Security & Trust

Your privacy and data security are fundamental to our design.

Security Posture: TL;DR

  • Your videos never leave your Mac; all processing is 100% on-device.
  • The app is strictly confined using the mandatory macOS App Sandbox.
  • Our servers never store, process, or have access to your video content.
  • Database access is restricted with Supabase Row Level Security (RLS) on every table.

On-Device Data Flow

SwiftyClip's entire analysis pipeline runs locally. Your file is processed in memory and never transmitted.

Video → AVFoundation → WhisperKit/SpeechAnalyzer → Vision → MLX → Export

What Reaches Our Servers

  • Account Data: Your email and subscription status.
  • Anonymous Usage Events: Aggregated, non-identifiable events to improve the product.
  • Scheduled Post Payloads: Content for scheduled posts is held temporarily and deleted within 24 hours.

Sandbox Entitlements

  • com.apple.security.app-sandbox
    Enables the app sandbox, the core security container.
  • com.apple.security.files.user-selected.read-only
    Allows read-only access to videos you explicitly select.
  • com.apple.security.network.client
    Permits network requests for licensing, updates, and analytics.
  • com.apple.security.device.audio-input, com.apple.security.device.camera
    Allows access to the microphone and camera for recording (with permission).
  • com.apple.developer.icloud-container-identifiers
    Identifies the iCloud container for settings sync (optional).
  • com.apple.developer.icloud-services
    Enables iCloud Key-Value store for preferences sync.
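
To check a build against this list, the entitlements plist embedded in the signed app can be compared with the documented keys. The script below is an added example, not SwiftyClip's own code; the function name audit_entitlements is hypothetical and the sample plist is constructed for illustration.

```python
import plistlib

# Entitlement keys listed on this page (audio-input/camera written as two keys).
DOCUMENTED = {
    "com.apple.security.app-sandbox",
    "com.apple.security.files.user-selected.read-only",
    "com.apple.security.network.client",
    "com.apple.security.device.audio-input",
    "com.apple.security.device.camera",
    "com.apple.developer.icloud-container-identifiers",
    "com.apple.developer.icloud-services",
}

def audit_entitlements(plist_bytes):
    """Compare an entitlements plist with the documented list.

    plist_bytes is the XML plist embedded in the code signature, e.g. the
    output of `codesign -d --entitlements - --xml <App.app>` on macOS.
    """
    ents = plistlib.loads(plist_bytes)
    # A boolean entitlement set to false grants nothing, so it is not counted.
    granted = {key for key, value in ents.items() if value is not False}
    return {
        # The sandbox is only active when the key is present and true.
        "sandboxed": ents.get("com.apple.security.app-sandbox") is True,
        # Granted to the binary but absent from the published list.
        "undocumented": sorted(granted - DOCUMENTED),
        # Published but not granted in this build (harmless, worth noting).
        "unused": sorted(DOCUMENTED - granted),
    }

# Constructed sample: one extra entitlement and one disabled entitlement.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.files.user-selected.read-only</key><true/>
  <key>com.apple.security.network.client</key><true/>
  <key>com.apple.security.network.server</key><true/>
  <key>com.apple.security.device.camera</key><false/>
</dict></plist>"""

if __name__ == "__main__":
    for field, value in audit_entitlements(SAMPLE).items():
        print(f"{field}: {value}")
```

Any key reported under "undocumented" is a capability the binary holds that the published list does not explain.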

Transport Security

  • All API and web communication is HTTPS-only, enforced with HSTS and preload lists.
  • Connections require TLS 1.3 with modern, secure cipher suites.
  • A strict Content Security Policy (CSP) is configured via next.config headers to prevent XSS.

Vendors

  • Supabase: User authentication and database (US-East).
  • Stripe: Payment and subscription processing.
  • PostHog: Product analytics.
  • Resend: Transactional email.
  • Sentry: Error reporting.
  • Apple App Store Connect: App distribution.
  • Apple CloudKit: Optional settings sync.

Responsible Disclosure

Found a security vulnerability? Please email us at security@swiftyclip.com. We offer a 30-day response SLA and changelog attribution for valid reports.

Independent Reviews

Coming soon. We are working towards a SOC 2 audit and an independent penetration test. Reports will be published here.