Security and Trust

Your work and your data, kept safe.

Security is part of how the product is built, not an afterthought. This page explains, in plain language, how we protect your account, your payments, and the files you trust us with.

Encryption in transit and at rest

Every connection to our website and our API runs over HTTPS. Your uploads, your account details, and everything in between travel over an encrypted channel.

We also enforce HSTS (HTTP Strict Transport Security) on both the site and the API, which instructs browsers to connect only over HTTPS.

The files you upload and the subtitles we generate are also encrypted at rest, using AES-256.

Accounts and passwords

Passwords are never stored as plain text. We hash them with Argon2, a modern algorithm built specifically to resist password cracking.

You can also sign in with Google instead of a password. To slow down brute-force attempts, our login and registration endpoints apply per-IP rate limiting, so an attacker cannot try thousands of passwords in a row.

Payments

All payments are handled by Stripe, a PCI-DSS compliant payment provider trusted by millions of businesses.

Your card details go straight to Stripe and are never sent to or stored on our servers. We only keep a reference to the transaction, never the card number.

Where your data lives

Our platform runs entirely on Amazon Web Services in the European Union, in the Paris (eu-west-3) region.

  • Your uploaded media and generated files are stored in Amazon S3 in Paris.
  • Your account data is stored in a managed PostgreSQL database in Paris, backed up automatically every day.
  • Subtitle generation and burn-in run on AWS compute in the same region.

Your data and deletion

We store the media you upload and the subtitles and transcripts we generate from it, so you can come back and download or edit your work.

You stay in control. You can delete your own media at any time from your My Videos page. If you would like your account and all associated data removed, contact us and we will take care of it.

For full details on what we collect and how we use it, see our privacy policy.

Application hardening

Beyond encryption, we apply a number of standard protections across the platform:

  • Security response headers, including X-Content-Type-Options, X-Frame-Options, and Referrer-Policy.
  • A scoped CORS policy that only allows our own applications to call the API, rather than any website.
  • A database that is never exposed to the public internet. It can only be reached from inside our private network.

Enterprise and compliance

For enterprise engagements we are happy to support your review process. We can complete a security questionnaire, walk you through how the platform is built, and arrange a penetration test on request.

We do not make compliance claims we cannot back up. If your organization requires a formal certification such as SOC 2 or ISO 27001, get in touch and we will discuss your requirements.

Reporting a security issue

If you believe you have found a security vulnerability, we want to hear from you. Email security@subtitling.net with the details and we will look into it. We ask that you give us a reasonable amount of time to respond before sharing it publicly.

We will not pursue legal action against anyone who reports an issue in good faith, as long as you avoid privacy violations and do not disrupt the service for others.

You can also find our security contact at /.well-known/security.txt.

Last reviewed June 2026.