Security Architecture

How Parrot Scribe protects your data at every layer.

Parrot Scribe uses a layered encryption architecture designed to protect your transcripts even if your Mac is compromised.

🔒

Encryption at Rest

Every transcript and audio file is encrypted using AES-256-GCM. We don't just encrypt the database; we use per-entity keys for every individual entity, ensuring that even a partial compromise is contained.

🛠️

Hardware-Protected Master Key

The root of trust is a P256 elliptic curve key generated and stored inside your Mac's Secure Enclave. This key never leaves the hardware security module and is required for every session access.

🧬

Encryption Hierarchy

We use HKDF (HMAC-based Key Derivation Function) to derive unique, per-session encryption keys from the hardware-protected master secret. This architecture ensures that keys are never stored on disk and are only derived in memory when needed.

🧨

Cryptographic Deletion

When you delete a session, its unique encryption key is destroyed. Because the data was encrypted with AES-256-GCM, the remaining ciphertext becomes mathematically impossible to decrypt, even with physical access to the storage.

Privacy by Architecture

We don't just promise privacy; we architect for it. Your data stays on your Mac because the app is designed that way. No cloud transcription and no speech data leaves your device for transcription.