Certifications & frameworks
- SOC 2 Type II — annual report covering Security, Availability and Confidentiality. Available under NDA.
- ISO 27001 — aligned; certification in progress.
- HIPAA — BAA available on Enterprise.
- GDPR / UK-GDPR — see our GDPR page.
Encryption
- TLS 1.2+ for every connection — enforced via HSTS.
- AES-256 at rest for all customer data, including audio recordings.
- Per-tenant encryption keys, rotated automatically every 90 days.
Access control
- Mandatory MFA for all employees; SSO via Okta.
- Role-based permissions, reviewed quarterly.
- Just-in-time production access with full audit trails.
Infrastructure
- Hosted on AWS (eu-west-1, eu-central-1, us-east-1) with VPC isolation.
- Immutable infrastructure provisioned via Terraform.
- Multi-AZ databases with point-in-time recovery.
- Daily encrypted off-site backups with quarterly restore tests.
Application security
- Static analysis on every pull request; dependency scanning daily.
- Annual third-party penetration testing.
- Public vulnerability disclosure programme: security@voicematrix.ai.
- Bug bounties paid for in-scope reports.
Incident response
We follow a documented incident response plan with defined severities and 24/7 on-call. Customers are notified without undue delay; supervisory authorities are notified within 72 hours where required.
Reporting a vulnerability
Email security@voicematrix.ai with reproduction steps. We acknowledge within one business day and provide regular updates until resolution. Please do not publicly disclose the issue until we've had a reasonable chance to fix it.
Trust resources
SOC 2 reports, pentest summaries, sub-processor lists, and our SIG Lite questionnaire are available under mutual NDA. Email security@voicematrix.ai to request access.
