Security and Trust at Voycee

1. Encryption

• Data in transit is protected with TLS 1.2 or higher on every customer-facing endpoint and every vendor-facing endpoint.
• Data at rest is encrypted with AES-256. Database storage uses Transparent Data Encryption on Azure Database for PostgreSQL. Call audio and recordings live in Azure Blob Storage with server-side encryption.
• Database backups are encrypted with rotating keys and retained inside the Voycee tenancy. We do not share backups with third parties.

2. Authentication

• Sign-in is handled by our managed identity provider, with support for email and password, social sign-in, and single sign-on for enterprise accounts.
• Multi-factor authentication is available to every account. Account owners can require MFA for everyone on the team from the Security settings page.
• Session tokens are short-lived. Webhook callbacks from our payment, identity, and telephony providers are signature-verified before any state change.

3. Data residency

Customer data is processed and stored in Microsoft Azure, US East 2 region (Virginia). We do not transfer customer data outside the United States as part of normal operations. Enterprise customers can request a written record of the exact subprocessors that touch their data on the subprocessors page.

4. Access controls

• Tenant scoping is enforced at the API guard layer on every read and write. Each account can only see its own calls, recordings, transcripts, and configuration.
• Role-based access inside an account: Owner, Manager, and Member. Owners can invite, promote, and remove other users; Members can view but not change billing.
• Voycee employees access tenant data only when a customer opens a support ticket and explicitly grants temporary access, or when responding to a security incident under break-glass procedure. Both paths are logged.

5. Vulnerability disclosure

If you find a security issue, please report it privately so we can fix it before public disclosure. We do not pursue legal action against researchers who follow this coordinated disclosure policy in good faith.

• Read our public security policy at SECURITY.md on the Voycee repository.
• Email security@voycee.com with a description, reproduction steps, and impact assessment.
• We acknowledge reports within 48 hours and aim to publish a fix or mitigation within 30 days, faster for high-severity issues.

6. Incident response

If a security incident affects your data, we follow this timeline.

• Within 24 hours: confirm scope and contain the incident.
• Within 72 hours: notify affected customers with the facts known at that time.
• Within 30 days: publish a post-incident report covering root cause, customer impact, and the steps we are taking to prevent recurrence.

For an incident already in progress, contact help@voycee.com and we will route you to the on-call responder.

7. Compliance

• SOC 2 Type II audit is in progress. Customers under NDA can request the current readiness summary from security@voycee.com.
• GDPR and UK GDPR: we sign a Data Processing Agreement based on the EU Standard Contractual Clauses (2021/914). See the Data Processing Agreement.
• CCPA and CPRA: California residents can submit a Do Not Sell or Share request at /legal/do-not-sell. Voycee does not sell personal information.
• HIPAA: a Business Associate Agreement is available for healthcare customers. See the BAA page.

8. Subprocessors

Voycee uses a small set of vetted vendors to deliver the platform. The current list is published at /legal/subprocessors and updated as needed. Customers receive at least 30 days' notice before a new subprocessor that processes personal data is engaged, with the right to object on reasonable grounds.

9. Audit logs

Write operations on billing, roles, integrations, and BAA-related actions are recorded in an account-scoped audit log. Owners can review the log from the Security settings page and export it on request for internal compliance reviews.