Back to Home

Security

How we protect your data

Last Updated: November 29, 2025

Security Overview

At Vocanta, security is not an afterthought - it is fundamental to everything we build. We understand that businesses trust us with their most sensitive data: customer and operational information. This responsibility drives our commitment to implementing industry-leading security measures across every layer of our platform.

Defense in Depth

Multiple layers of security controls protect your data

Continuous Monitoring

24/7 security operations center watching for threats

Zero Trust

Never trust, always verify - for every request

Our Security Commitment

We are committed to maintaining the highest standards of security for healthcare data. Our security program is aligned with HIPAA requirements, SOC 2 controls, and industry best practices. We continuously invest in our security capabilities and undergo regular third-party assessments.

Encryption Standards

We use strong encryption to protect your data at every stage - whether it is stored in our systems, transmitted over networks, or processed by our applications.

Data at Rest

Encryption AlgorithmAES-256-GCM
Key ManagementAWS KMS / HSM
Database EncryptionTransparent Data Encryption
Backup EncryptionEncrypted with separate keys

Data in Transit

ProtocolTLS 1.3
Certificate AuthorityDigiCert / Let's Encrypt
Perfect Forward SecrecyEnabled
HSTSEnforced (max-age=31536000)

Voice Data

Call EncryptionSRTP with AES-256
Recording StorageAES-256 encrypted
TranscriptionEnd-to-end encrypted
RetentionConfigurable per practice

Infrastructure Security

Our infrastructure is designed with security as a core principle, leveraging enterprise-grade cloud providers and implementing multiple layers of protection.

Cloud Infrastructure

Enterprise-grade cloud hosting with multiple layers of security

Multi-region deployment with automatic failover
Virtual Private Cloud (VPC) isolation
Web Application Firewall (WAF)
DDoS protection and mitigation
Network segmentation and micro-segmentation
Container security with runtime protection

Network Security

Defense-in-depth approach to network protection

Intrusion Detection/Prevention Systems (IDS/IPS)
Zero Trust network architecture
Private endpoints for database access
IP allowlisting for administrative access
Regular network vulnerability scanning
Traffic encryption between all services

Application Security

Secure development and deployment practices

Secure Software Development Lifecycle (SSDLC)
Static Application Security Testing (SAST)
Dynamic Application Security Testing (DAST)
Dependency vulnerability scanning
Code review requirements for all changes
Immutable infrastructure deployments

Access Controls

We implement strict access controls to ensure only authorized individuals can access sensitive data and systems.

Authentication

  • Multi-factor authentication (MFA) required
  • SSO integration (SAML 2.0, OIDC)
  • Passwordless authentication options
  • Biometric authentication support
  • Session management with automatic timeout
  • Device trust and management

Authorization

  • Role-based access control (RBAC)
  • Principle of least privilege
  • Just-in-time (JIT) access for admins
  • Attribute-based access control (ABAC)
  • Regular access reviews and recertification
  • Automated deprovisioning on termination

Identity Management

  • Centralized identity provider integration
  • Unique user identification
  • Strong password policies enforced
  • Account lockout after failed attempts
  • Credential rotation requirements
  • Privileged access management (PAM)

Monitoring and Logging

Continuous monitoring and comprehensive logging enable us to detect, investigate, and respond to security events quickly.

Security Monitoring

  • 24/7 Security Operations Center (SOC)
  • Real-time threat detection and alerting
  • User behavior analytics (UEBA)
  • Anomaly detection with machine learning
  • Security information and event management (SIEM)

Audit Logging

  • Comprehensive audit trails for all actions
  • PHI access logging and monitoring
  • Administrative action logging
  • API access logging
  • Immutable log storage with 7-year retention

System Monitoring

  • Infrastructure performance monitoring
  • Application performance monitoring (APM)
  • Availability and uptime monitoring
  • Capacity planning and scaling
  • Automated alerting and escalation

Incident Response

We have a comprehensive incident response program to quickly detect, contain, and remediate security incidents.

1

Detection

< 15 minutes

Automated and manual identification of potential security incidents

2

Containment

< 1 hour

Isolate affected systems and prevent further damage

3

Investigation

< 24 hours

Determine scope, impact, and root cause of the incident

4

Notification

Per HIPAA requirements

Notify affected parties as required by law and contracts

5

Recovery

Based on severity

Restore systems and data to normal operations

6

Lessons Learned

Within 72 hours

Post-incident review and process improvements

Report a Security Incident

If you discover a security vulnerability or suspect a security incident, please report it immediately:

Compliance Certifications

We maintain compliance with industry standards and regulations to demonstrate our commitment to security and privacy.

SOC 2 Type II

Annual audit of security, availability, and confidentiality controls

HIPAA Compliance

Full compliance with HIPAA Privacy and Security Rules

GDPR Compliance

Data protection standards for European Union residents

CCPA Compliance

Privacy protections for California residents

Request Security Documentation

Current or prospective customers can request copies of our security documentation under NDA:

SOC 2 Report
Penetration Test
Security Questionnaire
Architecture Diagram

Security Contact

Our security team is available to answer questions about our security practices, discuss security requirements, or address any security concerns.

Security Team

General Security Inquiries

security@vocanta.io

Vulnerability Reports

security@vocanta.io

Security Incidents

incident@vocanta.io

Responsible Disclosure

We appreciate security researchers who help us keep Vocanta secure. If you discover a vulnerability, please report it responsibly.

  • Report vulnerabilities to security@vocanta.io
  • Allow reasonable time for remediation
  • We commit to acknowledging reports within 24 hours