Security

Our Commitment to Security

At OpenMultiTTS, operated by SoloGeek, security is fundamental to our platform. We implement industry-leading security practices to protect your data, API keys, and ensure the integrity of our text-to-speech services. As a trusted intermediary between you and multiple TTS providers, we take our security responsibilities seriously.

Data Encryption

Encryption in Transit

• TLS 1.3: All API communications use TLS 1.3 encryption
• HTTPS Only: Our website and API endpoints enforce HTTPS connections
• Certificate Validation: We use valid SSL certificates from trusted authorities
• Perfect Forward Secrecy: Session keys cannot be compromised even if long-term keys are exposed

Encryption at Rest

• AES-256 Encryption: All stored data is encrypted using AES-256
• Database Encryption: Database files and backups are encrypted
• API Key Storage: API keys are hashed and encrypted before storage
• Secure Key Management: Encryption keys are managed through secure key management systems

Authentication & Authorization

• API Key Authentication: Secure API keys for programmatic access
• Password Requirements: Strong password policies enforced
• Password Hashing: Passwords hashed using bcrypt with individual salts
• Session Management: Secure session tokens with automatic expiration
• Two-Factor Authentication (2FA): Available for enhanced account security
• Role-Based Access Control: Granular permissions for team accounts

API Security

Request Protection

• Rate Limiting: Automatic throttling to prevent abuse
• Request Signing: HMAC signatures for API request verification
• IP Whitelisting: Optional IP restrictions for enterprise accounts
• Request Validation: Input sanitization and validation on all endpoints

API Key Management

• Secure Generation: Cryptographically random API keys
• Key Rotation: Support for rotating API keys without service disruption
• Key Revocation: Instant invalidation of compromised keys
• Usage Monitoring: Real-time monitoring of API key usage patterns

Infrastructure Security

Cloud Infrastructure

• Enterprise Cloud Hosting: Hosted on enterprise-grade cloud infrastructure
• DDoS Protection: Advanced DDoS mitigation at network level
• Firewall Protection: Web Application Firewall (WAF) to block attacks
• Isolated Environments: Production, staging, and development environments are isolated

Network Security

• Private Networks: Internal services communicate over private networks
• Network Segmentation: Logical separation of different service layers
• Intrusion Detection: Automated monitoring for suspicious activity
• Access Control: Principle of least privilege for all systems

Data Privacy & Retention

Data Handling

• Minimal Data Collection: We only collect data necessary for service delivery
• Temporary Processing: Text inputs are processed and not permanently stored
• Automatic Deletion: API request logs deleted after 30 days
• No Audio Storage: Generated audio is not stored on our servers

Third-Party Provider Security

• Secure Transmission: All data sent to TTS providers is encrypted in transit
• Provider Selection: We only partner with security-certified providers
• Compliance: Our providers maintain SOC 2, ISO 27001, and other certifications

Monitoring & Incident Response

Continuous Monitoring

• 24/7 Monitoring: Automated monitoring of platform health and security
• Log Analysis: Centralized logging with automated anomaly detection
• Alert Systems: Real-time alerts for security incidents
• Performance Tracking: Continuous monitoring of API performance

Incident Response

• Response Team: Dedicated security incident response team
• Response Plan: Documented procedures for various security scenarios
• User Notification: Prompt notification of security incidents affecting users
• Post-Incident Analysis: Thorough review and improvement after incidents

Compliance & Certifications

• Data Protection: Compliant with applicable Indian data protection regulations
• GDPR Considerations: Implementing GDPR-aligned practices for EU users
• Industry Standards: Following OWASP Top 10 security guidelines
• Regular Audits: Periodic security audits and assessments
• Penetration Testing: Annual penetration testing by third-party security firms

Security Best Practices for Users

Protect Your API Keys

• Never commit API keys to version control (use .env files)
• Store keys securely in environment variables or secret management systems
• Use different API keys for development, staging, and production
• Rotate API keys regularly and after any suspected compromise
• Revoke unused or old API keys immediately

Account Security

• Enable two-factor authentication (2FA) on your account
• Use strong, unique passwords (12+ characters with mixed case, numbers, symbols)
• Don't share account credentials with team members; create sub-accounts instead
• Review account activity logs regularly
• Log out from shared devices

Integration Security

• Always use HTTPS when calling our API
• Validate and sanitize user inputs before sending to our API
• Implement rate limiting on your end to prevent abuse
• Don't expose API responses directly to end users without filtering
• Keep your SDK/libraries updated to the latest versions

Vulnerability Disclosure

We welcome responsible disclosure of security vulnerabilities. If you discover a security issue:

• Email us at [email protected] with subject "Security Vulnerability"
• Provide detailed information about the vulnerability
• Allow us reasonable time to address the issue before public disclosure
• Do not exploit the vulnerability beyond what is necessary to demonstrate it

We commit to acknowledging reports within 48 hours and providing regular updates on remediation efforts.

Security Updates

This page is regularly updated to reflect our current security practices. For the latest security information or to report security concerns, please contact us at [email protected].

Last reviewed: March 08, 2026

Contact Security Team