Data Security & Encryption

Last updated: April 17, 2026

Available on: Mac, Windows, iOS, Android

Wispr Flow encrypts your voice data and transcriptions at every stage — in transit, at rest, and within the app. Here's how your data stays private and secure.

What it is

Wispr Flow's security architecture protects your data through multiple layers: encrypted communications, cloud-provider encryption at rest, application-level controls, and organizational policies. These protections work together to ensure your voice data and transcriptions remain private and secure.

How it works in Flow

Encryption in transit

All data transmitted between your device and Wispr Flow's servers is encrypted using Transport Layer Security (TLS). This includes:

  • Voice audio sent for transcription

  • Transcription results returned to your device

  • All API communications

  • Authentication and session data

TLS encryption ensures that data cannot be intercepted or read by unauthorized parties during transmission over public networks.

Note: On desktop, TLS certificate validation loads system CA root certificates (macOS Keychain / Windows Root Store) alongside built-in roots, ensuring compatibility with enterprise or custom Certificate Authorities.

Encryption at rest

Wispr Flow relies on cloud-provider default encryption-at-rest capabilities. This is infrastructure-level encryption managed by the cloud provider.

Application-layer security controls

The application implements multiple security controls:

  • Rate limiting: Applied per-endpoint using separate rate limiters with identifiers such as user ID (with IP fallback), IP address, or email address (with IP fallback). Some endpoints apply multiple independent rate limiters simultaneously. Email signup has two layers: per-email (3 per hour) and per-IP (10 per 60 seconds). Password reset is separately limited to 3 attempts per 30 minutes.

  • Input sanitization: Protection against XSS and HTML injection.

  • Content Security Policy: Enforced on desktop in production builds only.

  • Electron security hardening: Base Electron security hardening (node integration disabled, context isolation enabled, WebGL and WebSQL disabled) is applied in all builds. CSP, permission blocking, and navigation prevention are additionally enforced in production builds only.

Access controls

Strict access controls limit who can access your data:

  • Role-based access control (RBAC): Users only access what they need. Three enterprise roles are supported: SuperAdmin, Admin, and Member.

  • MFA enforcement: Required for production system access.

  • Unique credentials: No shared accounts.

  • Regular access reviews: Access revoked for departed employees.

  • Enterprise SSO enforcement: When enabled, non-SSO logins for the domain are rejected. SSO enforcement requires an active enterprise subscription — if the subscription lapses, SSO enforcement is suspended even if the setting remains enabled. SSO enforcement is designed to fail-open: if an unexpected error occurs during SSO verification, login is permitted rather than blocked, to prevent locking out all users.

  • SCIM directory sync: Enterprises can delegate user provisioning to their Identity Provider; manual management is blocked when SCIM is active. SCIM-provisioned users are assigned the Member role by default. Admins can still change roles through the Wispr Flow interface (role updates are not delegated to the Identity Provider).

  • API token management: Individual revocation and expiry — revoked or expired tokens are rejected even if the JWT signature is valid.

  • Enterprise data retention: Organizations can enforce data retention policies on desktop clients that automatically delete local transcripts and polish history. When an organization sets this to "Never store data locally," the setting is fully locked for individual users. When set to "Auto-delete local data every 24 hours," users can still choose the more restrictive "Never store data locally" option but cannot choose less restrictive settings.

  • Enterprise invitations: Expire after 180 days with Admin or Member role assignment.

  • Enterprise domain access restriction: Organizations can block login for non-members from their email domain. Domain access restriction also requires an active enterprise subscription — if the subscription lapses, the restriction is not enforced. Like SSO enforcement, it is designed to fail-open on unexpected errors.

  • SCIM domain protection: New account signups from SCIM-managed domains are blocked through the normal signup flow — users must be provisioned through the identity provider.

Data isolation

Customer data is isolated through authentication and authorization controls. API access requires valid credentials (user JWTs, platform API keys, or client tokens depending on the endpoint). Organization membership is verified before any org-scoped data is returned. Role-based access controls restrict data visibility based on user roles. The platform supports Admin and Member roles for organization-level access. Enterprise organizations additionally support a SuperAdmin role for administrative hierarchy.

Privacy controls

Wispr Flow provides multiple user-facing privacy controls:

  • Privacy Mode: Zero data retention, available on desktop, iOS, and Android, with enterprise-wide enforcement option. Privacy Mode can be locked ON by signing the HIPAA BAA or by enterprise ZDR (zero data retention) enforcement. On desktop, each shows a distinct explanation to the user. On iOS, only the HIPAA lock shows a specific enforcement message. When an organization has enforced Privacy Mode (via ZDR or HIPAA BAA), the privacy choice during onboarding is also locked — users see a notice that their organization has disabled data usage for model improvement.

  • HIPAA BAA: In-app signing on desktop and iOS; permanently enforces Privacy Mode once signed (irreversible). On desktop, enterprise users on a Business plan are directed to the admin portal to sign the BAA at the organization level. On iOS, all users sign in-app regardless of enterprise status. An individual BAA locks Privacy Mode on directly. At the enterprise level, Privacy Mode is locked by the organization's zero data retention (ZDR) enforcement setting, which is automatically enabled when an enterprise-level BAA is signed. On iOS, either an individual or enterprise-level BAA being signed locks Privacy Mode.

  • Context Awareness toggle: Controls whether surrounding text is used to improve transcription (desktop only). For enterprise users, this toggle may be turned off and locked by their organization's admin — when that's the case, the toggle displays a message that it is managed by the organization.

  • Local data storage: On desktop, go to Settings > Data and Privacy to control how transcripts and polish history are stored locally. Three options are available: Store data locally (default, keeps transcripts as usual), Auto-delete local data every 24 hours (automatically removes transcripts and polish history older than 24 hours), and Never store data locally (immediately deletes all existing transcripts and polish history and prevents future storage). Switching to either deletion option shows a confirmation before applying. Switching back to Store data locally takes effect immediately without a confirmation prompt. For enterprise users, this setting may be locked by their organization's admin. Enterprise admins can also set a minimum policy level (e.g., auto-delete every 24 hours) that restricts available options without fully locking the setting — users can choose a more restrictive option but not a less restrictive one.

  • Enterprise privacy controls: Organizations can lock Privacy Mode on for all members, disable Context Awareness for all members, and set local data storage policies for all members. These enterprise privacy controls are available on the Enterprise plan only. Once a HIPAA BAA is signed at the enterprise level, Privacy Mode cannot be disabled by org admins. Additionally, Wispr support can lock the Privacy Mode setting so that even admins cannot change it.

  • Onboarding privacy choice: Users choose between "Help improve Flow" and "Privacy Mode" during setup.

Logging

Logging capabilities include:

  • Error reporting: Application errors reported via Sentry. On desktop: severe errors and first-occurrence errors are always captured; repeat errors are sampled at 0.05% (dynamically adjustable via feature flag). Identical errors are debounced within 5-minute windows — only the first occurrence passes through; duplicates within the window are suppressed. On iOS: critical errors (app hangs, fatal errors, severe errors, and MetricKit diagnostic events) are always captured; non-critical errors are sampled at 1%. Non-critical errors are also debounced with a 60-second window per unique error, further reducing duplicate reports.

  • Desktop logs: Local log files stored via electron-log. Warn, error, and severe-level logs are always forwarded to Sentry for remote tracking. Info-level logs are forwarded to Sentry in production builds only. Sensitive-level logs are never transmitted. Recent logs (up to 30,000 bytes) are attached as context to Sentry error events.

  • iOS logs: On-device logs auto-purged after 7 days.

  • Backend logging: Console output (stdout) plus remote structured logging via Logtail/Better Stack. Sentry error reporting with PII stripping (request headers, cookies, body, and user email/name removed before transmission). Error events sampled at 1%, with backend trace errors from client spans captured at 100%.

Vulnerability management

Organizational vulnerability management policies include:

  • Automated scans: Monthly vulnerability scans of infrastructure and applications.

  • Remediation: Critical and high-severity vulnerabilities addressed following the incident response plan.

  • Penetration testing: Regular testing by qualified third parties.

  • Patch management: Automatic updates for critical security patches.

Organizational security policies

For Wispr Flow team members accessing production systems, organizational policies include:

  • Multi-factor authentication: Required for administrative access.

  • Endpoint protection: Security software deployed on all devices.

  • Security updates: Regular patch management processes.

  • Device encryption: Required for company equipment.

FAQs

Is my voice data encrypted?

Yes. Voice audio is encrypted using TLS during transmission and protected by cloud-provider encryption at rest.

Can Wispr Flow employees access my data?

Access to production systems requires MFA and follows role-based access controls. Regular access reviews ensure only authorized personnel can access customer data.

What happens if I enable Privacy Mode?

Privacy Mode enables zero data retention — your voice and transcription data is not stored after processing. See Privacy Mode & Data Retention for details.

Can I control how long my transcripts are kept on my device?

Yes, on desktop. Go to Settings > Data and Privacy and choose a local data storage option: keep data normally, auto-delete anything older than 24 hours, or never store data at all. The setting takes effect immediately. If the option is grayed out, your organization's admin has set this policy for your account.

Limitations and notes

  • Privacy Mode is available on Mac, Windows, iOS, and Android.

  • Local data storage controls (Store data locally, Auto-delete local data every 24 hours, Never store data locally) are available on desktop only.

  • Context Awareness toggle is available on desktop only. On Enterprise plans, admins can disable Context Awareness for all users in their organization — affected users see the toggle locked with a notice that it is managed by their organization.

  • CSP and Electron security controls are enforced in production builds only.

  • For more details, see Security Overview, Privacy Mode & Data Retention, and Incident Response & Breach Notification.