Security

Built for B2B IT review. No buzzwords, just specifics.

Encryption everywhere, EU data residency, SSO/SAML, role-based access, full audit trail, vulnerability disclosure program. Your content never trains base models.

  • TLS 1.3: in-transit encryption
  • AES-256: at-rest encryption
  • EU 🇩🇪: data residency by default
  • 0: customer data used for model training

Pillars

Four pillars, no hand-waving

Concrete controls per pillar — what you'd want to see in a vendor security questionnaire.

  • Data protection

    Strong cryptography in transit and at rest. Per-customer keys on Enterprise. No data sharing across tenants.

    • TLS 1.3, HSTS preload, OCSP stapling
    • AES-256-GCM at rest (DB + object storage)
    • Per-customer encryption keys (Enterprise)
    • Tenant isolation enforced at app + DB layer
    • Backups encrypted, 90-day retention, geo-replicated within EU
  • Access & identity

    SSO on Enterprise, granular RBAC, session controls and a complete audit trail per workspace.

    • SAML 2.0 / OIDC SSO (Okta, Azure AD, Google Workspace)
    • Roles: Owner / Admin / Editor / Reviewer / Read-only
    • 2FA available on every plan
    • Configurable session timeout & IP allowlists (Enterprise)
    • Full audit log: who-did-what-when, exportable
  • Operational security

    Vetted hosting, hardened images, CI/CD with signed releases, dependency scanning and immutable infrastructure.

    • EU hosting (Hetzner / OVH, Frankfurt + Warsaw)
    • Hardened container images, weekly base-image rebuilds
    • Signed CI/CD releases, no manual prod access
    • Dependency scanning (SCA) on every PR
    • Quarterly internal pentest + annual third-party
  • AI & model security

    The part most marketing tools wave away. Voceo treats it as a first-class control.

    • No training on customer data — contractually enforced with sub-processors
    • Prompt injection defenses on every generation step
    • Output classifiers for PII / forbidden content
    • Per-customer Qdrant collections — never shared
    • Model usage logged, not the input content
  • Compliance & governance

    GDPR by design. SOC 2 Type II in progress. Public sub-processor list, change-notification commitment.

    • GDPR-compliant; signed DPAs available within 24h
    • Public sub-processor list (Privacy §5)
    • 30-day prior notice on sub-processor changes
    • Annual security policy review
    • Vendor security questionnaire pre-filled and downloadable
  • Incident response

    Defined playbooks, named on-call, customer notification within 72 hours of confirmed material incidents.

    • 24/7 on-call rotation, <15 min acknowledgement target
    • Severity matrix (S0–S3) with escalation paths
    • Customer notification within 72h of confirmed material breach
    • Post-incident: blameless postmortem, customer-facing summary
    • Status updates on status.voceo.pl

Compliance

Frameworks & certifications

What we hold today, what we're working on. We don't claim certifications we don't have.

  • GDPR

    Compliant by design. Signed DPAs available.

  • SOC 2 Type II

    Audit window: H2 2026.

Incident response

Five steps. One playbook.

If something breaks, here's exactly how we handle it — and how we keep you informed.

  1. Detect (T+0)

     Automated alerts (anomaly detection, error budgets, security signals) and customer reports are paged to on-call.

  2. Triage (≤15 min)

     On-call acknowledges, assigns severity (S0–S3), opens an incident channel and names an incident commander.

  3. Contain (≤2 h)

     Stop the bleed: feature-flag, rate-limit, rollback. Status page updated for any customer-visible incident.

  4. Notify (≤72 h)

     Confirmed material incidents → email to affected customers + DPO notification per GDPR Art. 33 within 72h.

  5. Postmortem (≤7 d)

     Blameless postmortem, customer-facing summary, action items tracked to closure.

Vulnerability disclosure

Found something? Tell us — we'll thank you.

We run a coordinated-disclosure program. Researchers acting in good faith are not pursued legally.

Reporting channel

Email security@voceo.pl with a clear write-up: affected URL, reproduction steps, observed vs. expected behavior, and the impact you assess.

PGP-encrypt sensitive details with our key (fingerprint below). We acknowledge within 24 hours and triage within 72.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Key ID: 0xVOCEO12345678AB
Fingerprint: 1234 5678 90AB CDEF 1234
             5678 90AB CDEF 1234 5678
Download: https://voceo.pl/.well-known/security-pgp.asc
-----END PGP PUBLIC KEY BLOCK-----
  • security.txt at https://voceo.pl/.well-known/security.txt
  • PGP key at https://voceo.pl/.well-known/security-pgp.asc
  • Hall of fame for credited researchers
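A reviewer checking a vendor's disclosure setup usually starts with the published security.txt. The validator below is an added example (not Voceo's own code) that applies the structural rules of RFC 9116: at least one Contact with a mailto/https/tel URI, exactly one Expires timestamp that is in the future and not more than a year out, https-only URIs for the other fields, and Preferred-Languages at most once. The sample file is constructed here from the contact address and key URL stated on this page; the Expires date and the Canonical line are assumptions, not values from the page.

```python
"""Validate a security.txt file against the structural rules of RFC 9116.

Added example; not Voceo's own code. The sample below is constructed from the
contact address and key URL the page states; the Expires date is invented.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Field names defined by RFC 9116 (compared case-insensitively).
KNOWN_FIELDS = {
    "acknowledgments", "canonical", "contact", "encryption", "expires",
    "hiring", "policy", "preferred-languages",
}

# Constructed sample, modelled on a /.well-known/security.txt for voceo.pl.
SAMPLE = """\
# Security contact for voceo.pl (constructed example)
Contact: mailto:security@voceo.pl
Encryption: https://voceo.pl/.well-known/security-pgp.asc
Canonical: https://voceo.pl/.well-known/security.txt
Expires: 2026-06-30T00:00:00Z
Preferred-Languages: en, pl
"""


def _parse_ts(value):
    """Parse an ISO 8601 / RFC 3339 timestamp; a trailing 'Z' means UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_security_txt(text):
    """Return (field, value) pairs in file order; comments and blank lines are skipped."""
    fields = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        fields.append((name.strip().lower(), value.strip()))
    return fields


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes every check.

    `now` may be a timezone-aware datetime or an ISO 8601 string, so runs are
    reproducible; it defaults to the current UTC time.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_ts(now)

    problems = []
    by_name = {}
    for name, value in parse_security_txt(text):
        by_name.setdefault(name, []).append(value)
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field: {name}")

    # Contact: required at least once, each value a URI the reporter can act on.
    contacts = by_name.get("contact", [])
    if not contacts:
        problems.append("Contact: required, none present")
    for c in contacts:
        if urlparse(c).scheme not in ("mailto", "https", "tel"):
            problems.append(f"Contact: value must be a mailto/https/tel URI: {c}")

    # Expires: required exactly once, timezone-aware, in the future, <= 1 year out.
    expires = by_name.get("expires", [])
    if len(expires) != 1:
        problems.append(f"Expires: required exactly once, found {len(expires)}")
    else:
        try:
            exp = _parse_ts(expires[0])
        except ValueError:
            problems.append(f"Expires: not an ISO 8601 timestamp: {expires[0]}")
        else:
            if exp.tzinfo is None:
                problems.append("Expires: timestamp lacks a timezone")
            elif exp <= now:
                problems.append(f"Expires: file has expired ({expires[0]})")
            elif exp > now + timedelta(days=365):
                problems.append("Expires: more than a year ahead (RFC 9116 recommends less)")

    # Web-served references must be https: a plain-http key or policy URL can be swapped in transit.
    for name in ("encryption", "canonical", "policy", "acknowledgments", "hiring"):
        for v in by_name.get(name, []):
            if not v.startswith("https://"):
                problems.append(f"{name.title()}: must be an https URI: {v}")

    if len(by_name.get("preferred-languages", [])) > 1:
        problems.append("Preferred-Languages: must appear at most once")
    return problems


if __name__ == "__main__":
    for problem in validate_security_txt(SAMPLE) or ["OK: no problems found"]:
        print(problem)
```

Running the file as-is validates the constructed sample against the current clock; to check a live file, fetch `/.well-known/security.txt` over HTTPS and pass its body to `validate_security_txt`. The signature check of the PGP-signed variant RFC 9116 also allows is out of scope for this parser.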

Safe harbor

If you make a good-faith effort to comply with this policy, we will not initiate legal action against you. We will work with you to understand and resolve the issue quickly.

In scope: *.voceo.pl, our public APIs, mobile apps, and self-hosted demo environments.

Out of scope: third-party services, social engineering of staff, physical security of offices, denial-of-service attacks.

  • Test only with accounts you control
  • Don't access or modify other users' data
  • Give us reasonable time to fix before public disclosure

Procurement review?

Get our pre-filled vendor security questionnaire and signed DPA in one email.