Home / Security

Security & compliance

Built for your security team's checklist.

If you're filling out a security questionnaire or checking a box for procurement: Voze runs a Drata-managed SOC 2 program with our observation window underway, an annual third-party penetration test, and the same controls your other enterprise vendors run. The longer answer is right here — and if your IT team needs a conversation with ours, we'll set it up.

Voze · program status
Live
  • SOC 2 program
    Observation window underway · Type 1 audit scheduled
    In progress
  • Annual penetration test
    3rd-party · last completed Oct 2025
    Complete
  • Drata-managed program
    Continuous control monitoring
    Active
  • Controls implemented
    Encryption · access · logging · vendor review
    Active
Drata trust profile and security packet available during the sales process under NDA
For procurement & security questionnaires

What you can tell your security team. In one paste-able list.

If you're filling out an internal security review or vendor questionnaire on Voze, this is the short version. Each item maps to a question your team has almost certainly asked of another SaaS vendor before.

Voze · security summary for your questionnaire
Paste-ready · last updated May 2026
  • SOC 2 program in progress — Drata-managed, with the full control set implemented and our observation window underway. Type 1 audit is scheduled.Drata trust profile and security questionnaire responses available under NDA during the sales process.
  • Annual third-party penetration testing — last completed October 2025. Executive summary available with the security packet.
  • Data encrypted in transit (TLS 1.2+) and at rest (AES-256) across every system that touches customer data.
  • Single sign-on (SSO) and multi-factor authentication (MFA) supported via your existing identity provider.
  • Role-based access control at the account, territory, and individual-rep level. Customer data is segregated, and access is limited to your authorized users.
  • US data residency — all production data is hosted in US-based AWS and Microsoft Azure regions, with continuous backups.
  • Continuous compliance monitoring via Drata. Every Voze employee and contractor signs annual security policies. Vendors are reviewed before they touch customer data.
  • Customer-owned data. Your data is yours. You can export it any time, and we won't use it to train models for other customers — that's in the contract.
How we protect your data

The same controls your enterprise vendors run — in plain English.

If you've signed off on HubSpot, Salesforce, or any modern SaaS app in the last few years, the controls below will look familiar. The deep technical detail lives in our security questionnaire responses and Drata trust profile; this is the short version.

Encryption

Your data is encrypted everywhere it sits or moves.

TLS 1.2+ in transit. AES-256 at rest. Voice notes, transcripts, account records, and signals are all encrypted across our infrastructure — and the keys are managed inside AWS and Azure, not in our application.

Access control

Only the right people see the right data.

SSO and MFA through your identity provider. Role-based access at the account, territory, and rep level. Voze respects who owns what in your CRM and inherits the same boundaries.

Data residency

Your data stays in the US.

Production systems run in US-based AWS and Microsoft Azure regions. Backups are stored separately and tested regularly. Disaster recovery is part of our SOC 2 program scope.

Audit logs

Every action leaves a trail.

Admin and user activity is logged with timestamps and user attribution. Customer admins can review their own access history; full audit trails are available to your security team during the sales process.

Vendor management

Every vendor that touches your data is reviewed.

Subprocessors go through annual security review and sign data-processing agreements through Drata. The current subprocessor list is part of the security packet we share during your evaluation.

People & policies

Every employee signs in. Every year.

Voze employees and contractors complete security training and acknowledge our policies annually through Drata. Background checks for production-access roles. Offboarding revokes access within 24 hours.

For your IT team

When your IT team needs our IT team.

Some questions don't fit on a marketing page — and shouldn't. If your security review needs the full report, a deeper architecture conversation, or specific control evidence, we'll route you to the Voze IT team during the sales process.

The full security packet

Security questionnaire responses, Drata trust profile, pen test executive summary, current subprocessor list, and DPA. Shared under NDA during your evaluation. SOC 2 Type 1 report joins the packet once our audit completes.

IT-to-IT call

If your security lead wants a working session with our team to review controls, architecture, or specific questionnaire items — we'll schedule a 45-minute call. Most evaluations don't need this. The ones that do appreciate it.

Faster questionnaire turnaround

Our standard responses cover about 80% of typical security questionnaires (SIG, CAIQ, custom). We complete the remaining 20% with your team in the same call. Most reviews close in under two weeks.

FAQ

Questions we hear most often.

Are you SOC 2 compliant?
Our SOC 2 program is active and our observation window is underway through Drata, with the Type 1 audit scheduled. The full control set is implemented and continuously monitored today — the formal attestation is the next step, not the starting point. We share our Drata trust profile and security questionnaire responses under NDA during the sales process so your team has real evidence to evaluate now.
What can you share with our security team today?
During the sales process, your Voze account team shares our Drata trust profile, security questionnaire responses (SIG / CAIQ / custom), pen test executive summary, subprocessor list, and DPA under NDA. Our SOC 2 Type 1 report joins that packet once our audit completes.
Do you do penetration testing?
Yes, annually, with a third-party firm. Our most recent test wrapped in October 2025. The executive summary (findings, remediation, retest results) is part of the security packet we share during evaluations. We also do continuous code-level scanning and dependency monitoring throughout the year.
Where is our data stored?
In US-based regions of AWS and Microsoft Azure. Production data, backups, and replication all stay within the United States. Backups are encrypted, stored separately from production, and tested regularly as part of our disaster recovery program.
Do we own our data? Can we get it out?
Yes, your data is yours. You can export accounts, contacts, voice notes, transcripts, and signals via CSV or API at any time. Our contract explicitly says we won't use your data to train models for other customers. If you leave, we'll work with you on a controlled export and confirm deletion on a defined timeline.
Do you support SSO and MFA?
Yes. We support SSO through your identity provider (SAML / OIDC) and MFA on all admin accounts by default. Customer admins can require MFA for everyone in their organization. SSO is included in our standard plan, not gated behind an enterprise tier.
What about subprocessors and vendor management?
We use a small set of subprocessors for hosting, transcription, analytics, and email — every one is reviewed annually as part of our SOC 2 program and signs a data-processing agreement. The current subprocessor list is part of the security packet we share during evaluations and updates are communicated to customers when they change.
What happens if there's a security incident?
We have a documented incident response program with defined roles, severity levels, and customer-notification timelines. Material incidents affecting customer data are communicated to affected customers within the timeframes required by our DPA — which we'll cover in detail if you ask.
How do you train employees on security?
Every Voze employee and contractor completes security training during onboarding and acknowledges our security policies annually through Drata. Production-access roles go through additional background checks. Offboarding revokes access within 24 hours.
Can our IT team talk to yours directly?
Yes. During your evaluation we'll schedule a 45-minute working session between your security lead and our IT team. This is the right venue for control-level detail, architecture questions, and anything your questionnaire couldn't fully cover. Most evaluations don't need it. The ones that do appreciate having the option.
Security & compliance

Ready when your security team is. Just say go.

Start an evaluation and we'll share our security packet — Drata trust profile, questionnaire responses, pen test summary, and DPA — under NDA. If your IT team wants a working session with ours, we'll set that up too.

No credit card · 30-min call · We come prepared