanent deletion to prevent accidental loss. During the grace period your account is locked. After it, personal data is deleted or anonymized.
We honor rights under applicable privacy laws, including GDPR (right to erasure, right to access, right to portability) and CCPA/CPRA (right to delete, right to know). To submit a data request, contact support@myntlo.com.
07 AI Processing Providers
Myntlo uses third-party AI services to process meeting content:
- OpenAI Whisper — transcribes audio recordings. Audio is sent to OpenAI's API over HTTPS. We use API access, not the consumer products, and have agreed to OpenAI's data processing terms. OpenAI does not use API-submitted content to train its models by default.
- Anthropic Claude — extracts summaries, decisions, action items, and insights from transcripts. Transcripts (not audio) are sent to Anthropic's API. Anthropic does not use API-submitted content to train its models by default.
We do not use your meeting content to train Myntlo-owned AI models unless we explicitly ask for your permission.
Organizations with data residency or compliance requirements should contact us to discuss options.
08 Error Logging
Myntlo uses Sentry for application error monitoring. Error reports may include stack traces, request metadata, browser information, and user/session identifiers to help diagnose and fix bugs. Error reports do not contain meeting audio, transcript content, or plaintext passwords. Sentry data is retained for up to 90 days. Sentry is configured to scrub common sensitive field patterns automatically.
09 Secret and API Key Handling
All secrets, API keys, and credentials are managed as environment variables and are never:
- Committed to version control
- Exposed in client-side JavaScript bundles
- Returned in API responses
- Logged in application or error logs
Server-side routes validate authentication and authorization before accessing any secrets or performing privileged operations. The application enforces a strict boundary between public (unauthenticated) routes and protected routes.
10 Responsible Disclosure
If you discover a security vulnerability in Myntlo, please report it responsibly by emailing support@myntlo.com with a description of the issue and steps to reproduce it. We will acknowledge your report within 72 hours and work to remediate confirmed vulnerabilities promptly. We ask that you give us reasonable time to address the issue before public disclosure, and that you avoid accessing, modifying, or exfiltrating data that is not your own during your research.
We appreciate responsible security researchers and will give credit where it is wanted.
© 2026 Myntlo. All rights reserved.