Mercor had a SOC 2, an MSA, all the right clauses. Voices still leaked. The apology email writes itself.

Why is voice and biometric stuff still server-side at all in 2026? Whisper.cpp runs on a phone. WebGPU works. Half these "we keep your voice secure" pipelines could run in the browser today.

The real reason isn't capability. It's cost. Centralised compute is cheaper to run, but that math only holds if you don't price in the periodic breach. Which nobody does until it's their own employees on the leak list.