Security at Slide Practice
One-to-one sessions hold some of the most private things a person will say. Here is how Slide protects that, in plain words: what we encrypt, when we ask for consent, where your data lives, and how you take it with you. We tell you what is true today and label what is still being built.
Last reviewed July 4, 2026. We update this page whenever our practices change.
Three rules we hold to.
Nothing records without a yes
The client agrees on screen before any recording starts. No quiet capture, no buried default.
Your data stays yours
Export your clients, recaps, and records at any time. No lock-in, and no holding your work hostage.
Audio does not linger
Session audio is deleted automatically after 30 days, or sooner if you delete it yourself.
The details, written for practitioners, not a lawyer.
This is the working picture of how Slide handles your data today.
- Encryption in transit
Every connection to slidepractice.com and to the app runs over HTTPS with TLS, so the link between your browser and Slide is encrypted. API requests are authenticated and rate limited.
- Encryption at rest
Your records sit in an encrypted PostgreSQL database. Session audio is held in private, encrypted object storage that is not publicly reachable.
- Consent before recording
When Auto-Join records a session, the client sees a clear consent step and agrees before anything is captured. Recording is off by default on every plan. You stay responsible for getting every consent the law requires from each participant, and for following the one-party or all-party recording rules where you and your client are located, before you record. You can read the full recording consent policy.
- Audio retention and deletion
Session audio is kept for 30 days by default and then deleted automatically. You can delete audio earlier from your dashboard whenever you want. The recaps you keep stay in the client portal until you or your client remove them.
- Your data and export
Your clients, recaps, and records belong to you. You can export everything at any time, and you can delete your account and its data. Nothing about leaving is designed to be hard.
- Access and least privilege
Practitioners see only their own practice. Clients see only their own portal. Access to production systems is limited to what is needed to run the service, and authentication is handled by a dedicated identity provider with two-factor available on every account.
- Payments and card data
Paddle is the Merchant of Record for Slide. Your card details are entered with and handled by Paddle, not stored by Slide. We keep a reference to your subscription, not your card number. And Slide takes no commission, on any plan, ever.
Hosting and the companies behind it, named honestly.
Slide does not run its own data centers. We build on a small set of well-known infrastructure providers, and we tell you who they are. Your databases are hosted in Tokyo, and the application that serves them runs in Singapore.
Each company below handles a specific job. We sign agreements with them and review what we share. These are the vendors that handle your practice data, including the three that touch session audio. The complete, dated list, which also covers our operational and analytics providers and says what each one processes and where, lives on the sub-processors page.
| Vendor | What it does |
|---|---|
| Recall.aiMeeting capture | Joins and records a Zoom, Meet, or Teams call, only when you turn on Auto Join and your client agrees on screen. Recorded in Tokyo. |
| OpenAISpeech to text | Turns session audio into a transcript. Instructed not to train on your content. |
| AnthropicRecap drafting | Drafts the recap and action items from the transcript. Instructed not to train on your content. |
| SupabaseDatabase and storage | Holds the encrypted database and private audio storage. Hosted in Tokyo. |
| ClerkSign in and identity | Handles sign in and account recovery. Sees your identity, never your session content. |
| FlyApplication hosting | Runs the Slide application. Hosted in Singapore. |
| VercelMarketing site hosting | Serves slidepractice.com and its public profile and directory pages. |
| ResendEmail delivery | Sends recap follow-ups and account email on your behalf. |
| PaddlePayments, Merchant of Record | Handles subscription billing and card data. Slide does not store cards. |
| PlausiblePrivacy-first analytics | Counts page visits without cookies or cross-site tracking. |
AI transcription and recap drafting are handled by enterprise providers under contracts that prevent your audio or transcripts from being used to train their models. These are named on the sub-processors page.
What we claim, and what we do not.
Slide is built and run by a team led from Manila by Vikrant Singh. We will not claim a certification we do not hold. Slide is not SOC 2 certified and not HIPAA compliant today. If your practice sits under HIPAA or a similar rule, please weigh that before recording sessions in Slide.
What we do is apply the practices on this page from day one, and document them plainly. As Slide grows, formal security work will follow, and we will report it here honestly rather than ahead of time. If you have a specific requirement, write to me and I will tell you straight where we stand.
One more honest thing: no method of storing data or sending it over the internet is ever perfectly secure. We work hard to protect your data using the measures described above, but no service can promise absolute security, and we do not. The service is provided on an "as is" and "as available" basis, as set out in our Terms.
Found a security issue? Tell us.
If you spot a vulnerability in Slide, please report it privately so we can fix it before it can be misused. We read every report and we are glad you took the time.
- Email the details to the address on the right.
- Give us a fair window to investigate and fix before going public.
- Please do not access or change data that is not yours while testing.
Our machine-readable contact is at /.well-known/security.txt.
Use the subject line "Security report". A real person reads this inbox. We aim to acknowledge reports within one business day.
Prefer the standard file? See security.txt.
The rest of the fine print, in plain language.
Privacy
What we collect, why, and the choices you have over it.
Recording consent
How the client agrees before any session is recorded.
Sub-processors
The current, dated list of companies that help run Slide.
Questions about any of this reach me directly at support@slidepractice.com.