Data handling
What we store, where, and for how long
BrassTranscripts Legal stores audio with encryption at rest, deletes audio 24 hours after upload via an automated daily cleanup, gives paid customers 10 full days to download and review transcripts before automatic deletion, and never uses customer audio or transcripts for AI model training.
Storage and encryption
BrassTranscripts Legal stores all uploaded audio and processed transcripts with encryption at rest; uploads and downloads transit over TLS via short-lived presigned URLs that expire within one hour of generation.
Customer browsers upload audio directly to object storage via presigned URLs — files do not flow through the BrassTranscripts web server. The same pattern applies to transcript downloads. Presigned URLs are time-bound (1 hour default) and signed with the BrassTranscripts storage access key; only the bearer of an unexpired presigned URL can fetch a specific object.
Retention and deletion
BrassTranscripts Legal runs an automated cleanup cron daily at 03:00 UTC that deletes audio files 24 hours after upload, retains paid transcripts for 10 days after payment before deletion, and deletes unpaid or failed transcripts 48 hours after upload — with corresponding database fields cleared at the point of transcript deletion.
| Data | Retention | Trigger |
|---|---|---|
| Uploaded audio | 24 hours | From upload time |
| Paid transcripts | 10 days | From payment |
| Unpaid / failed transcripts | 48 hours | From upload time |
| Operational logs | ≤ 90 days | Per provider policy |
Logs contain operational metadata (job IDs, request paths, response codes, durations) and never contain transcript content. Filenames may appear in error logs; sensitive filenames should be avoided when uploading.
Why 10 days for paid transcripts? Most law firms need a working window to download, share with co-counsel, run AI prompts, and integrate transcripts into case files. 10 days covers a normal review cycle while still guaranteeing automatic deletion afterward — no long-term server-side copies of privileged material sit around indefinitely.
AI model training
BrassTranscripts Legal does not use customer audio or transcripts for AI model training, fine-tuning, evaluation, or any data-collection program — uploads exist only for the purpose of returning a transcript to the customer who paid for it, and then they are deleted on the schedule above.
Account authentication
BrassTranscripts Legal accounts use a token-in-URL authentication model — no cookies, no passwords; the token is delivered to the customer's verified email address and the server stores only a SHA-256 hash of it, so a database breach does not yield usable account credentials.
Two tokens may be valid simultaneously (current and previous) to support graceful link rotation if a customer requests a new dashboard link. To revoke access, request a new dashboard link via the bulk login flow — this rotates the token immediately.
What BrassTranscripts Legal does not claim
BrassTranscripts Legal does not offer a Business Associate Agreement (BAA), is not HIPAA-compliant, and holds no SOC2 attestation — buyers whose work requires any of those should obtain transcription from a vendor that does.
- No BAA — not suitable for HIPAA-covered protected health information without compensating controls outside our service
- No SOC2 attestation
- No long-term archival — the retention schedule above is enforced; we cannot retrieve files past their deletion date
If your matter requires HIPAA compliance, a BAA, SOC2 attestation, or attorney-client privilege protections beyond contractual deletion guarantees, BrassTranscripts Legal is not the right vendor. Self-selecting out is the right move and we'd rather you do that than discover the gap during a deposition.
Source-of-truth references
Retention timelines reflect the actual cleanup cron implementation. Encryption-at-rest is a platform feature of our object storage provider. If anything on this page proves inaccurate against actual implementation, please flag it via and we'll correct it within one business day.
Frequently asked questions
Why do paid transcripts get 10 days while audio gets only 24 hours?
Audio is deleted aggressively (24 hours) because it is the largest, most sensitive raw file and once a transcript exists most workflows no longer need the audio. Paid transcripts get 10 days because that covers a typical case-prep cycle: download, review, share with co-counsel, run AI prompts, integrate into case files. Both windows guarantee automatic deletion afterward — no long-term server-side copies.
Can I extend retention if I need a transcript longer?
No, the schedule is fixed and enforced via automated cron. Download transcripts to your own matter file system within the 10-day paid window for long-term retention.
Is the audio actually deleted or just marked deleted?
Actually deleted. The cleanup cron issues delete operations to object storage and clears the corresponding database fields. After deletion the file is no longer retrievable via any internal or customer-facing path.
What happens if a transcript fails to generate?
Failed transcripts are deleted on the same 48-hour-from-upload window as unpaid transcripts. The job record is marked failed and the upload audio is deleted on its normal 24-hour schedule. No orphaned audio or partial transcripts persist past those windows.
How is account access secured?
Accounts use a token-in-URL authentication model — no cookies, no passwords. The token is delivered to the customer's verified email address; the server stores only a SHA-256 hash of it. A database breach would not yield usable account credentials.