Swell

IT Network Requirements

Last updated: June 15, 2026
Contact: hello@tryswell.co

One-page reference for corporate IT teams evaluating Swell on managed Macs. For full context, see our Security Overview:
https://tryswell.co/security

SUMMARY

Swell is a native macOS app for real-time sales call coaching. It requires outbound HTTPS and WSS from the user's Mac to Swell APIs and Deepgram for speech-to-text. Coaching AI runs on Swell's servers; the Mac does not connect directly to OpenAI or Anthropic.

Raw audio is not stored by Swell. Transcript text is retained for 24 hours by default, then automatically purged.

DOMAINS TO ALLOWLIST

Allow outbound traffic from user Macs:

api.tryswell.co
Port: 443
Protocol: HTTPS
Purpose: Authentication, REST API, Sparkle app updates
Required: Yes

coach.tryswell.co
Port: 443
Protocol: WSS
Purpose: Real-time coaching
Required: Yes

api.deepgram.com
Port: 443
Protocol: WSS
Purpose: Speech-to-text streaming
Required: Yes

*.workos.com
Port: 443
Protocol: HTTPS
Purpose: OAuth sign-in (system browser)
Required: Yes (sign-in)

Sign-in flow: Authentication opens the user's default web browser (not an embedded WebView). WorkOS hostnames must be reachable during login.

Optional or intermittent:

GitHub Releases (if used for DMG hosting) — Initial app download only; confirm your distribution URL
*.sentry.io — Crash reporting (if enabled in build)

TLS AND SSL INSPECTION

All connections use TLS 1.2 or later.
Swell uses the macOS system trust store (no certificate pinning).
Corporate SSL/TLS inspection is supported (Zscaler, Netskope, etc.) provided the inspection CA is trusted by the Mac.

MACOS PERMISSIONS (USER-GRANTED)

Microphone
System Settings: Privacy and Security, Microphone
Purpose: AE speech

System Audio Recording
System Settings: Privacy and Security, System Audio Recording
Purpose: Meeting and prospect audio (macOS 14.2+)

IT cannot pre-approve all permission types via MDM; users grant access during onboarding. Swell cannot capture audio without consent.

APPLICATION INSTALLATION

Distribution — Direct download (notarized DMG); not Mac App Store
Code signing — Apple Developer ID
App Sandbox — Disabled (required for system audio capture)
Minimum macOS — 15.0

MDM tip: Deploy via approved software catalog or allowlist the Developer ID team ID after reviewing the signed bundle. Gatekeeper requires notarization for smooth install.

DATA RESIDENCY AND EGRESS

STT — Mac to api.deepgram.com — Audio stream (not retained by Swell)
Coaching — Mac to coach.tryswell.co — Transcript text, session metadata
API — Mac to api.tryswell.co — Auth, profile, session finalize
LLM processing — Swell servers to OpenAI, Anthropic — Transcript text (server-side only)

Swell subprocessors may process data in the United States. See our Subprocessor list:
https://tryswell.co/security/subprocessors

SECURITY CONTACTS

Security review and vulnerabilities — hello@tryswell.co
Privacy and data deletion — hello@tryswell.co
End-user support — hello@tryswell.co

FAQ FOR IT REVIEWERS

Does Swell record and store calls?

Swell streams audio for real-time transcription. We do not retain raw audio. Transcript text is stored temporarily (default 24 hours) for coaching and session history, then purged.

Can we block Deepgram and proxy through our network?

The Mac app currently requires direct WSS to api.deepgram.com. Contact hello@tryswell.co if single-domain egress is a hard requirement.

Is SOC 2 available?

Swell (San Gregorio Labs Inc.) does not yet hold SOC 2. Deepgram and other subprocessors maintain their own certifications. See:
https://tryswell.co/security/subprocessors

Does the app work with VPN and SSL inspection?

Yes, when the Mac trusts the inspection CA.