Trust Center: Security, Compliance & Human-First Quality

Independent Penetration Test (VAPT) Results

Our platform is assessed by OSCP/CREST-certified third-party testers using OWASP and PTES methodologies. The most recent evaluation (Sept 2025) reported 0 Critical/High issues, and priority findings were remediated and verified in re-testing. Request access to the current Executive Summary and full VAPT report (available under NDA).

Version 1.2 — 07 Jan 2025

Access Control & Authentication Standard (SSO/MFA & Least Privilege)

A rigorous enterprise access-management standard covering SSO + MFA by default, bastion-only admin, quarterly entitlement reviews, SIEM monitoring, secrets in vault with scheduled rotation, and zero-trust endpoint/network safeguards. Built for ISO 27001/NIST controls, audit evidence, and least-privilege enforcement across cloud, SaaS, and endpoints.

Version 1.2 — 07 Jan 2025

Security Program & Control Framework (ISO/NIST Aligned)

Overview of GoTranscript’s ISMS: ISO 27001/27002/27017/27018 and NIST CSF alignment, risk governance, classification/retention model, incident management (72-hour breach window), IT Ops hardening, and secure SDLC. Ideal for due diligence, RFPs, and auditor desk reviews.

Version 1.2 — 07 Jan 2025

Workforce Security & Training Policy

Enterprise people-security: automated joiner/mover/leaver access via SSO + MFA, 90-minute induction, U.S. DoD PII training within 30 days, monthly micro-lessons, quarterly phishing tests, and 4-hour leaver off-boarding SLA with immediate secrets rotation. Evidence-ready for audits and BAAs.

Version 1.2 — 07 Jan 2025

Security Incident Response & Malware Defense Standard

Formal IR playbook (Preparation→Detection→Containment→Eradication→Post-Incident), 15-minute reporting rule, ICO/GDPR 72-hour notice guidance, 7-year evidence retention, and a hardened EDR/AV stack (Defender, CrowdStrike, ESET, GuardDuty) with upload scanning and quarterly EICAR tests. Built for regulated environments.

Revision 4 — 27 Sep 2025

Corporate Information Security Policy

The governing policy for confidentiality, integrity, and availability across the company: classification, third-party handling, secure storage/disposal, change management, incident response, continuity, and compliance. Clear scope/definitions for audit readiness and regulator engagement.

Version 1.2 — 07 Jan 2025

Operational Resilience & Business Continuity Framework

Uptime and recovery commitments for enterprise buyers: ≥99.9% availability, RTO ≤1h, RPO ≤15m, multi-AZ design, cross-region encrypted backups with integrity checks, annual failover/tabletops, and IR integration with 72-hour breach notifications where required.

Version 1.2 — 07 Jan 2025

IT Operations Security Controls & KPIs

Day-to-day control ownership and evidence streams for audits: patch SLAs (critical ≤14 days), 100% encryption/MFA/backups, real-time CMDB, IaC change control, KPI dashboards, and training/IR drill cadence. Maps ISMS requirements to accountable ops tasks and reporting.

Last updated — 19 Jan 2025

Human Quality Assurance (Precisa QMS): Vetting & Two-Pass Editing

Enterprise-grade human QA program: selective intake, language-specific testing in 140 Languages, mandatory two-person review on every file, continuous scoring, calibrated editors, and strict NDA/least-exposure handling — designed for HIPAA/GDPR-sensitive workloads.

Version 1.2 — 07 Jan 2025

Security Risk Management Policy (ISO 27001 / NIST CSF)

How we identify, score, treat, and govern risks: quarterly reviews, executive Security Leadership Review, residual-risk sign-off, control mapping to ISO 27001/27017/27018, NIST CSF, PCI DSS and OWASP ASVS; integrates with access control, continuity, classification, and incident response.

Version 1.2 — 07 Jan 2025

Human-Only Processing (Zero-AI, If needed) Policy

A clear customer-assurance stance: no AI systems process client data. Network and endpoint blocks, software allow-listing, monthly audits, onboarding/annual training, and disciplinary enforcement via the ISMS incident process. Ideal for regulated and privacy-sensitive engagements.