2. The privacy contract
These promises are the product. They hold in v1 and every subsequent version. A
violation is a P0 bug.
- Audio never leaves the device.
- Transcripts and minutes are stored encrypted at rest.
- Zero outbound network calls from the core app — no telemetry, no analytics, no anonymous launch counters.
- Exports are user-initiated, one recording at a time, with a confirmation screen showing exactly what will be sent and where.
- No account, no cloud sync, no login.
- This page exists, in plain English, and stays current.
- Privacy-critical code is open source on day one.
3. Data flow, step by step
- You tap Record. If your settings request a consent prompt, the app presents it before the recorder starts.
- The record library captures audio at 16 kHz mono and writes it to an AES-256-GCM-encrypted file in your app-private storage. A foreground service keeps the recorder alive when your screen is off.
- You tap Stop. A second foreground service decodes the AAC audio to PCM and hands 30-second segments to whisper.cpp via Dart FFI. The segments are concatenated into a single transcript and written to the SQLCipher database.
- You pick a minutes template. On supported devices the transcript is passed to Gemini Nano via Android AICore through a Pigeon-generated platform channel. On every other device a deterministic Dart extractor produces structured minutes from the transcript. Either way, the resulting minutes are saved to the encrypted database next to the transcript.
- You review the minutes, edit if needed, and optionally tap an export. Each export shows a confirmation screen, then writes an entry to the local export audit log before invoking the Android export intent.
4. Encryption details
4.1 Audio files
Audio files are encrypted at rest with AES-256-GCM using the
cryptography Dart package. The file format is
[12-byte nonce][16-byte MAC][ciphertext]. Nonces are generated per file
from a cryptographic random source.
4.2 Database
The SQLite database is encrypted with SQLCipher via
sqflite_sqlcipher. The database key is passed via SQLCipher's
PRAGMA key on every open. The schema includes
meetings, transcripts, minutes,
export_audit_log, and settings tables.
4.3 Key management
The master key is a 256-bit random value generated on first launch and stored in the
Android Keystore via flutter_secure_storage. On devices with
StrongBox-backed hardware (Pixel 3 and later, Galaxy S20 and later, most flagship
Android phones from 2020 onwards), the key is protected by a dedicated security
chip. An audio-specific subkey is derived via HKDF so that the audio file encryption
and the database encryption use different cryptographic material.
4.4 Honest threat-model note
Encryption at rest protects against an attacker who obtains your device while it is
locked. If your device is unlocked and SumaFlow Minutes is in the foreground, an
attacker with physical access can read what is on screen. Requiring biometric unlock
per meeting was considered and rejected as too much friction for a notes app. If your
threat model includes physical-access attackers, you should know this before relying on the app.
5. The network manifest
This is the strongest privacy proof point in the product. The core app's
AndroidManifest.xml declares the following permissions:
<uses-permission android:name="android.permission.RECORD_AUDIO" />
<uses-permission android:name="android.permission.FOREGROUND_SERVICE" />
<uses-permission android:name="android.permission.FOREGROUND_SERVICE_MICROPHONE" />
<uses-permission android:name="android.permission.FOREGROUND_SERVICE_DATA_SYNC" />
<uses-permission android:name="android.permission.POST_NOTIFICATIONS" />
<!-- INTERNET intentionally absent -->
The INTERNET permission is absent in v1. Android does
not allow an app to make outbound network calls without this permission. The export
flow uses Android share/email/PDF intents, which delegate the network call to a
different app (the email client, the PDF viewer, etc.) and therefore do not require
the originating app to hold INTERNET itself.
You can verify this by inspecting the APK — see "How to verify the
claims yourself" below. We consider this the single most important architectural
commitment in the product.
Additionally, the manifest sets
android:usesCleartextTraffic="false" and points at a strict
network-security-config.xml that disallows cleartext traffic to every
domain. Even if a future build mistakenly introduced a network call, it would be
required to use HTTPS.
6. Open-source modules
The privacy-critical code is published under a permissive license at
github.com/SumaFlow-App/sumaflow-minutes-privacy-core.
That repository contains:
- The full AndroidManifest.xml and network security config.
- The Kotlin recording foreground service implementation.
- The Dart AES-256-GCM file encryption module.
- The SQLCipher database open / key management code.
- The Pigeon platform channel definition for the minutes generation bridge.
The rest of the application is a commercial product and remains in a private repository.
We publish exactly the code you would need to audit to validate the privacy claims.
7. The export audit log
The export audit log covers the export side of the architecture. Every time you export a
recording, the app writes an entry to a local, append-only table. Each entry contains:
- UUID of the entry
- UUID of the source meeting (intentionally not a foreign key — the log survives meeting deletion)
- Timestamp of the export
- Destination type (pdf / email / clipboard / share)
- SHA-256 hash of the exported content
- App version at time of export
The DAO that fronts this table exposes only insert and query
methods; there is no update or delete. A user who wishes to
remove a log entry can export the entire log as CSV, then uninstall and reinstall —
there is no in-app shortcut.
8. What we protect against, and what we don't
- Protected: network surveillance of your meetings (we cannot intercept
audio we never receive), accidental cloud leakage from a compromised vendor (we
have no vendor in the audio path), subpoena of recordings from SumaFlow (there is
nothing to subpoena), encryption at rest if your phone is lost while locked.
- Not protected: physical-access attacks while your phone is unlocked
and the app is open, screen-recording malware running on a compromised device, an
adversary who compels you to unlock the app. These are device-level threats that no
on-device app can address by itself.
9. How to verify the claims yourself
The architecture is designed to be auditable. Treat the steps below as a starter list,
not an exhaustive procedure.
- Inspect the APK. Download the published APK from Google Play. Use aapt dump permissions or apkanalyzer manifest permissions to list the declared permissions. Confirm that android.permission.INTERNET is not present.
- Inspect the manifest. Unpack the APK with apktool. Open AndroidManifest.xml and confirm it matches the manifest published in the open-source privacy-core repository.
- Monitor network traffic. Install the app on a rooted test device. Route traffic through mitmproxy or a similar interceptor. Use the app through the full record → transcribe → minutes flow. Confirm that no outbound requests originate from the app's UID.
- Read the open-source code. The SumaFlow-App/sumaflow-minutes-privacy-core repository is the canonical source for the recording, encryption, and key-management modules.
- Compare hashes. The privacy-core repository ships its own SHA-256 manifest. The published APK's compiled output should match.
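To make the manifest comparison repeatable, here is an added Go example (not the project's own tooling) that parses a decoded AndroidManifest.xml, as apktool writes it, and reports any permission outside the set this page publishes for v1, plus a usesCleartextTraffic value other than "false". The sample manifest is constructed from the fragment in section 5 with a minimal root and application element added.

```go
package main

import "encoding/xml"

// Constructed sample: the v1 permission block published on this page, wrapped in a
// minimal root and application element so it parses (a real file has far more).
const sampleManifest = `<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.RECORD_AUDIO" />
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE" />
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MICROPHONE" />
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_DATA_SYNC" />
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS" />
  <!-- INTERNET intentionally absent -->
  <application android:usesCleartextTraffic="false" android:networkSecurityConfig="@xml/network_security_config" />
</manifest>`

// publishedPermissions is the exact set the page commits to for v1; anything else is a finding.
var publishedPermissions = map[string]bool{
	"android.permission.RECORD_AUDIO":                  true,
	"android.permission.FOREGROUND_SERVICE":            true,
	"android.permission.FOREGROUND_SERVICE_MICROPHONE": true,
	"android.permission.FOREGROUND_SERVICE_DATA_SYNC":  true,
	"android.permission.POST_NOTIFICATIONS":            true,
}

// manifest models only what the check needs; attribute tags bind on the local name, so android:name matches.
type manifest struct {
	Permissions []struct{ Name string `xml:"name,attr"` }                     `xml:"uses-permission"`
	App         struct{ Cleartext string `xml:"usesCleartextTraffic,attr"` } `xml:"application"`
}

// checkManifest compares a decoded manifest (e.g. apktool output) against the published
// contract and returns findings; an empty result means the APK matches the page.
func checkManifest(data string) ([]string, error) {
	var m manifest
	if err := xml.Unmarshal([]byte(data), &m); err != nil {
		return nil, err
	}
	var findings []string
	for _, p := range m.Permissions {
		if !publishedPermissions[p.Name] { // INTERNET, or any newly added permission, lands here
			findings = append(findings, "unexpected permission: "+p.Name)
		}
	}
	if m.App.Cleartext != "false" {
		findings = append(findings, "usesCleartextTraffic is not \"false\"")
	}
	return findings, nil
}
```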
10. What's on the roadmap
These items are deliberately not in v1. They will preserve the privacy contract.
- Speaker diarization — on-device (e.g., pyannote ONNX or Sherpa-ONNX). Adds app size; no architectural concession needed. v1.1 candidate.
- Encrypted backup to your own cloud — opt-in, end-to-end encrypted, using a passphrase only you hold. Backup destinations would be storage providers you already use (Google Drive, Dropbox). SumaFlow would not hold the keys. v1.1.
- iOS port — Whisper builds for iOS; the on-device LLM path would use Apple's Foundation Models framework. v2.0.
- SOC 2 Type 1 — at the point when revenue justifies the audit.
11. Where to send questions
- Technical or architecture questions — hello@sumaflow.app.
- Privacy questions or data-rights requests — privacy@sumaflow.app.
- Security vulnerability reports — security@sumaflow.app. We will acknowledge receipt within a reasonable timeframe and respond as quickly as we can. Responsible disclosure is appreciated.