Posts Archive
Technical and litigation notes
Audio Data Security — Voice Notes in Transit and at Rest
The WhatsApp AI agent downloads voice notes from Meta's media API, stores them as temp files on the Raspberry Pi, transcribes them with Whisper, and then links the transcript to workspace records. At each step, the voice data is both sensitive (potentially privileged legal communications) and at risk.
Security & Compliance
SSH Key Management in Production Systems
The www-data SSH key used by the webhook server to call AI services is a production credential. Compromise of that key means an attacker can call your AI services, potentially exfiltrate conversation data, or use your resources for unintended purposes.
Security & Compliance
Securing an Exposed Webhook Server
A webhook endpoint that receives WhatsApp messages from Meta is exposed to the public internet. HMAC signature verification proves the payload came from Meta, but it does not protect against replay attacks, rate-based amplification, or attackers who obtain the app secret.
Data Privacy & GDPR
Self-Hosted AI and Data Sovereignty
Running Ollama, Whisper, and Kokoro on premises means conversation data never leaves your infrastructure. For a legal practice handling privileged communications, this is a meaningful data protection advantage. But self-hosting is not a compliance certificate.