Security

Vouch is hosted on Microsoft Azure, primarily in regions selected to match the customer’s residency preference. Production services run on managed Azure Container Apps with private networking, ingress over HTTPS only, and an internal service mesh for service-to-service calls.

• Azure-managed Postgres with encryption at rest, point-in-time restore, and automated daily backups.
• Object storage encrypted at rest with customer-data scoping enforced at the application layer.
• Container images built reproducibly in CI, signed, and deployed via gated pipelines.
• Static assets served through Azure Static Web Apps and Front Door with edge TLS termination.
• All inbound and inter-service traffic is TLS 1.2 or higher; TLS 1.0 and 1.1 are disabled.

Every record in Vouch belongs to a workspace. The workspace identifier is the first-class scoping key in our data model, on every API call, and in every background job. Application-layer authorization checks reject any read or write that crosses a workspace boundary, and the same constraint is enforced at the database layer for sensitive tables.

AI features — including reply drafting, the Recommendation Engine, and Vouch Score — execute against a single workspace’s data at a time. They do not read, aggregate, or learn from data in any other workspace, and the model providers we use are configured to discard inputs after processing (see AI Policy).

• In transit: TLS 1.2+ for all client-server, service-to-service, and database traffic, with modern cipher suites only.
• At rest: AES-256 for managed databases, object storage, secrets stores, and backups.
• Application secrets, API keys, and OAuth tokens are stored in Azure Key Vault, accessed via managed identity, never embedded in container images or repos.
• Customer passwords, where used, are hashed with a modern memory-hard algorithm and per-credential salt — we never store plaintext or recoverable forms.

Customer authentication options include email + password with 2FA, SAML SSO with your identity provider, and Microsoft Entra ID. Role-based access control governs what each user can see and do inside a workspace, and additional write-gating applies to sensitive admin actions (sending campaigns, exporting customer lists, connecting integrations).

• Short-lived session tokens; refresh-token rotation; idle-session timeouts.
• API keys are scoped to a workspace and to a specific set of capabilities, rotatable from the admin console, and audit-logged on every use.
• Employee access to production requires SSO + hardware-key MFA, runs through a bastion with session recording, and is granted only for the duration of the task.
• Production access is reviewed quarterly and revoked on role change or termination.

Vouch maintains immutable audit logs for security-relevant events, including authentication, role changes, campaign sends, data exports, integration connections, and administrative configuration changes. Logs are retained for a minimum of one year and made available to customers on request.

All requests are W3C-traced end-to-end across services so we can reconstruct the path of any action. Operational telemetry (metrics, traces, logs) is stripped of raw personal data wherever possible and is access-controlled the same way production is.

• Dependencies are continuously scanned for known vulnerabilities; critical and high findings are remediated on a fixed SLA.
• Static analysis (SAST) and secret scanning run on every pull request; high findings block merge.
• Container images are scanned before deploy and rebuilt on base-image updates.
• We follow the OWASP Top 10 and OWASP ASVS Level 2 as design baselines.
• Rate limiting, abuse protection, and tenant-scoped quotas are enforced at the edge and at the API.
• Customer-provided content (review replies, templates, AI prompts) is sanitised at render to prevent stored XSS, and parameterised queries are required across the codebase.

• Annual third-party penetration test of the Platform and supporting infrastructure.
• Continuous internal testing of authentication, authorization, and tenant isolation as part of the CI suite.
• A formal vulnerability management program with severity-based remediation SLAs.
• Compliance posture: we are designed to align with SOC 2 Type II and ISO 27001 control families, and operate the controls described on this page today. Our SOC 2 Type II attestation is in progress; the latest status, and a copy of the report once issued, is available to prospects and customers under NDA.
• Sub-processors providing hosting, database, AI, and messaging services are themselves certified under SOC 2, ISO 27001, and equivalent frameworks (see /subprocessors/).

Customer data is stored in the Azure region selected for the workspace. EU-only residency is available on request for customers with that requirement, with transfers governed by the Standard Contractual Clauses where applicable.

Customers can export their data from the admin console at any time during their subscription. On termination, we make a final export available for at least 30 days and then delete production records on a defined schedule; encrypted backups expire on their normal rotation thereafter.

• Daily encrypted backups with point-in-time recovery for the primary database.
• Backups are stored in a separate failure domain from primary data.
• Documented restore procedures, exercised at least annually.
• Target recovery time objective (RTO): 4 hours for the API; 24 hours for analytics-only services.
• Target recovery point objective (RPO): 1 hour for transactional data.

Vouch operates a documented security incident response plan with named roles, severity tiers, evidence-preservation requirements, and post-mortem expectations. All workforce members are required to report suspected incidents through a single channel.

In the event of a confirmed personal data breach affecting a customer’s workspace, we will notify the customer’s designated security contact without undue delay and in any event within 72 hours of confirmation, including what we know about scope, affected data categories, technical specifics, and remediation in progress. Where Vouch is acting as a processor, we support our business customers in meeting their own regulatory notification obligations.

We use a small set of vetted sub-processors to deliver the Platform — hosting, AI, messaging carriers, identity, and analytics. The current list is published at tryvouch.io/subprocessors/. Each is contractually bound to confidentiality and security obligations at least as strict as our own, and is permitted to use customer data only to deliver the service to us.

Customers under a Data Processing Agreement receive advance notice of new sub-processors with an opportunity to object before processing begins.

• Background checks where permitted by law before access to production.
• Confidentiality agreements signed by every employee and contractor.
• Mandatory security and privacy training at hire and annually.
• Role-specific training for engineers handling personal data or AI systems.
• Hardware-key 2FA on all access to production, source code, cloud consoles, and customer support systems.
• Access is revoked within one business day of role change or departure.

If you believe you have found a security vulnerability in Vouch, please report it to support@aartha.ai. PGP-encrypted submissions are welcome on request. We acknowledge reports within one business day, give you a timeline for remediation, and credit researchers in our hall of fame with their permission.

We ask researchers to: test only against accounts you own or have explicit permission to test, avoid degrading service for other customers, avoid accessing personal data beyond the minimum needed to demonstrate the issue, and give us a reasonable window to remediate before public disclosure. We will not pursue legal action against researchers acting in good faith within these guidelines.

A machine-readable security contact is published at /.well-known/security.txt.

Security issues and vulnerability reports: support@aartha.ai
Customer security questionnaires and procurement reviews: support@aartha.ai
Privacy questions: support@aartha.ai