We treat your audio, transcripts, and credentials as the most sensitive things we handle. This page explains how — and how to report a problem.
Transport
Every connection between our apps, our website, and our backend runs over TLS 1.2+ with HSTS enforced for one year. Edge termination ensures strong cipher negotiation before traffic touches any origin server.
Authentication uses industry-standard JSON Web Tokens validated on every request with algorithm whitelisting and explicit issuer and audience checks. Refresh tokens are individually revocable. Signing out on the website ends the browser session; to sign out a paired phone or desktop, use the Devices section of your dashboard — each device can be revoked separately, or all at once.
Local credential storage uses the strongest mechanism available on each platform: Android EncryptedSharedPreferences (AES-256-GCM via the Android Keystore), Windows DPAPI, and Linux libsecret (GNOME Keyring or KDE Wallet). If the platform keyring is unavailable, the apps fail closed rather than writing plaintext tokens to disk.
Lven Instant (flagship): Audio is captured and transcribed entirely on your device by a speech model that ships inside the app. The audio never leaves your machine. Transcription history is stored locally on each device — nothing is sent to or stored by ClassEve. We physically cannot read what you dictated because we never receive it.
Lven Cloud (legacy server-side build): Audio is captured locally and uploaded over TLS to our transcription subprocessor (Groq) for the duration of the request only. Once the text is returned, the audio is discarded — never stored on the server. Cloud transcripts are saved in your account so the history view syncs across devices. You can export or delete them at any time from your account dashboard.
earslate (live translation on Android): Ambient audio streams in real time over an encrypted WebSocket to Google's Gemini Live API only while you hold the translation tile. Audio is processed in flight and discarded by Google; we never receive it ourselves.
All payment processing is performed by Paddle, a PCI-DSS Level 1 certified Merchant of Record. We never receive or store full card numbers. Billing webhook signatures are verified with HMAC-SHA256 and a 5-minute replay window, plus event-ID deduplication at the edge.
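A sketch of the webhook check described above, added here as an illustration and not ClassEve's or Paddle's own code. It assumes a `ts=<unix seconds>;h1=<hex>` signature header computed over `<ts>:<raw body>` and an `event_id` field in the JSON body; the class, the secret, and the event ID are constructed for the example.

```python
import hashlib
import hmac
import json
import time

WINDOW = 300  # seconds: the 5-minute replay window

def sign_header(secret: bytes, ts: int, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over "<ts>:<body>" (assumed layout)."""
    mac = hmac.new(secret, f"{ts}:".encode() + body, hashlib.sha256).hexdigest()
    return f"ts={ts};h1={mac}"

class WebhookVerifier:
    def __init__(self, secret: bytes, window: int = WINDOW):
        self.secret, self.window = secret, window
        self.seen = {}  # event_id -> signed timestamp (in-memory stand-in for an edge store)

    def verify(self, header: str, body: bytes, now=None) -> str:
        now = int(time.time()) if now is None else now
        try:
            fields = dict(part.split("=", 1) for part in header.split(";"))
            ts, provided = int(fields["ts"]), fields["h1"]
        except (KeyError, ValueError):
            return "malformed"
        # 1. Authenticate the raw bytes before parsing or trusting anything in them.
        expected = sign_header(self.secret, ts, body).split("h1=", 1)[1]
        if not hmac.compare_digest(expected.encode(), provided.encode()):
            return "bad_signature"
        # 2. The timestamp is covered by the MAC, so a captured request cannot be re-dated.
        if abs(now - ts) > self.window:
            return "stale"
        # 3. Inside the window, only event-ID deduplication stops a replay.
        try:
            event_id = str(json.loads(body)["event_id"])
        except (ValueError, KeyError, TypeError):
            return "malformed"
        # IDs only need to be remembered while their timestamp is still acceptable.
        self.seen = {e: t for e, t in self.seen.items() if now - t <= self.window}
        if event_id in self.seen:
            return "duplicate"
        self.seen[event_id] = ts
        return "ok"

if __name__ == "__main__":
    secret = b"constructed-test-secret"  # constructed sample values
    body = b'{"event_id": "evt_constructed_01"}'
    v = WebhookVerifier(secret)
    hdr = sign_header(secret, 1_700_000_000, body)
    print(v.verify(hdr, body, now=1_700_000_010))  # first delivery
    print(v.verify(hdr, body, now=1_700_000_020))  # replay inside the window
    print(v.verify(hdr, body, now=1_700_000_301))  # replay after the window
```

The three checks cover different cases: the MAC rejects forged or altered bodies, the window rejects old captures, and the ID store rejects a capture replayed while its timestamp is still fresh.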
You can export every record we hold for your account — profile, transcription history, paired devices — from the dashboard at any time, or by emailing security@classeve.com. Account deletion is atomic: your profile, transcripts, and device pairings are removed in a single transaction.
If you find something we should fix, please report it directly to security@classeve.com rather than opening a public issue. We’ll acknowledge within 72 hours and work with you on a coordinated disclosure timeline.
Our machine-readable contact lives at /.well-known/security.txt.