Ctrl handles work context that can include meetings, messages, email, calendar information, tasks, summaries, and integration metadata. The controls below describe the current security posture for the website and product. They are written plainly so customers can evaluate the service without relying on vague trust language.
Security principles
- Capture is user-controlled, not hidden background surveillance.
- Access to production systems is limited to people who need it.
- Data is protected in transit with HTTPS/TLS.
- Hosted infrastructure and provider controls are used for operational security.
- AI processing is scoped to requested product outputs.
- Identifiable data is tokenized or redacted before LLM processing where supported by the product flow.
Current controls
| Area | Control |
|---|---|
| Transport security | The public website is served over HTTPS. HSTS is enabled at the hosting layer. |
| Application hosting | The marketing site runs on Vercel with CDN, deployment, and infrastructure controls provided by Vercel. |
| Access control | Internal access is limited based on role and operational need. Access is removed when it is no longer needed. |
| Product content | Meeting and work context is processed to produce user-requested summaries, tasks, reminders, and references. |
| AI processing | Model providers may process selected product content to generate requested outputs. Sensitive identifiers are tokenized or redacted where supported. |
| Analytics | Website and product analytics are used to understand reliability, conversion, and product usage. Analytics are not intended to expose user work content. |
| Vendor review | Providers are selected for operational need, security posture, and fit for the data they process. |
| Incident handling | Security reports are reviewed, investigated, and escalated based on impact. |
Subprocessors and providers
Ctrl uses providers for hosting, email delivery, consent tooling, analytics, payment processing, integrations, and AI functionality. The website currently references Vercel, Resend, Google Analytics, Google Tag Manager, PostHog EU, and GetTerms. Product features may also rely on user-authorized integration providers and AI model providers.
Meeting capture and consent
Ctrl is built around intentional capture flows. Users are responsible for providing legally required notice and obtaining legally required consent before recording, transcribing, or processing a conversation or third-party content. Ctrl should not be used to capture conversations secretly or process information the user does not have the right to provide.
Data deletion and retention
Product content is retained only as long as needed to provide the service, comply with legal requirements, resolve disputes, maintain security, and preserve legitimate business records. Users can request deletion by contacting hello@usectrl.ai.
Compliance status
Ctrl does not currently claim SOC 2, ISO 27001, HIPAA, PCI DSS, or other formal certification on this website. If certifications, enterprise agreements, or dedicated compliance commitments become available, this page should be updated with the exact scope and date.
Report a security issue
Send security reports to hello@usectrl.ai with a clear description, affected URL or feature, reproduction steps, and any relevant logs or screenshots. Please do not access, change, delete, or share data that does not belong to you.