Trust & Security
How Voice2Evolve protects your data, your sessions, and your organisation.
Voice2Evolve handles sensitive data: voice recordings, conversation transcripts, and organisational context. We treat that responsibility as a design constraint, not an afterthought.
This page describes the controls we have in place. For formal agreements and detailed technical measures, the relevant documents are linked at the bottom.
Data Residency & Encryption
Your application data is stored in the EU (Supabase, Stockholm region). All data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Voice session audio is encrypted end-to-end via DTLS-SRTP between your browser and the AI provider.
Application-level encryption (AES-256-GCM) protects sensitive fields such as uploaded documents, API keys, and candidate profiles. Encryption keys are managed through a tiered vault system with configurable tenant-level overrides.
Tenant Isolation
Voice2Evolve is multi-tenant. Every query, every API call, and every storage operation is scoped to your organisation. Isolation is enforced at the database level through Row-Level Security policies, not just application logic.
Tenant context is validated independently at three layers: middleware, authentication token claims, and database policies. All three must agree before data is returned. There is no shared data surface between organisations.
Authentication & Access Control
User authentication is handled through secure, HttpOnly cookies with SameSite protection. Role-based access control separates user, editor, tenant admin, and super admin permissions. All admin routes require explicit role verification.
API endpoints are rate-limited per route. Anonymous access is gated behind CAPTCHA verification. All authentication tokens are short-lived and cryptographically signed.
AI & Voice Data Handling
Voice session audio is processed in real time and not retained by our AI providers after processing. We use API endpoints where session data is not used for model training.
Session transcripts are stored in your organisation's database, scoped to your tenant, and subject to your configured retention policy. When a session expires, transcripts and analysis are automatically deleted.
For our ethical commitments on how AI analysis is used and what the platform will never decide, see our Responsible AI page.
Application Security
Security is built into the development process, not bolted on afterward. Controls include:
- Input validation on every API endpoint (Zod schema enforcement)
- Content Security Policy with per-request nonce injection
- Structured logging with automatic PII redaction
- Automated dependency scanning and vulnerability alerting
- Code review and dependency scanning with automated security tools and manual verification
- Immutable audit logs for administrative and financial operations
Compliance & Frameworks
Voice2Evolve builds its Information Security Management System on ISO 27001 and SOC 2 principles. Formal certifications are not currently completed. All vendors are assessed against security and data protection requirements before use, and have signed Data Processing Agreements.
The platform is GDPR-compliant: data subject access, portability, and erasure requests are supported. A Data Protection Impact Assessment covers voice session processing. German GoBD requirements for digital bookkeeping are met through the Lexware accounting integration.
Vendor Management
Every third-party service is assessed for security posture, data handling practices, and compliance certifications before adoption. All critical vendors hold SOC 2 Type II certification. Data Processing Agreements are signed with every vendor that processes personal data.
A full subprocessor list is published and maintained. Changes to subprocessors are communicated with 30 days advance notice per our Data Processing Agreement.
Incident Response
A documented incident response policy covers detection, containment, eradication, and recovery. Critical incidents target a rapid response, typically within a few hours. Data breaches are reported to the competent supervisory authority within 72 hours as required by GDPR Article 33.
All incidents are documented with root cause analysis and remediation tracking. Post-incident reviews feed back into security controls and monitoring.
Documentation
For procurement, compliance reviews, or detailed technical questions, the following documents are available:
Need more detail for a compliance review?
We provide a security whitepaper and pre-filled security questionnaire responses on request. If you need specifics for procurement, an internal security review, or a vendor assessment, contact us directly.