Security and Confidentiality

Descript treats your security, privacy, and data confidentiality as top priorities.

Security

We know you care about your privacy and confidentiality, and we do too. We wrote this page to answer your questions about your data: how we use it, store it, share it, and delete it.

Here is a summary of our policies, followed by a detailed Q&A:

How does Descript use my data?

Descript stores your Project Information — which includes the files you upload to Descript, the transcripts of those files, and other metadata included inside a Project — on our servers. This allows us to offer you features such as live collaboration, full version history of your Projects, and access to your Projects from any computer.

We don't use your Project Information for anything other than providing the service we offer — e.g. we don’t sell it; we don’t use it for marketing; we don’t use it for advertising.

Your Project Information is even confidential from us. The exception is if you specifically ask us to look at a Project for the purpose of customer service, or if you explicitly opt-in to sharing Project Information (e.g. the results of your automatic transcriptions) with us for the purpose of improving the quality of the algorithms we use to provide our service.

We use the services of third-party suppliers such as Google, Amazon, and Stripe. We list exactly what we share and why below.

Name, email address, password and billing details

Name. We use your name to make the experience of using Descript more personal. That is, we’ll say “Hi, Johnny,” not “Hi, User.” If you collaborate on a Project in Descript, your collaborators will also see your name when you interact with them by doing things like leaving a comment or sharing a Project.

Email. We use your email address as your main identifier in Descript and as the primary way to contact you.

Password. When you log in, we use your password to validate your account.

Billing details. When you sign up for a paid account, we collect billing details including your credit card information and billing address. We use this information to collect payments.

Who we share this information with

Auth0 to perform identity verification. Information shared: Name, email address and password hash.

Auth0 is an identity authentication provider that maintains the highest security standards and is trusted by enterprise customers worldwide. This allows us to better manage our users’ login experience and protect their credentials. We share your full name, email address and a hash of your password with Auth0 so you can log in to Descript securely.

Zendesk to provide customer support. Information shared: name and email address.

Zendesk is the customer support platform we use to answer customer questions and manage support tickets. We share your email with Zendesk to manage our customer service interactions with you.

Stripe to process subscription payments. Information shared: name, email address and billing information.

Stripe is our payments processor. Stripe uses your billing details to process your payments, and your email address to send payment receipts and to contact you if your payment method stops working.

A paid account is optional. You can try Descript without providing any billing information. Also, if you decide to go for a paid subscription, you may change your mind and cancel your subscription at any time from your Account page.

Customer.io to send emails. Information shared: Name and email address.

Customer.io is the email service provider we use to send emails to our users.

Descript marketing emails — you may opt out

In addition to sending emails about your account, we may also email you information about Descript. You may unsubscribe from these emails at any time by clicking the link in the footer of the email.

Mailchimp to send emails. Information shared: Name and email address.

Mailchimp is an email delivery service that we use to send transactional emails (e.g. when someone leaves a comment in one of your projects in Descript).

Media files, transcripts, and Descript Projects

We use the audio, video, and transcript files you upload to Descript to create your Descript Projects.

Who we share this information with

Google Cloud Speech-to-Text to provide automatic transcription

Google only accesses or uses your data to complete the automatic transcription service. Shortly after completing the service, Google deletes your data from its servers.

As the only HIPAA-compliant automatic transcription service, Google is an extremely privacy-friendly transcription service.

Rev to provide automatic or human-powered transcription

Rev is a transcription service. If you request a White Glove transcription, we will share your audio files with Rev, which has strict confidentiality agreements with all of its employees.

To improve Descript — you may opt in

You can choose to share your transcription information with Descript to help improve the quality of our service. This option is disabled by default and can only be enabled by you. You can change this setting from your Descript account at any time.

Amazon AWS to store your files

After the initial transcription, Descript stores your audio, video, and transcription data on Amazon AWS, the same service used by the CIA and thousands of other organizations that prioritize security.

Usage Data

We collect usage analytics on how you use the app to detect bugs and ensure that our software is behaving as expected. We do not access or collect information from your confidential Projects or files. Your usage data is deleted if you delete your account.

How we share your usage data

Segment to consolidate and organize it

We use Segment as a data-transfer layer to consolidate and organize usage data so we can analyze it effectively.

Amplitude and Google Analytics to analyze it

We use Amplitude and Google Analytics to help us analyze your usage data to understand if everything is working as expected inside the app and identify ways in which we could improve our product.

Overdub Voices

Creating an Overdub Voice is entirely optional and is not required to use the core functionality of Descript. If you decide to use this feature, here are a few things you should know:

You may only use recordings of 'Consenting Speakers' to create 'Overdub Voices.' As part of the Overdub Voice creation process, Speakers must read a script, designated by Descript, which states the Speaker’s identity and affirms their consent to Overdub synthesizing their voice. No other voice recording can be used for creation of an Overdub Voice.

We train and host your artificial voice using Google Cloud. Also, we use the audio that you shared as 'Training Audio' to improve our service.

After your Overdub Voice is created, Descript generates a series of non-defamatory samples using your Overdub Voice and shares them with Amazon Mechanical Turk so an impartial human can listen to them and assess their quality. Also, Descript employees may listen to samples of your Training or Generated audio for quality assurance purposes.

Other than as described above, only you and people you explicitly grant permission to will be able to generate synthesized audio using your Overdub Voice.

How does Descript protect my data?

Auth0 ensures login integrity

We employ Auth0, a best-in-class identity authentication platform, to ensure our users’ login credentials are protected and secure.

We encrypt it

Any data uploaded to Descript is stored in an encrypted database while at rest. Any time your data is “in transit,” it is encrypted over HTTPS, the industry standard for secure internet transactions. This means that the data you send to and from Descript is secure, even if your network is not secure, such as when you’re on a public Wi-Fi network.

We have a Data Protection Officer

At Descript, we have implemented a set of internal policies and procedures related to data protection that all our employees must follow. We have designated a Data Protection Officer who is accountable for enforcing these policies and ensuring that data protection issues are promptly communicated to our CEO.

We map our data inventory

Our Data Protection Officer works closely with our engineering team to ensure that we always know what user data we have, where we’re storing it, and who has access to it.

We have Third Party Service Agreements in place

We only work with third-party suppliers that have strict data protection policies and are willing to commit to data processing agreements that preserve the privacy of our users and their data.

We are working on SOC 2 compliance

We are preparing to have a Certified Public Accounting firm audit our internal measures and controls regarding data protection against the SOC 2 standards. We expect to receive this certification by the end of 2020.

Your rights

As our user you have a number of rights:

Right to access

Most of your personal data in Descript is visible from your account page. To access your account, click on the circle with your initials in the top right corner of Descript. If you want a detailed report, send a Subject Access Request to dpo@descript.com.

Right to be forgotten

When you delete a Project from Descript, we delete it permanently from our servers within 30 days. If you delete your user account, all data associated with your account is permanently deleted.

Right to be informed

You have the right to know all the personal information we have on you and what we are doing with it — that’s why we wrote this page. If you have additional questions, email us at dpo@descript.com.

Right to equal services and price

Descript will not increase the price or decrease the quality of the service for any customer who exercises their rights under these regulations.

Right to withdraw consent

You have the right to withdraw consent for us to process your data. In the section above, we describe the different levels of consent you can agree to and how to give and withdraw consent — for example, you can unsubscribe from some emails, or you can choose to share your transcript data to improve our transcription accuracy. To withdraw your consent completely, simply delete your Descript account.

Right to portability

You have the right to obtain all of the personal data Descript has on you in a structured and commonly used format. We will gladly prepare this for you at your request. To initiate this request, send us an email at dpo@descript.com.

Right to correction

Most of your personal data can be modified from your Descript account page. To access your account, click on the circle with your initials in the top right corner of Descript. If you would like us to make any modifications for you, just send us a request at dpo@descript.com.

Right to object

We only use your personal data for the purpose of providing you with our service. If you think we are not honoring this, send an email describing the issue to dpo@descript.com and we will start an investigation right away.

Right to stop automated decision-making

Our system doesn't do any automatic profiling to make decisions. If for any reason you believe that we are making automatic decisions and you would like us to stop, email dpo@descript.com describing the issue and we will start an investigation right away.

Right to stop processing and right to stop third-party transfer

If you’d like Descript to stop processing your personal data or stop third-party transfers, simply delete your Descript account. By doing so, all your data will be permanently deleted.

Where can I ask other questions about data protection?

If you have any questions or comments regarding how Descript protects your data or about our compliance with any of the regulations mentioned above, you can email our Data Protection Officer at dpo@descript.com.