Security at Veorix

1. Architecture and hosting

• Hosted on enterprise-grade cloud providers in the United States with isolated production environments.
• Network segmentation between marketing site, application services, and storage layers.
• Configuration changes peer-reviewed and applied through reproducible deploy pipelines.

2. Encryption

• TLS 1.2+ for all data in transit, including voice and SMS gateways.
• AES-256 for data at rest in databases, backups, and object storage.
• Secret material managed in dedicated key/secret stores with rotation policies.

3. Access controls

• Least-privilege roles, single sign-on, and MFA for the Veorix team.
• Production access is logged, time-bound, and reviewed.
• Customer admin actions are recorded for audit visibility.

4. Voice and SMS pipeline

• Carrier-grade telephony partners with documented uptime and abuse controls.
• Recordings and transcripts can be disabled per number; retention is configurable.
• Sensitive fields detected by intent classifiers are flagged for redaction in transcripts.

5. Data retention and deletion

• Workspace-level retention windows for recordings, transcripts, and message logs.
• Customer-initiated deletion of specific records on request.
• Backups rotated on a fixed schedule and destroyed after expiry.

6. Vendor management

We vet sub-processors for security, privacy, and reliability before onboarding them and review them on a recurring basis. Our list of sub-processors is available on request.

7. Incident response

• Documented playbooks for triage, containment, and customer communication.
• On-call rotation with escalation paths to engineering and leadership.
• Post-incident reviews with mitigation actions tracked to completion.

8. Reporting a vulnerability

Found something concerning? Email security@veorix.com with details and steps to reproduce. We aim to acknowledge within one business day and will keep you in the loop as we triage. Please give us a reasonable window before public disclosure.