All systems monitored — view status

AI safety, security and trust at CaptionHub

How we protect your video, captions and translation data. Certifications, policies and documentation for your security and procurement teams.

Padlock protecting data
Compliance

Certifications

AICPA SOC 2 logo

SOC 2 Type II

Verified

Independently audited against the AICPA Trust Services Criteria for security, availability and confidentiality. The current attestation is available on request under NDA.

Request SOC 2 report
ISO 27001 logo

ISO 27001

Certified

Certified information security management system covering the CaptionHub platform and supporting infrastructure. The current certificate is available on request.

Request ISO 27001 certificate
Responsible AI

AI, models and trust

CaptionHub is an embedded AI platform — it integrates third-party speech recognition and machine translation rather than training its own models. How we source, govern and oversee AI is set out in our Responsible AI policy and the FAQs below.

Read the Responsible AI policy
Human and robot hands reaching towards each other

AI models and sourcing

Does CaptionHub build or train its own AI models?
No. CaptionHub is an embedded AI platform, meaning it integrates third-party foundational technologies to provide AI-enabled services such as automatic speech recognition and machine translation. CaptionHub does not design, develop or train its own artificial intelligence models.
How are third-party AI services approved?
Use of third-party AI services is permitted only after a review and approval by the CEO and CTO or CCO. Any approved third-party AI service is added to the CaptionHub Sub-Processor Register to maintain transparency and compliance with data processing regulations.
Where can I find a list of the AI services CaptionHub uses?
All integrated AI services are listed in the CaptionHub Sub-Processor Register. For information relating to the individual models themselves, we always recommend referring to the individual AI suppliers.
How does CaptionHub vet its AI suppliers?
Where the product incorporates third-party AI models or infrastructure, CaptionHub conducts due diligence to satisfy itself that those providers operate in a manner consistent with its own compliance obligations. Details of material third-party AI components are available on request.

EU AI Act compliance

How is CaptionHub classified under the EU AI Act?
CaptionHub has assessed its AI system against the risk classification framework in Regulation (EU) 2024/1689 (the EU AI Act). The system falls within the limited risk category as defined under Article 50. It does not meet the criteria for high-risk classification under Annex III, nor does it constitute a general-purpose AI (GPAI) model as defined under Article 3(63).
How often is this risk classification reviewed?
The classification is reviewed on a regular basis, and in particular whenever material changes are made to the system's functionality, use cases, or deployment context.
What transparency obligations does CaptionHub meet?
As a limited-risk AI system, CaptionHub is subject to the transparency obligations of Article 50. In practice, this means users are informed when they are interacting with an AI system where this is not already evident from context, the system is never deployed in a manner designed to deceive users as to its nature, and appropriate disclosure mechanisms are in place where the system generates content that could be mistaken for human-produced output.
Does the EU AI Act apply to customers outside the EU?
Whilst the EU AI Act does not have direct legal force in the United Kingdom, CaptionHub has adopted its principles as the baseline standard for its global operations. It monitors developments under the UK government's AI regulation framework and will update its practices as statutory obligations emerge. For customers in the United States and other markets, this reflects a voluntary commitment to responsible AI development in the absence of equivalent binding regulation.

Data privacy and training

Is my data used to train AI models?
CaptionHub only integrates AI services where there is either an option to opt out of data being used for AI training purposes, or an alternative service for a particular process (such as ASR). Where an opt-out is available, CaptionHub will always choose to opt out, in line with its commitment to protecting data and client privacy.
How do I know which services have an opt-out in place?
All opt-out options are labelled in the CaptionHub Sub-Processor Register.

Governance and accountability

How is the Responsible AI Policy kept up to date?
The policy is reviewed regularly to ensure it remains aligned with current laws, technological advancements, and best practices in AI.
Are employees trained on responsible AI?
Yes. All employees receive training on the Responsible AI Policy to ensure understanding and compliance. Any violation of the policy may result in disciplinary action, up to and including termination of employment.
What is CaptionHub's overall commitment to responsible AI?
CaptionHub is committed to developing and deploying AI responsibly, prioritising transparency, fairness, and accountability in its AI-driven localisation solutions. It actively engages with industry best practices and continuously refines its technology to align with evolving ethical guidelines, fostering human-AI collaboration to empower users with accurate, inclusive, and responsible AI solutions.

Further information

Who do I contact about AI compliance?
Customers seeking further information about CaptionHub's EU AI Act compliance position, or who require supporting documentation for their own procurement or regulatory processes, should contact compliance@captionhub.com. CaptionHub is happy to discuss specific requirements and, where appropriate, provide additional written confirmation.

Human oversight

Is there human oversight of AI outputs?
Yes. The product includes an optional human-in-the-loop mechanism, enabling customers to introduce human review and approval at key stages of AI-assisted workflows. CaptionHub actively encourages the use of this feature, particularly in contexts where outputs may inform significant decisions. Documentation on configuring human oversight is available in the product knowledge base.
Documentation

Resources

Data processing

Sub-processors

Third parties that process customer data on our behalf. The live register below is maintained at app.captionhub.com/page/subprocessors.

Having trouble viewing? Open the register in a new tab
Support

Frequently asked questions

Deployment and hosting

Can I install my own instance of CaptionHub behind my firewall?
Yes. For our Enterprise customers, CaptionHub can be deployed in a variety of ways. Please contact us for more details.
Where is CaptionHub hosted?
For a cloud install, CaptionHub typically hosts our applications and your data with Amazon Web Services (AWS), an industry leader providing a highly scalable, secure cloud computing platform.
Does my data exist alongside other users?
It depends on your install. For our multi-tenant customers, it does. CaptionHub is extremely well tested to ensure that users don't see each other's data, but if you require absolute separation, then we'd recommend you opt for our Single Tenant or On Premise installation options.
Where is personal data stored?
Personal data is stored in the EU (Ireland).

Certifications and compliance

What certifications does CaptionHub hold?
CaptionHub has full ISO27001:2013 certification and has achieved SOC II Type 2. Our system of continual improvement is compliant with international security standards including ISO27001, the Cloud Security Alliance's CAIQ and SOC II.
How does CaptionHub handle international data transfers?
We ensure compliance with GDPR and other cross-border regulations when transferring data via EU Standard Contractual Clauses (SCCs) plus the UK Addendum, and the UK's International Data Transfer Agreement (IDTA) where appropriate.
Who oversees security governance?
A Security Working Group chaired by our CEO oversees information risk and security management. Our Information Security Policy is reviewed annually by the Security Working Group, and also upon significant changes.

Encryption

Is data encrypted in transit?
Yes. Traffic to and from the browser is encrypted via SSL/TLS (TLS 1.2 with SHA256 certificate).
Is data encrypted at rest?
Yes, using 256bit encryption via Amazon's SSE-S3. Cryptographic controls are governed by central policies covering key generation, renewal, and storage throughout their lifecycle.
How are secrets managed?
Application secrets are stored in AWS secrets manager and encrypted using 256-bit AES keys. Customer secrets are stored in the CaptionHub database and encrypted using 256-bit AES keys.

Authentication and access control

How does CaptionHub handle authentication?
We use Auth0 to manage authentication, which enables multi-factor authentication, password strength management, and so on. For SSO, we use WorkOS. Custom integration with your own authentication schemes is available for our on-premise customers.
What happens if my credentials are leaked in a third-party breach?
Via Auth0, CaptionHub protects and notifies users if and when their credentials are leaked by a data breach of a third party. CaptionHub prevents access until the user has reset their password.
What access does a new user have by default?
None. By default, a new user for CaptionHub has no access – permission needs to be explicit, and given for each and every project.
Can you produce an audit trail which logs who has accessed what?
By default a user can't see anything in CaptionHub, they have to be manually given access to a project before they can view it. We track user login times and IP address, and we log various forms of activity: handover, download, assignment, etc.
Who can see my information?
Access to data is limited to CaptionHub account administrators and developers. From time to time, CaptionHub also employs third party developers, who are strictly contractually bound regarding any confidential information.
Do CaptionHub employees have access to customer data?
We operate under the least access principle – employees only receive the minimum access required for their role. Few CaptionHub employees have access to customer data; front line support staff do not, unless explicitly given access by our customers.
What additional security measures are available to Enterprise customers?
Enterprise customers benefit from additional security measures, including IP whitelisting, 2 factor authentication, SSO / custom authentication, and watermarking encoded media.
How is content protected from unauthorised downloads and screen captures?
Expiring URLs mean that it's difficult to download linked media, even if access is granted, and the logged in user's email address is superimposed over video, making screen captures traceable.

Testing and threat detection

How often is CaptionHub tested for vulnerabilities?
We run an application vulnerability scan every week using Detectify with the latest attack vectors, carry out application and network vulnerability threat assessments on an ongoing basis, conduct penetration testing and code review at least annually (or after a major architectural change), and review and test our security control framework annually.
How are containers and infrastructure monitored for threats?
We scan all containers for vulnerabilities as part of the build process using Trivy. Our containers are built to be immutable, and no additional software is installed on deployment. Running services are scanned regularly for vulnerabilities using Detectify, and our AWS infrastructure is monitored for threats using Guard Duty.
What malware protection is in place?
We scan our network and systems for vulnerabilities nightly using RKHunter, ClamAV and AIDE. Virus signatures are updated daily, and applications are regularly kept up to date.
Is there a Web Application Firewall?
Yes. All requests go through a Web Application Firewall to filter traffic from known malicious IPs or with patterns that look like common attacks.

Development practices

How is code secured before deployment?
Rules for software and system development are established and applied, covering system design, development environments, secure testing, and development principles. All code is QA'd before deployment, and a security analysis is an explicit part of that process.
Are development and production environments separated?
Yes. Development, testing, and operational environments are separated into Staging, Live and Development environments within AWS to reduce risks of unauthorised access or changes.
Can developers access running containers?
No SSH or password access to running containers is possible. If necessary for a developer to connect to a container, this is done using AWS Session Manager (SSM). Developer AWS keys are stored locally using aws-vault, and for production access require two-factor authentication.

Personnel

Are employees screened before joining?
Yes. CaptionHub enforces pre-employment screening for all staff including reference checks for the last 3 years, criminal background checks, CV verification, and a 3 month probation period.
Do employees receive security training?
All employees receive regular security awareness training, which new employees are also required to complete.
Are contractors bound by confidentiality agreements?
Contractors and third-parties must sign NDAs before employment. Information security policies and procedures must be read, understood and signed-off before any access is given to any information system.
How is remote working secured?
Remote employees use VPN technology with encrypted protocols (IPsec/SSL) and two-factor authentication. We maintain clear desk and clear screen policies with appropriate training.
What happens when an employee leaves?
When an employee's contract ends, access to all systems is revoked immediately and methodically to ensure no residual access remains, and information assets are removed from personal devices during termination.

Continuity and backups

How is CaptionHub backed up?
We take hourly backups of our database to Amazon S3. We don't back up video data, but we do back up caption data/work so that it can be restored in due course. Video data is also stored on S3, which has a durability rating of 99.999999999%.
Is there a single point of failure?
No. CaptionHub is configured in a High Availability pattern, with no single point of failure. We use infrastructure-as-code to seamlessly scale out services, as required.
Is there a business continuity plan?
Yes. We have developed and enforced a business continuity policy and plan based on information security requirements, with ongoing testing (e.g., power failure, DDoS) and review to capture necessary changes.

Incidents and third parties

What about incident response and data breaches?
CaptionHub maintains comprehensive incident response procedures with 24/7 monitoring via AWS CloudWatch and Slack alerts. We have formal breach notification procedures and post-incident analysis processes to reduce the likelihood or impact of future incidents.
How do you handle supplier and third-party security?
We enforce comprehensive supplier management policies including due diligence, risk assessment, and regular security reviews. All supplier contracts include security and data protection clauses, and we regularly assess suppliers for compliance.
Is my data shared with third parties?
Depending on how CaptionHub is configured and used, you may choose to share your data with third parties. Auto-transcription and machine translation are examples where CaptionHub uses third parties to deliver aspects of our service. Your data is only shared following an explicit action from you, and we have strict contracts with all third party providers, with extensive non-disclosure clauses.
How is data disposed of securely?
We implement formal procedures for secure disposal including approved third-parties for physical equipment, secure erasure by Information Asset Owners for logical data, and shredding for hard copies.

Timbra (live captioning)

How are captions for public live video secured?
Captions are served via a publicly visible URL containing a unique, hard to guess identifier for the stream. This identifier can be rotated on request.
Can Timbra be locked down to authorised access only?
Yes. Timbra projects can be configured to only allow authorised access. In this mode, all public endpoints are disabled, and access to caption output is only possible via the API using valid API credentials.
Can Timbra be evaluated privately?
Yes. Timbra can be evaluated in private mode, where no data is publicly available.
What low-latency input methods are supported?
Customers can choose RTMP, which is unencrypted, but secured with an unguessable stream key, or SRT, which has built-in AES encryption. Optionally RTMPS (secured RTMP) can be used.
How long is caption data retained?
All transcription and caption data is kept within the CaptionHub system. Captions are no longer available for archived and deleted projects. For transcription, customers can opt to use a private install of our transcription engine.