The security model
Sipura uses a local-first architecture for private archive content. Recordings, transcripts, notes, and story structure stay on your device unless you explicitly invoke a cloud-backed feature — publishing, backup, AI processing, or collaboration.
The public publishing boundary
- Publishing is an explicit, user-initiated export.
- Public pages render from a sanitized snapshot — never from the live private archive.
- Unlisted pages are excluded from indexing but remain reachable by direct URL.
- Republishing updates the public snapshot only. It doesn't expose the archive behind it.
Infrastructure providers
- Supabase — backend data and authentication.
- OpenAI — AI-assisted processing when you invoke an AI feature.
- RevenueCat — subscription and entitlement handling where billing applies.
- Sentry — crash and stability monitoring when enabled.
Security contact
For security or abuse reports, email contact@glasrocks.com. Include the affected URL, screenshots, and any reproduction details that can help us verify the issue quickly.