Legal

Third-Party License Notices

This page is limited to backend third-party components whose licenses stand out in this codebase because they can create stronger obligations than the usual permissive-license housekeeping. It does not list MIT, BSD, or Apache-style components that typically only require notice retention in redistributed copies or other distribution artifacts.

Scope

The review is based on the backend dependency set, the runtime execution path, and the deployment artifacts used to run and package the service. MIT, BSD, Apache-2.0, and similar permissive licenses are not listed here because they generally do not require a dedicated public webpage notice on a hosted product. This page does not replace the full upstream license texts or legal terms.

Storage And Processing

The current backend flow works like this:

Secure object storage

For the direct browser upload path, source audio is written to managed object storage and treated as temporary source storage. The backend marks uploaded source audio as available for up to 1 day after job creation, and completed result JSON as available for up to 7 days after completion.

The storage infrastructure we use is backed by providers that publicly maintain SOC 2 Type II and ISO 27001, ISO 27017, ISO 27018, and ISO 27701 compliance programs, along with GDPR support, data localization controls, and encryption in transit and at rest.

Secure processing infrastructure

Processing runs on managed compute infrastructure. Uploaded or remote audio is materialized onto isolated workers and processed there, and temporary worker-local audio files are removed at the end of the job. Completed transcript results are then written back to managed object storage and exposed through the 7-day result-retention window described above.

The processing infrastructure we use is backed by providers that publicly state SOC 2 Type II coverage, encryption in transit and at rest, GDPR-aligned controls, and additional security governance options such as HIPAA support and business associate agreements on eligible plans.

Backend Notices Worth Surfacing

Most backend dependencies in this repository have permissive licenses that do not require a standalone public web notice page. The items below are the concrete exceptions worth surfacing because they are either copyleft components used in live backend code paths or GPL-licensed binaries that are packaged into deployed backend artifacts.

3 projects

yake

Keyword extraction used by insights features.

AGPL-3.0-or-later

Project: https://github.com/INESCTEC/yake

Notice requirement: If a modified version of the covered software is made available for public network interaction, users must be offered the corresponding source of that modified version and the AGPL notice must be preserved.

mutagen

Audio-duration fallback used by the backend when ffprobe is unavailable.

GPL-2.0-or-later

Project: https://github.com/quodlibet/mutagen

Notice requirement: Because this library is used in a live backend code path and can be conveyed inside distributed backend artifacts, GPL notice preservation and corresponding-source obligations should be treated as in-scope for distributed copies.

ffprobe static layer

Static ffprobe binary downloaded by the packaging script.

GPL-3.0

Project: https://johnvansickle.com/ffmpeg/

Notice requirement: The packaging flow pulls from John Van Sickle's GPLv3 static FFmpeg builds. Because that binary is repackaged and published as a deployment artifact, the GPLv3 license notice and source-availability obligations should be treated as applicable.