Swell Security Overview

Last updated: June 15, 2026
Contact: hello@tryswell.co

PRODUCT SUMMARY

Swell is a native macOS application that provides real-time coaching during sales discovery calls. During an active coaching session, the app:

  1. Captures the user's microphone and system audio (meeting audio from Zoom, Google Meet, etc.) with explicit user permission

  2. Transcribes speech in real time via Deepgram

  3. Sends transcript text to Swell's coaching service for AI-generated suggestions

  4. Displays coaching suggestions to the user during the call

Swell is designed for individual account executives evaluating the product on company-managed Macs. The Service is currently offered as an early access release.

Operator: San Gregorio Labs Inc.

ARCHITECTURE AND DATA FLOW

Mac App (Swell)

  • Mic and system audio (local; macOS permissions)

  • wss://api.deepgram.com — speech-to-text (short-lived JWT from Swell API)

  • wss://coach.tryswell.co — real-time coaching (authenticated WebSocket)

  • https://api.tryswell.co — auth, profile, session APIs, app updates

Swell Backend

  • Vercel (api.tryswell.co) — REST API, WorkOS auth proxy, scheduled jobs

  • Railway (coach.tryswell.co) — WebSocket coaching relay

  • Convex — user profiles and session storage

AI subprocessors (all called server-side, except that the Mac app connects directly to Deepgram for speech-to-text only)

  • Deepgram — speech-to-text

  • OpenAI — real-time coaching trigger

  • Anthropic — coaching suggestion generation

Key points for reviewers:

  • Raw audio is not stored by Swell. Audio is streamed for transcription only.

  • Transcript text and coaching metadata are stored temporarily (default 24 hours), then automatically purged.

  • Authentication tokens are stored in the macOS Keychain on the user's device.

For firewall allowlists, see IT Network Requirements:
https://tryswell.co/security/network

MACOS PERMISSIONS

Microphone — Transcribe the account executive's speech
System Audio Recording — Transcribe meeting and prospect audio (macOS 14.2+)

Permissions are requested during onboarding. The app cannot capture audio without explicit user consent.

Distribution note: App Sandbox is disabled, which is required for system audio capture. Swell is distributed as a notarized DMG outside the Mac App Store, signed with an Apple Developer ID certificate.

Minimum OS: macOS 15.0

AUTHENTICATION AND ACCESS CONTROL

Identity — WorkOS AuthKit (Google OAuth or email)
OAuth flow — PKCE; authorization in system default browser
Session tokens — Stored in macOS Keychain
API access — WorkOS JWT required on protected REST endpoints and coaching WebSocket
Deepgram access — Short-lived grant JWT (~60s default TTL); master API keys never embedded in the Mac app
Rate limiting — Upstash Redis on token mint and LLM-cost paths (when configured)

ENCRYPTION

In transit — TLS 1.2+ on all client and server connections
At rest — Convex and cloud provider-managed encryption
Local secrets — macOS Keychain for auth tokens

TLS certificate pinning: Not used. Swell relies on the macOS system trust store so the app works on corporate-managed Macs with SSL/TLS inspection (Zscaler, Netskope, etc.).

DATA RETENTION

Raw audio — Not retained by Swell
Call transcripts and coaching suggestions — 24 hours (default), then automatically purged via scheduled job
Account information (email, user ID) — Until account deletion is requested
Optional sales framework preferences — Until user deletes or account is closed
Crash diagnostics (Sentry) — Per Sentry retention; default PII collection disabled in app
Server logs — Operational retention per hosting provider defaults

Transcript retention is configurable server-side (default 24 hours).

APPLICATION DISTRIBUTION AND UPDATES

Package format — Notarized DMG
Code signing — Apple Developer ID Application
Updates — Sparkle framework; appcast hosted at api.tryswell.co
Runtime — Hardened Runtime enabled

SUBPROCESSORS

Swell uses third-party services to operate the product. A full list with purposes and security links is at:
https://tryswell.co/security/subprocessors

CERTIFICATIONS AND COMPLIANCE POSTURE

San Gregorio Labs Inc. is an early-stage company and does not currently hold SOC 2 Type II or ISO 27001 certification.

We select subprocessors with established security programs (e.g. Deepgram SOC 2, WorkOS security documentation). Enterprise customers requiring a DPA or security questionnaire should contact hello@tryswell.co.

PRIVACY AND TERMS

Privacy Policy: https://tryswell.co/privacy
Terms of Service: https://tryswell.co/terms

REPORTING SECURITY ISSUES

Email hello@tryswell.co with:

  • Description of the issue

  • Steps to reproduce (if applicable)

  • Your contact information

We aim to acknowledge reports within 3 business days. Please do not publicly disclose unresolved vulnerabilities without coordinating with us.

DOCUMENT HISTORY

June 15, 2026 — Initial public security overview