GOAL Investment Inc. · DictateIQ — Security Overview

GOAL Investment Inc.

Insured & Bonded | Est. 2013 | Crystal Lake, IL

DictateIQ is built on a multi-layer security architecture designed to protect sensitive law enforcement data at every point in the workflow — from the moment an officer speaks into their phone to the moment the Chief reviews the final report. This document outlines the specific technical controls, encryption standards, and operational safeguards in place.

Security Controls — Active

🔒

TLS 1.3 Encryption — In Transit

All voice calls, transcriptions, API requests, and report deliveries travel over TLS 1.3 — the highest current standard. No data ever moves over plain HTTP.

ENFORCED — All Endpoints

🎲

256-Bit Random Token — Report URLs

Every report file is assigned a cryptographically random 256-bit token. The URL is mathematically unguessable — not sequential, not predictable. Only the officer receives it by SMS.

crypto.getRandomValues()

✍️

Twilio HMAC-SHA1 Signature Validation

Every incoming call and SMS is verified using Twilio's cryptographic signature. Forged or spoofed requests are rejected with a 403 Forbidden before any data is processed.

HMAC-SHA1 · Per Request

🚫

Directory Enumeration Blocked

The report storage directory has no index. Visitors cannot browse, list, or enumerate stored files. Access requires a valid token URL.

Options -Indexes

📥

Forced Download — No Browser Preview

Reports are delivered as forced file downloads, not browser-viewable pages. This prevents cached previews and ensures the file is received intentionally.

Content-Disposition: attachment

🗄️

No-Cache Headers

All report responses include Cache-Control: no-store. Reports are never cached by browsers, proxies, or CDNs between the server and the recipient.

no-store · must-revalidate

📵

Write Methods Blocked

The report directory only accepts GET requests. POST, PUT, DELETE, and PATCH are blocked at the server level — no external party can modify or overwrite stored reports.

LimitExcept GET → Deny

🛡️

Clickjacking Protection

X-Frame-Options: DENY is set on all report responses. Reports cannot be embedded in a third-party iframe or used in frame-injection attacks.

X-Frame-Options: DENY

🔐

HTTPS-Only Enforcement

Any attempt to access a report over HTTP is automatically redirected to HTTPS with a 301 permanent redirect before any content is served.

301 Redirect · SSL Required

Security Layer Summary

Layer	What Is Protected	Standard / Method	Status
Voice Transmission	Officer's spoken report over phone	Twilio SRTP + TLS 1.3	✅ ACTIVE
Transcription	Audio → text via OpenAI Whisper	HTTPS / TLS 1.3 · API key auth	✅ ACTIVE
Field Extraction	GPT-4o processing of transcript	HTTPS / TLS 1.3 · API key auth	✅ ACTIVE
Webhook Integrity	Incoming call / SMS authenticity	HMAC-SHA1 Twilio Signature	✅ ACTIVE
Report File Storage	DOCX stored on web server	256-bit random token filename	✅ ACTIVE
Report Delivery (SMS)	Download link sent to officer	Twilio SMS / TLS · Officer's device only	✅ ACTIVE
Chief Notification	Alert to Chief's two verified numbers	Twilio SMS · Dual-number verification	✅ ACTIVE
Database Records	Report metadata in Base44 database	Service-role token auth · Encrypted at rest	✅ ACTIVE
Directory Access	Report folder browsability	Options -Indexes · LimitExcept GET	✅ ACTIVE
Browser Cache	Report preview / caching	no-store · Content-Disposition: attachment	✅ ACTIVE

Secure Data Flow — Step by Step

Officer calls (815) 893-3167 — Voice is encrypted in transit via Twilio SRTP. Call metadata is verified with HMAC-SHA1 before processing begins.
Recording is transcribed — Audio is sent to OpenAI Whisper over TLS 1.3. No audio file is stored after transcription completes.
GPT-4o extracts all fields — Transcript is processed over TLS 1.3. ILCS statutes, UCR codes, and flags are auto-assigned without officer input.
DOCX report is generated — File is built in memory and assigned a 256-bit cryptographically random token as its filename. No sequential numbering.
Report is uploaded via SFTP — Transferred over encrypted SSH channel directly to /reports/ directory. Directory browsing is disabled.
Officer receives SMS — Secure token URL delivered to officer's verified phone number only. Link is unique and unguessable.
Chief Gumble receives dual alert — Simultaneous SMS to both verified department and personal numbers. Contains case summary and direct report link.
Record saved to encrypted database — All metadata stored in Base44 database with service-role authentication. Accessible only via authenticated dashboard.

Data Handling Commitments

🚫 No Audio Retention

Voice recordings are downloaded from Twilio for transcription only. No audio file is retained in the DictateIQ system after processing. Audio is deleted from Twilio storage per their standard 30-day policy.

🚫 No Third-Party Data Sharing

Report data is not shared with, sold to, or accessible by any third party. GOAL Investment Inc. is the sole operator of the DictateIQ infrastructure.

✅ Minimal Data Collection

Only data explicitly provided by the reporting officer is stored. No passive data collection, no tracking, no analytics on report content.

Privacy by Design

✅ Access Controlled by Phone Number

Reports are delivered exclusively to the phone number that filed the report. No login portal means no credential theft surface. Chief alerts go only to pre-verified, hardcoded department numbers.

Zero-Login Architecture

Standards Alignment

TLS 1.3Encryption in Transit

HMAC-SHA1Webhook Authentication

256-bit TokenFile Access Control

SFTP / SSHSecure File Transfer

HTTPS-OnlySSL Enforced

CJIS-AwareDesign Alignment

No-CacheBrowser Protection

Zero-LoginNo Credential Surface

CJIS Awareness Note

DictateIQ is designed with awareness of FBI CJIS Security Policy principles including data encryption in transit, access control, and audit logging. Departments requiring full CJIS certification for criminal history integration should consult their state CJIS Systems Agency. DictateIQ as a report-generation tool — not a criminal history query system — operates outside the scope of mandatory CJIS certification for its core workflow.

Operational Security Posture

🔑

Zero Sequential IDs

No report file can be guessed by incrementing a number. Every filename is a unique 32-character hex string.

📡

Encrypted Channels Only

TLS 1.3 on all API calls. SRTP on voice. SFTP for file transfer. No plaintext paths.

🧱

Spoofing Blocked

Twilio HMAC signature validation rejects any request not originating from verified Twilio infrastructure.

🔇

No Exposed Admin Panel

Dashboard access is direct-URL only with no public login page. No credential attack surface for the public.

📋

Full Audit Trail

Every report is logged with officer phone, timestamp, case number, statute, and status in the database.

👁️

Chief Oversight Built-In

Every report automatically notifies the Chief on two verified numbers. No report goes unreviewed.