Security & compliance

Yes, we're SOC 2 compliant.

If you're filling out a security questionnaire or checking a box for procurement, the short answer is yes: Voze runs a Drata-managed SOC 2 program, completed our Type 1 audit, and the Type 2 audit is in finalization. The longer answer is right here — and if your IT team needs a conversation with ours, we'll set it up.

What to tell your security team

Current compliance status→ How we protect your data→ For your IT team→

Voze · compliance status

Live

SOC 2 Type 1

Audited · Dec 2025

Complete
SOC 2 Type 2

Audit complete · Report in finalization

In review
Annual penetration test

3rd-party · last completed Oct 2025

Complete
Drata-managed program

Continuous control monitoring

Active

Full report and packet available during the sales process under NDA

For procurement & security questionnaires

What you can tell your security team. In one paste-able list.

If you're filling out an internal security review or vendor questionnaire on Voze, this is the short version. Each item maps to a question your team has almost certainly asked of another SaaS vendor before.

Voze · security summary for your questionnaire

Paste-ready · last updated May 2026

SOC 2 Type 1 attestation complete (audited December 2025). Type 2 audit complete; report in finalization with our auditors.Both reports available under NDA during the sales process.
Annual third-party penetration testing — last completed October 2025. Executive summary available with the security packet.
Data encrypted in transit (TLS 1.2+) and at rest (AES-256) across every system that touches customer data.
Single sign-on (SSO) and multi-factor authentication (MFA) supported via your existing identity provider.
Role-based access control at the account, territory, and individual-rep level. Customer data is segregated, and access is limited to your authorized users.
US data residency — all production data is hosted in US-based AWS and Microsoft Azure regions, with continuous backups.
Continuous compliance monitoring via Drata. Every Voze employee and contractor signs annual security policies. Vendors are reviewed before they touch customer data.
Customer-owned data. Your data is yours. You can export it any time, and we won't use it to train models for other customers — that's in the contract.

How we protect your data

The same controls your enterprise vendors run — in plain English.

If you've signed off on HubSpot, Salesforce, or any modern SaaS app in the last few years, the controls below will look familiar. The deep technical detail lives in our SOC 2 report; this is the short version.

Encryption

Your data is encrypted everywhere it sits or moves.

TLS 1.2+ in transit. AES-256 at rest. Voice notes, transcripts, account records, and signals are all encrypted across our infrastructure — and the keys are managed inside AWS and Azure, not in our application.

Access control

Only the right people see the right data.

SSO and MFA through your identity provider. Role-based access at the account, territory, and rep level. Voze respects who owns what in your CRM and inherits the same boundaries.

Data residency

Your data stays in the US.

Production systems run in US-based AWS and Microsoft Azure regions. Backups are stored separately and tested regularly. Disaster recovery is part of our SOC 2 scope.

Audit logs

Every action leaves a trail.

Admin and user activity is logged with timestamps and user attribution. Customer admins can review their own access history; full audit trails are available to your security team during the sales process.

Vendor management

Every vendor that touches your data is reviewed.

Subprocessors go through annual security review and sign data-processing agreements through Drata. The current subprocessor list is part of the security packet we share during your evaluation.

People & policies

Every employee signs in. Every year.

Voze employees and contractors complete security training and acknowledge our policies annually through Drata. Background checks for production-access roles. Offboarding revokes access within 24 hours.

For your IT team

When your IT team needs our IT team.

Some questions don't fit on a marketing page — and shouldn't. If your security review needs the full report, a deeper architecture conversation, or specific control evidence, we'll route you to the Voze IT team during the sales process.

The full security packet

SOC 2 reports (Type 1 + Type 2 once finalized), pen test executive summary, current subprocessor list, DPA, and our standard security-questionnaire responses. Shared under NDA during your evaluation.

IT-to-IT call

If your security lead wants a working session with our team to review controls, architecture, or specific questionnaire items — we'll schedule a 45-minute call. Most evaluations don't need this. The ones that do appreciate it.

Faster questionnaire turnaround

Our standard responses cover about 80% of typical security questionnaires (SIG, CAIQ, custom). We complete the remaining 20% with your team in the same call. Most reviews close in under two weeks.

FAQ

Questions we hear most often.

Is Voze SOC 2 compliant?

Yes. We've completed our SOC 2 Type 1 audit (December 2025) and our SOC 2 Type 2 audit is complete — the report is in finalization with our auditors. Both reports are available under NDA during the sales process. We run a continuous SOC 2 program through Drata, so the controls aren't a once-a-year scramble — they're how we operate every day.

How do I get the actual SOC 2 report?

During the sales process. Once you're in an active evaluation, your Voze account team shares the SOC 2 report, pen test executive summary, subprocessor list, and DPA under NDA. We don't publish the reports on the website because that's standard practice — SOC 2 reports contain control detail that shouldn't be in public search results.

Do you do penetration testing?

Yes, annually, with a third-party firm. Our most recent test wrapped in October 2025. The executive summary (findings, remediation, retest results) is part of the security packet we share during evaluations. We also do continuous code-level scanning and dependency monitoring throughout the year.

Where is our data stored?

In US-based regions of AWS and Microsoft Azure. Production data, backups, and replication all stay within the United States. Backups are encrypted, stored separately from production, and tested regularly as part of our disaster recovery program.

Do we own our data? Can we get it out?

Yes, your data is yours. You can export accounts, contacts, voice notes, transcripts, and signals via CSV or API at any time. Our contract explicitly says we won't use your data to train models for other customers. If you leave, we'll work with you on a controlled export and confirm deletion on a defined timeline.

Do you support SSO and MFA?

Yes. We support SSO through your identity provider (SAML / OIDC) and MFA on all admin accounts by default. Customer admins can require MFA for everyone in their organization. SSO is included in our standard plan, not gated behind an enterprise tier.

What about subprocessors and vendor management?

We use a small set of subprocessors for hosting, transcription, analytics, and email — every one is reviewed annually as part of our SOC 2 program and signs a data-processing agreement. The current subprocessor list is part of the security packet we share during evaluations and updates are communicated to customers when they change.

What happens if there's a security incident?

We have a documented incident response program with defined roles, severity levels, and customer-notification timelines. Material incidents affecting customer data are communicated to affected customers within the timeframes required by our DPA — which we'll cover in detail if you ask.

How do you train employees on security?

Every Voze employee and contractor completes security training during onboarding and acknowledges our security policies annually through Drata. Production-access roles go through additional background checks. Offboarding revokes access within 24 hours.

Can our IT team talk to yours directly?

Yes. During your evaluation we'll schedule a 45-minute working session between your security lead and our IT team. This is the right venue for control-level detail, architecture questions, and anything your questionnaire couldn't fully cover. Most evaluations don't need it. The ones that do appreciate having the option.