
Security

Telephony is sovereign. Treat it that way.

VoxRidge sits in the call path. Audio, CDRs, agent activity, customer phone numbers — all flow through the platform. The bar for security has to match.

Transport & storage

  • TLS 1.3 by default for all API and webhook traffic. HSTS preload, no insecure ciphers.
  • SRTP for voice legs where the underlying PBX supports it (Asterisk, FreeSWITCH, Cisco, Twilio).
  • At-rest encryption on Postgres for credentials, recording metadata, and webhook secrets.
  • BYOK for recording storage on Enterprise — bring your own KMS / customer-managed keys.

Identity & access

  • SSO via SAML and OIDC. SCIM provisioning on Growth and above.
  • RBAC with four built-in roles (super_admin, admin, supervisor, viewer) and Resource Collections for fine-grained scoping.
  • API keys are scoped, rotatable, and recorded in the audit log on every issue / revoke.
  • HMAC-signed webhooks with replay-window protection.

Auditability

  • Every administrative action — config change, policy edit, IVR deploy, agent state override — is recorded with actor, timestamp, before/after diff.
  • Policy evaluation log captures every CEL evaluation, with the input context and the verdict.
  • Hash-chained audit log on Enterprise — tamper-evident, exportable for compliance.

Build & supply chain

  • Reproducible builds. SBOM published per release.
  • Container images and binaries signed with Cosign.
  • Pinned dependencies, automated CVE scans, automated OSS license auditing.
  • SLSA Level 3 build provenance on the roadmap.

Hosting

  • VoxRidge Cloud: EU (Frankfurt) and US (Virginia) regions on tier-1 providers. SOC 2 Type II in progress.
  • Self-hosted: single Go binary. Air-gapped install supported on Enterprise. Same product, same release cadence as cloud.

Responsible disclosure

Found a security issue? Email security@voxridge.com. We respond within one business day, triage within three, and credit researchers in the changelog (with permission).

Our security.txt has the latest contacts and PGP key.
