ROPA, lawful-basis register, SAR, erasure, retention, transfer, and breach workflows are in place. Legal evidence remains tracked separately.
Security and trust
Last updated: June 26, 2026
Voxilo processes sensitive business and personal data on behalf of our Subscribers, including voice recordings, call transcripts, and lead information. We take security seriously. Below is an honest summary of the controls we have in place.
Compliance posture
The standard tier is not for PHI. HIPAA-active processing requires customer and vendor BAAs, eligible vendor tiers, and a signed go-live certificate.
Internal controls and evidence collection are being prepared. Voxilo has not yet completed a SOC 2 audit and does not claim SOC 2 compliance.
Encryption in transit and at rest
- In transit: TLS 1.3 is enforced for all external communications — API, Voxilo app, webhooks, voice signalling, and SMS relay. Customer-facing web traffic is currently served at the hosting edge, and production API / webhook traffic is encrypted in transit end to end.
- At rest: The Voxilo database (Supabase on AWS `us-west-2`) is encrypted at rest using AES-256 via AWS KMS. All data written to disk is encrypted automatically with no application-layer configuration required.
Multi-tenant isolation
Every Subscriber's data is isolated at the database layer using Row Level Security (RLS) policies enforced by Supabase/PostgreSQL. No Subscriber can access another Subscriber's records regardless of application-layer behaviour. An RLS bypass is treated as a P0 security defect and immediately patched.
RLS coverage is verified by an automated cross-tenant probe that runs on every CI build.
Least-privilege access control
- All production credentials are stored in 1Password (never hardcoded or committed to source control). Secrets are injected at process start via the 1Password CLI.
- Each service receives only the permissions it needs. The Supabase admin key is never used in client-side code.
- The platform implements a four-tier role model: admin → operator → dispatcher → client. Subscribers access only their own tenant's data.
- All inbound webhooks verify HMAC-SHA256 signatures before processing.
Monitoring and incident response
- Sentry captures production errors with correlation IDs. Error context is de-identified where possible — PII is not included in Sentry payloads.
- gitleaks scans every commit and CI run to detect accidentally committed secrets.
- Railway health checks automatically restart services on failure.
- We maintain a documented incident response process covering detection, triage, containment, and post-mortem.
TCPA compliance engine
All outbound SMS messages pass through a 10-step compliance check before sending, including quiet hours, federal and state DNC lists, consent verification, opt-out status, and spend caps. The compliance check defaults to block — a failed or inconclusive check never permits sending. An emergency kill switch (`EMERGENCY_STOP`) halts all outbound SMS instantly without a redeploy.
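The default-to-block behaviour described above, sketched as an added example; this is not Voxilo's code. The check functions, message fields, the 8:00 to 21:00 quiet-hours window, and the `flags` mapping standing in for a runtime flag store are all assumptions made for illustration.

```python
from enum import Enum

class Verdict(Enum):
    PASS = "pass"
    FAIL = "fail"
    INCONCLUSIVE = "inconclusive"

# Hypothetical checks: each takes a message dict and returns a Verdict.
def quiet_hours(msg):
    hour = msg.get("recipient_local_hour")
    if hour is None:                      # unknown local time: cannot prove it is allowed
        return Verdict.INCONCLUSIVE
    return Verdict.PASS if 8 <= hour < 21 else Verdict.FAIL  # assumed window

def dnc_lookup(msg):
    if msg.get("dnc_service_down"):       # constructed stand-in for a failed remote lookup
        raise TimeoutError("DNC lookup timed out")
    return Verdict.FAIL if msg.get("on_dnc") else Verdict.PASS

def consent(msg):
    # Only an explicit True counts; a missing consent record is a failure.
    return Verdict.PASS if msg.get("consent") is True else Verdict.FAIL

def opt_out(msg):
    status = msg.get("opted_out")
    if status is None:
        return Verdict.INCONCLUSIVE
    return Verdict.FAIL if status else Verdict.PASS

CHECKS = [quiet_hours, dnc_lookup, consent, opt_out]

def may_send(msg, flags):
    """Return (allowed, reason). Sending is allowed only if every check
    explicitly returns PASS; errors and inconclusive results block."""
    # Kill switch is read on every call, so flipping it needs no redeploy.
    if flags.get("EMERGENCY_STOP"):
        return False, "EMERGENCY_STOP"
    for check in CHECKS:
        try:
            verdict = check(msg)
        except Exception as exc:          # a crashed check must never fall through to send
            return False, f"{check.__name__}: error ({type(exc).__name__})"
        if verdict is not Verdict.PASS:   # FAIL, INCONCLUSIVE, None, or anything unexpected
            label = verdict.value if isinstance(verdict, Verdict) else "invalid result"
            return False, f"{check.__name__}: {label}"
    return True, "all checks passed"
```

The property to test in a gate like this is the negative path: a timeout, a missing field, or a check that returns nothing must each produce a block, not a send.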
Our policies
We maintain the following security and compliance policy documents (available to Subscribers on request):
- Information Security Policy (ISP)
- Access Control Policy
- Incident Response Policy
- Disaster Recovery & Business Continuity Plan
- Vendor Risk Management Policy
- Data Classification and Retention Policy
- Workforce Sanctions Policy
- HIPAA Privacy Policy (activated on BAA execution)
Sub-processors and trust requests
Our current sub-processor list is maintained at /sub-processors. Security questionnaires, vendor reports, signed BAAs, and SOC reports are shared only through the appropriate legal or security review process.
A hosted trust portal may be added later. Until then, this page and the sub-processor register are the public trust center baseline.
Responsible disclosure
If you believe you have found a security vulnerability in Voxilo, please report it responsibly to security@voxilo.ai. We will acknowledge your report within 48 hours and work with you to understand and address the issue.
Safe harbour: We will not take legal action against researchers who discover and responsibly disclose security issues to us in good faith, provided they do not access or modify customer data, degrade service availability, or publicly disclose before we have had a reasonable opportunity to remediate.