Security at VoxReach

Last updated 23 April 2026. Report a vulnerability to security@voxreach.com.au or follow the contact details published at /.well-known/security.txt.

Voice AI is a trust-gated product. Below is an operator-level summary of the controls protecting VoxReach tenant data. A detailed vendor security questionnaire is available on request under NDA at security@voxreach.com.au.

Data protection

  • Encryption in transit: TLS 1.2 or higher on every external endpoint, TLS 1.3 preferred. HSTS enforced site-wide.
  • Encryption at rest: AES-256 for all tenant databases, recordings, transcripts, and backups.
  • Key management: separate key-management service with automatic rotation every 90 days; engineering staff never handle raw keys.
  • Data residency: tenant databases and stored recordings live on Australian infrastructure. Some real-time sub-processors (transcription, TTS, LLM) are US-based; audio and text pass through them in real time and are not retained there. See the Data processing addendum.

Tenant isolation

  • Hard tenant_id scoping on every database row. Application-layer policy prevents cross-tenant reads or writes.
  • Separate Vapi assistants, phone numbers, and billing ledger per tenant.
  • Per-tenant API keys with scoped permissions.
  • Admin actions are logged with actor, tenant, action, and timestamp.
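The two controls above, hard tenant_id scoping on every row and an audit record for each privileged action, are easiest to see in a small repository layer that has no unscoped query path at all. The following is an added illustration, not VoxReach's code: the table names, the TenantScopedRepo and TenantContext classes, and the in-memory SQLite store are all assumptions for the example, and the page says nothing about the real schema or ORM.

```python
import sqlite3
from datetime import datetime, timezone


class TenantScopeError(PermissionError):
    """Raised when a request tries to touch rows belonging to another tenant."""


class TenantContext:
    """Authenticated tenant and actor for one request (hypothetical shape).
    tenant_id is taken from the verified session, never from the request body."""

    def __init__(self, tenant_id: str, actor: str):
        self.tenant_id = tenant_id
        self.actor = actor


class TenantScopedRepo:
    """Every read and write carries the caller's tenant_id in its WHERE clause or
    INSERT values. There is no method that omits it, so application code cannot
    forget the predicate. All queries are parameterised."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS recordings ("
            " id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, transcript TEXT NOT NULL)"
        )
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS audit_log ("
            " ts TEXT NOT NULL, actor TEXT NOT NULL, tenant_id TEXT NOT NULL, action TEXT NOT NULL)"
        )

    def _audit(self, ctx: TenantContext, action: str) -> None:
        # actor, tenant, action and timestamp: the four fields the page lists for admin actions
        self.conn.execute(
            "INSERT INTO audit_log (ts, actor, tenant_id, action) VALUES (?, ?, ?, ?)",
            (datetime.now(timezone.utc).isoformat(), ctx.actor, ctx.tenant_id, action),
        )

    def add_recording(self, ctx: TenantContext, transcript: str) -> int:
        cur = self.conn.execute(
            "INSERT INTO recordings (tenant_id, transcript) VALUES (?, ?)",
            (ctx.tenant_id, transcript),
        )
        self._audit(ctx, f"add_recording:{cur.lastrowid}")
        return cur.lastrowid

    def get_recording(self, ctx: TenantContext, recording_id: int) -> dict:
        row = self.conn.execute(
            "SELECT id, tenant_id, transcript FROM recordings WHERE id = ? AND tenant_id = ?",
            (recording_id, ctx.tenant_id),
        ).fetchone()
        if row is None:
            # Same error whether the row belongs to another tenant or does not exist,
            # so a caller cannot probe which ids are valid elsewhere.
            raise TenantScopeError(f"recording {recording_id} not found for tenant {ctx.tenant_id}")
        return {"id": row[0], "tenant_id": row[1], "transcript": row[2]}

    def list_recordings(self, ctx: TenantContext) -> list:
        rows = self.conn.execute(
            "SELECT id, transcript FROM recordings WHERE tenant_id = ? ORDER BY id",
            (ctx.tenant_id,),
        ).fetchall()
        return [{"id": r[0], "transcript": r[1]} for r in rows]

    def audit_entries(self, ctx: TenantContext) -> list:
        rows = self.conn.execute(
            "SELECT actor, tenant_id, action FROM audit_log WHERE tenant_id = ? ORDER BY ts",
            (ctx.tenant_id,),
        ).fetchall()
        return [(r[0], r[1], r[2]) for r in rows]


def demo() -> dict:
    """Constructed scenario: two tenants, one attempted cross-tenant read."""
    repo = TenantScopedRepo(sqlite3.connect(":memory:"))
    acme = TenantContext("tenant-acme", "alice@acme.example")      # constructed
    globex = TenantContext("tenant-globex", "bob@globex.example")  # constructed
    acme_id = repo.add_recording(acme, "Hello, this is Acme support.")
    repo.add_recording(globex, "Globex billing line, how can I help?")
    try:
        repo.get_recording(globex, acme_id)  # id is valid, tenant is wrong
        leaked = True
    except TenantScopeError:
        leaked = False
    return {
        "acme_sees": len(repo.list_recordings(acme)),
        "globex_sees": len(repo.list_recordings(globex)),
        "cross_tenant_leak": leaked,
        "acme_audit": repo.audit_entries(acme),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the tenant predicate lives in one place and is derived from the authenticated context rather than from anything the client sends; a check that can be bypassed by omitting a parameter is not a hard scope. The audit table is tenant-scoped too, so support staff reviewing one tenant's history do not see another's.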

Access control

  • Multi-factor authentication enforced on every staff account and tenant admin.
  • Role-based access control inside the admin surface (view, edit, bill, support).
  • Least privilege: production database access is gated by reviewed, time-boxed tickets; raw recordings are never downloaded to staff machines.
  • Staff laptops encrypted with full-disk FileVault/BitLocker, MDM-enforced.

Application security

  • All inputs validated server-side; ORMs parameterise every query.
  • CSRF tokens on every authenticated form; session cookies carry the SameSite attribute.
  • Content Security Policy in place on the marketing site and tenant app.
  • Weekly automated dependency scans (Snyk / npm audit); high-severity findings patched within 7 days, critical within 24 hours.
  • Code review required on every production change; no solo merges to main.
  • Annual third-party penetration test; results summary available to enterprise tenants under NDA.

Infrastructure

  • Hosted on hardened Linux images with firewalled VPC boundaries.
  • No inbound SSH from the public internet; access via bastion with short-lived certificates.
  • Daily encrypted backups with 30-day retention; quarterly restore drills.
  • DDoS protection at the edge. Rate-limiting on authentication, signup, and form endpoints.
  • Intrusion detection and anomaly alerting on audit logs.

Incident response

  • Documented incident response plan with on-call rotation.
  • Tenant notification within 72 hours of any eligible data breach (or sooner where the Notifiable Data Breaches scheme of the Privacy Act requires).
  • Status page at status.voxreach.com.au for live incident communication.
  • Post-incident public post-mortems for any Sev 1 event affecting more than one tenant.

Responsible disclosure

If you believe you have found a vulnerability, we want to hear from you. Email security@voxreach.com.au. We respond within one business day, investigate in good faith, and credit disclosers on this page (with consent) once the finding is resolved. We do not yet run a paid bug-bounty programme but plan to by Q3 2026. Please refrain from automated scanning that degrades service for other tenants.

Contact

security@voxreach.com.au — all security matters.