Security & trust

Your callers' voices, safe.

Encrypted in transit and at rest. Hosted in the region your customers live in — AU and UK live today, EU and US as you land there. Audit-ready from day one. Written by people who actually read the controls.

Controls

How we actually protect your data.

Less a poster, more a checklist. Here's the shape of our security programme.

Encryption everywhere

Data is encrypted end-to-end, with customer-managed keys available on Scale.

  • AES-256-GCM at rest
  • TLS 1.3 in transit (audio, API, admin)
  • SRTP for voice media channels
  • AWS KMS / CMK, rotating by policy

Regional data residency

Your data doesn't leave the region you pick, full stop.

  • Live: ap-southeast-2 (Sydney)
  • Live: eu-west-2 (London)
  • On demand: eu-west-1, eu-central-1, us-east-1
  • Scale: dedicated VPC in your AWS account
  • No inter-region sync, ever

Access, fine-grained

Who sees what, and proof of who saw what.

  • SAML/OIDC SSO (Okta, Azure AD, Google)
  • SCIM provisioning & deprovisioning
  • RBAC with per-workspace scopes
  • Immutable audit log, exportable

PII handling

Sensitive data is redacted from transcripts and kept off downstream logs.

  • Real-time PII redaction (card numbers, SSN, Medicare)
  • Voice biometric opt-out by default
  • Configurable retention: 1–365 days
  • Right-to-delete API for GDPR / APP requests

Monitoring & response

We watch the platform so you don't have to — and we tell you when something happens.

  • 24 / 7 SOC with Datadog + Panther
  • Anomaly detection on call patterns
  • 4-hour RTO for security incidents
  • Public status page + RSS

Vendor & sub-processor trust

A small, audited set of sub-processors. You can see all of them.

  • AWS (infra, region-pinned)
  • Deepgram (speech-to-text)
  • ElevenLabs / Cartesia (voice synth)
  • Full list in DPA · updated in public changelog

Data flow

Every call, every step, inside your region.

01 · Ingress

Carrier → SBC

SIP/SRTP from your carrier terminates at our region-local Session Border Controller.

02 · Pipeline

Pipecat runtime

Audio is streamed through our containerised pipeline — STT, LLM, TTS, tools — all in-region.

03 · Tool calls

Signed + scoped

Every outbound integration call is HMAC-signed with per-tenant keys, from known IPs.

04 · Storage

Your region, your keys

Audio + transcripts encrypted with your CMK. Retention set by your policy, not ours.

Audio never leaves the customer's region — ap-southeast-2 for AU tenants, eu-west-2 for UK tenants, and so on. No cross-region replication, no "convenience copies," no third-party training.

Data handling

What we keep, where, for how long.

| Data type | Default retention | Configurable | Used for training |
|---|---|---|---|
| Call audio (raw recording) | 30 days | 1 – 365 days | Never |
| Transcripts (redacted text) | 90 days | 1 – 365 days | Never |
| Call metadata (numbers, durations, outcomes) | 2 years | 90 days – indefinite | Aggregated only |
| Tool-call logs (integration events) | 90 days | 30 – 365 days | Never |
| Payment data (card, BSB, bank acct) | Never stored | Tokenised only | Never |

Security FAQ

The questions your security team will ask.

Do you train models on our calls?

No. Customer audio and transcripts are never used for model training, either by us or our sub-processors. We use model providers under contractual no-training terms, and our own fine-tuning runs only on synthetic data or opted-in samples.

Where exactly is the data stored?

AU customers run in AWS ap-southeast-2 (Sydney). UK customers run in eu-west-2 (London). Audio, transcripts, metadata, and logs all reside in the tenant's region — no cross-region replication. For customers in the EU (eu-west-1 Dublin, eu-central-1 Frankfurt) or US (us-east-1), we stand up the region as part of onboarding. On Scale, customers can also deploy into a dedicated VPC in their own AWS account, any region AWS supports.

Do you have an ISO 27001 report?

Not yet — we're a new product and the formal audit cycle hasn't started. Our controls are modelled on ISO 27001 Annex A, and we can walk you through our practical controls, sub-processor list, and DPA under NDA. Formal ISO 27001 certification is on the 2026 roadmap.

How do you handle sub-processor changes?

Our DPA lists every sub-processor. New sub-processors are announced via a public changelog with at least 30 days' notice. Customers can object to new sub-processors during that window and receive a pro-rated refund if we can't accommodate the objection.

What's your incident disclosure policy?

For any incident affecting confidentiality, integrity, or availability of customer data: notification within 24 hours of confirmation, root-cause analysis within 7 days, remediation plan within 14 days. For Notifiable Data Breach Scheme events under the Australian Privacy Act, OAIC notification happens in parallel.

Do you support SSO and SCIM?

SSO via SAML 2.0 or OIDC on all plans. SCIM 2.0 provisioning on Growth and Scale — Okta, Azure AD, Google Workspace, JumpCloud all supported natively. Custom IdPs work too; we've seen everything from Ping to in-house SAML gateways.

How long until data is actually deleted after retention expires?

Soft-delete within 1 hour of retention expiry. Hard-delete (including backup rotation) within 35 days. For on-demand deletion via API, soft-delete is immediate and hard-delete completes within 35 days. Certificate of destruction available on request for Scale customers.

Responsible disclosure

Found something? We pay for it. Our bug-bounty programme covers authentication bypass, data exposure, injection, and call-takeover vulnerabilities. Report to security@voxapp.com with our PGP key.

Safe-harbour policy for good-faith research. Typical first-response within 4 business hours, 24 / 7.

Your security team will like us.

We built this for the people who have to sign the DPA. Questionnaires answered in a day, not a quarter.