Trust & Security

Security & Data Protection.

How we protect your dealership's data — and exactly what happens if something goes wrong.

Last Updated: June 10, 2026

SOC 2
Type II Certified
AES-256
Encryption at Rest
TLS 1.2+
Encryption in Transit
24/7
Monitoring & Alerting

1. Our Security Commitment

At voAIce, security is not a feature we bolt on — it is the foundation the entire platform is built on. Our customers are Automotive, RV, Powersports, Marine, and Outdoor Power Equipment retailers across the United States, and the data they entrust to us is some of the most sensitive information in any business: customer contact details, driver's license and identity documents, credit applications, financial figures, deal structures, and the full history of every conversation a dealership has with the people it serves.

We treat that responsibility with the seriousness it deserves. voAIce maintains a comprehensive, continuously-audited information security program designed around a single principle: your data is yours, it is protected with enterprise-grade controls at every layer, and it is never sold, never repurposed for advertising, and never exposed to one dealer's competitors. This document describes the standards we hold ourselves to, the controls we operate, the third-party certifications that independently verify those controls, and — critically — exactly what we do, and what you can expect from us, in the unlikely event of a data security incident.

Security is a moving target. Threats evolve, infrastructure changes, and best practices advance. Our program is designed to evolve with them. The commitments on this page reflect our current posture and are reviewed regularly.

2. SOC 2 Type II Certification

voAIce is SOC 2 Type II certified — the most rigorous and widely-recognized independent security audit available for cloud service providers. A SOC 2 Type II examination is conducted by an independent, accredited third-party auditing firm and goes far beyond a point-in-time checklist. It evaluates the design of our security controls and then tests the operating effectiveness of those controls continuously over an extended audit period, verifying that we don't just claim to do the right things — we actually do them, every day, and can prove it with evidence.

Our SOC 2 program is built on the AICPA's five Trust Services Criteria. Each represents a distinct dimension of how we safeguard the platform:

  • Security. The system is protected against unauthorized access — both physical and logical. This covers our access controls, network defenses, encryption, threat detection, and incident response.
  • Availability. The system is available for operation and use as committed. This covers our redundancy, monitoring, capacity planning, backup, and disaster-recovery practices.
  • Confidentiality. Information designated as confidential is protected throughout its lifecycle. This covers data classification, encryption, access restriction, and secure disposal.
  • Processing Integrity. System processing is complete, valid, accurate, timely, and authorized — so the data you see in the platform is the data you can trust.
  • Privacy. Personal information is collected, used, retained, disclosed, and disposed of in conformity with our commitments and applicable privacy law.

SOC 2 is not a one-time event. We undergo recurring audits to maintain our certification, and we continuously collect control evidence between audit cycles. A copy of our most recent SOC 2 Type II report is available to current and prospective customers upon request under a mutual non-disclosure agreement. To request the report, contact security@voaice.com.

3. Regulatory & Compliance Alignment

Vehicle dealers are "financial institutions" under U.S. federal law, which places them — and the vendors who process data on their behalf — under a specific and demanding set of obligations. voAIce's security program is built to align with the laws and standards that govern our customers' industry:

  • Gramm-Leach-Bliley Act (GLBA). We design our handling of nonpublic personal financial information to support our dealer customers' GLBA obligations, including the Privacy Rule and the Safeguards Rule.
  • FTC Safeguards Rule (16 CFR Part 314). Our information security program reflects the Safeguards Rule's requirements for financial institutions, including a written security program, designated qualified personnel, access controls, encryption, monitoring, and — as discussed in Section 13 — a defined incident-response and breach-notification process.
  • State Privacy Laws (CCPA/CPRA and others). We support compliance with the California Consumer Privacy Act and California Privacy Rights Act, as well as comparable comprehensive privacy laws in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states. See our Privacy Policy for details.
  • State Data Breach Notification Laws. All 50 states, the District of Columbia, and U.S. territories have data breach notification statutes. Our incident-response process is built to satisfy applicable notification obligations wherever affected individuals reside.
  • TCPA & CAN-SPAM. Communications sent through the platform (calls, texts, and email) are governed by consent and opt-out controls designed to support compliance with the Telephone Consumer Protection Act and the CAN-SPAM Act.
  • Payment Card Security (PCI DSS). voAIce does not store full payment card numbers. Card-based transactions, such as deposits, are processed through a PCI DSS Level 1 certified payment processor. Card data is tokenized and handled by the processor; voAIce never takes custody of cardholder funds or stores raw card data on its systems.

4. Data Encryption

We encrypt data both when it is stored and when it moves across networks, eliminating the two most common avenues of data exposure.

Encryption at Rest

All customer data persisted in our databases, object storage, and backups is encrypted at rest using AES-256, the same encryption standard trusted by financial institutions and governments. This includes structured database records, uploaded documents and media, call recordings, and backup snapshots.

Encryption in Transit

All data transmitted between your browser or device and our platform, and between our internal services, is encrypted in transit using TLS 1.2 or higher. We enforce HTTPS across all customer-facing surfaces and use modern cipher suites. Legacy, weak, and deprecated protocols are disabled.

Key & Secret Management

Encryption keys and application secrets (API keys, signing keys, service credentials) are managed through centralized, access-controlled secret storage — never hardcoded into application source and never exposed to client-side code. Access to secrets is restricted to the specific services that require them, rotation procedures are in place, and secret-scanning controls run against our codebase to prevent accidental credential exposure.

5. Multi-Tenant Data Isolation

voAIce is a multi-tenant platform — many dealerships and dealer groups operate on shared infrastructure — but each tenant's data is rigorously isolated from every other tenant's. One dealer can never see, query, or access another dealer's customers, deals, communications, or settings.

Isolation is enforced at multiple layers rather than relying on a single control:

  • Tenant-scoped data model. Every record in the platform carries a tenant identifier, and every data access is automatically constrained to the requesting user's tenant. The tenant identity is derived from the authenticated server-side session — it can never be overridden by client-supplied input.
  • Database-level controls. Our databases enforce row-level security and least-privilege access so that data cannot be reached outside its tenant boundary, even in the event of an application-layer flaw.
  • Authorization on every request. Server-side authorization checks validate that the authenticated user is entitled to the specific resource being requested — independent of how the request was constructed.

This defense-in-depth approach means a single bug or misconfiguration cannot, by itself, break the boundary between two customers' data.

6. Access Controls & Authentication

We operate on the principle of least privilege: every user — whether a dealership employee or a member of voAIce's own staff — receives only the access required for their role, and nothing more.

  • Role-based access control (RBAC). Within each dealership, access to features and data is governed by configurable permission groups. New users begin with zero permissions; an administrator explicitly grants capabilities. This "secure by default" model means access is something deliberately given, never assumed.
  • Granular, scoped visibility. Permissions can restrict a user to the specific stores, customers, and functions appropriate to their role, supporting groups that span multiple rooftops and time zones.
  • Step-up authorization for sensitive actions. The most sensitive configuration areas require an additional, time-limited elevated-access step beyond ordinary administrator rights — and that elevation automatically expires.
  • Strong authentication. Customer access is protected by secure session management and multi-factor verification controls. Internal access to production systems by voAIce personnel requires strong authentication and is limited to authorized staff.
  • Session security. Sessions are issued and validated server-side, scoped to a single tenant, and expire appropriately. Authorization is re-checked on every privileged request rather than trusting a prior decision.

Every grant, change, and elevated-access event is logged (see Section 9).

7. Infrastructure & Network Security

voAIce runs on enterprise-grade, professionally-managed cloud infrastructure with security and resilience built into the platform itself.

  • Hardened, managed environments. Our production systems run on reputable cloud providers that maintain their own rigorous security certifications, physical-security controls, and infrastructure protections.
  • Edge protection. Customer traffic is served through a global edge network that provides TLS termination, distributed-denial-of-service (DDoS) mitigation, and traffic filtering.
  • Network segmentation & minimized exposure. Internal services are segmented, and only the surfaces that must be public are exposed to the internet. Administrative and operational interfaces are not publicly reachable.
  • Rate limiting & abuse prevention. Public-facing endpoints enforce rate limiting and abuse-detection controls to deter automated attacks, credential stuffing, and bulk-data scraping.
  • Webhook & integration verification. Inbound webhooks and machine-to-machine integrations are cryptographically verified before any action is taken, using signature verification with replay protection. Unverified requests are rejected.

8. Secure Software Development

Security is embedded in how we build, not just how we operate. Our software development lifecycle includes:

  • Code review. Changes are reviewed before reaching production, with attention to security-relevant code paths such as authentication, authorization, and data access.
  • Automated security scanning. We run automated checks for hardcoded secrets, vulnerable dependencies, and common security anti-patterns as part of our pipeline. Builds are blocked when these checks detect a problem.
  • Input validation & output hygiene. Inputs are validated server-side, and error responses are sanitized so that internal details — file paths, library versions, schema names — are never leaked to clients.
  • Dependency management. Third-party libraries are monitored for known vulnerabilities and updated on a risk-prioritized basis.
  • Separation of duties & change control. Production changes follow controlled deployment processes with audit trails.

9. Logging, Monitoring & Audit Trails

You cannot protect what you cannot see. voAIce maintains continuous monitoring and comprehensive audit logging across the platform.

  • 24/7 monitoring & alerting. Automated systems monitor platform health, security signals, and anomalous activity around the clock, and escalate to our team in real time when thresholds are crossed.
  • Comprehensive audit logging. Sensitive and administrative actions — permission changes, configuration updates, data mutations, elevated-access events, and authentication events — are recorded to tamper-evident audit logs that capture who performed the action, when, and from where.
  • Anomaly & abuse detection. We operate automated detection for unusual access patterns, such as bulk-data access bursts, and route confirmed signals to on-call staff for rapid response.
  • Log protection. Audit and security logs are access-restricted, retained for an appropriate period, and protected from unauthorized modification.

10. Vulnerability Management & Penetration Testing

We proactively look for weaknesses before attackers can. Our program includes ongoing vulnerability scanning of our applications and infrastructure, periodic third-party penetration testing, and a risk-based remediation process that prioritizes findings by severity and exposure. Critical findings are addressed on an expedited basis. We also welcome reports from external security researchers — see Section 16 on how to responsibly disclose a vulnerability to us.

11. Vendor & Sub-Processor Management

voAIce relies on a carefully-selected set of third-party service providers (sub-processors) for capabilities such as cloud hosting, communications delivery, payment processing, and analytics. We hold these vendors to security standards consistent with our own, and we limit the data shared with each to what is necessary for the service they provide. Each sub-processor is bound by contractual confidentiality and data-protection obligations.

We do not sell customer or consumer personal information to any party. A current list of our sub-processors is available to customers upon request at security@voaice.com.

12. Business Continuity & Disaster Recovery

Your business depends on the platform being there when you need it. We maintain business-continuity and disaster-recovery practices designed to minimize both data loss and downtime:

  • Automated, encrypted backups. Customer data is backed up on a regular schedule, with backups encrypted at rest and stored durably.
  • Redundancy. Our infrastructure is designed for resilience, with redundancy across the components that serve customer traffic.
  • Recovery objectives. We maintain defined recovery objectives and procedures for restoring service and data following a disruptive event, and we test our ability to recover.
  • Availability monitoring. Continuous monitoring detects degradations early so we can respond before they become outages.

13. Data Breach & Incident Response

No organization can promise that a security incident will never occur — and any vendor who tells you otherwise is not being honest. What a trustworthy partner can do is be prepared, act fast, and be transparent. voAIce maintains a formal, documented Incident Response Plan that is reviewed and exercised on a recurring basis. This section describes, in plain language, exactly how we respond to a suspected or confirmed security incident — and what you, as a customer, can expect from us.

13.1 Our Incident Response Lifecycle

Our response follows a structured, repeatable lifecycle so that nothing is missed under pressure:

  • 1. Preparation. We maintain the plan, define roles, run continuous monitoring, and train our team in advance — so that when an event happens, the response is reflexive, not improvised.
  • 2. Detection & Reporting. Incidents may surface through automated monitoring and alerting, internal discovery, customer reports, or external researcher disclosures. Every credible report is logged and triaged immediately.
  • 3. Triage & Severity Classification. A designated incident responder assesses the report, assigns a severity level based on the sensitivity of data involved and the scope of potential exposure, and — for anything beyond the lowest severity — activates the incident-response team and appoints an incident commander.
  • 4. Containment. Our first operational priority is to stop the bleeding: isolate affected systems, revoke or rotate compromised credentials, block malicious access, and prevent the incident from spreading or continuing — without destroying the evidence needed for investigation.
  • 5. Investigation & Forensics. We determine the root cause, the timeline, the systems involved, and — most importantly — whether any customer or consumer data was actually accessed, acquired, or exfiltrated, and if so, exactly which data and whose.
  • 6. Eradication. We remove the underlying cause — the vulnerability, the malicious artifact, the misconfiguration — so the same incident cannot recur through the same path.
  • 7. Recovery. We restore affected systems and data to known-good states from secure backups, validate integrity, and confirm that normal, secure operation has resumed under heightened monitoring.
  • 8. Notification. Where an incident affects, or is reasonably likely to have affected, customer or consumer data, we notify affected parties and regulators in accordance with our commitments and applicable law (see 13.3 and 13.4).
  • 9. Post-Incident Review. After every significant incident we conduct a formal retrospective to capture lessons learned and drive concrete improvements to our controls, monitoring, and the plan itself.

13.2 Roles & Responsibilities

Incident response is owned, not diffused. Each incident is led by a designated incident commander who coordinates the technical responders, communications, and any required legal and regulatory engagement. Severe incidents are escalated to executive leadership. This clear ownership prevents the most common failure mode in a real incident — confusion about who is in charge.

13.3 How & When We Notify You

In a typical voAIce engagement, the dealership is the controller of its consumers' personal information and voAIce acts as its service provider/processor. That shapes how notification works, and we commit to the following:

  • Prompt notice to affected customers. If we confirm a security incident that has compromised, or is reasonably likely to have compromised, the personal information of a dealer customer, we will notify that customer without undue delay after confirmation — with a target of within 72 hours of confirming the breach affects their data. We will not wait for a complete investigation to put you on notice that an incident affecting you has occurred.
  • What the notice contains. To the extent known at the time, our notification will describe: the nature of the incident; the categories of data and, where possible, the records or individuals affected; the date or date range of the incident and of its discovery; the steps we have taken to contain and remediate it; the steps you may wish to take; and a point of contact for follow-up. As the investigation progresses, we provide updates rather than going silent.
  • Support for your own obligations. Because consumer breach-notification duties generally fall on the dealership as the data controller, we provide the information you reasonably need to meet your own legal obligations to your customers and regulators, and we cooperate with your response in good faith.
  • How we reach you. Notifications are delivered to your designated administrative and security contacts via direct communication (email and, where warranted by severity, telephone). We encourage every customer to keep an up-to-date security contact on file with us.

13.4 Regulatory Notification

Where an incident triggers legal notification obligations, voAIce supports and, where we are directly obligated, performs the required regulatory notifications, including:

  • FTC notification under the amended Safeguards Rule. For incidents meeting the regulatory threshold (notification events involving the unencrypted information of 500 or more consumers), notification to the Federal Trade Commission is made as soon as possible and no later than the 30-day regulatory deadline following discovery.
  • State breach notification laws. We support notification to affected individuals and, where required, to state attorneys general and other authorities, in accordance with the breach-notification statutes of the states where affected individuals reside — most of which require notice without unreasonable delay.
  • Other applicable obligations. We comply with any additional notification duties imposed by law or contract that apply to a given incident.

13.5 No Cover-Ups

We will never conceal, downplay, or delay disclosure of a confirmed data security incident that affects you. Transparency under pressure is the truest test of a security program, and it is a test we intend to pass every time.

14. Data Retention & Secure Disposal

We retain customer data for as long as necessary to provide the service, comply with legal obligations, resolve disputes, and enforce our agreements. When data is no longer needed, or upon valid request and consistent with our contractual and legal duties, it is securely deleted or anonymized so that it cannot be reconstructed. See our Privacy Policy for retention details and your rights.

15. Personnel Security & Shared Responsibility

Our People

Security depends on people as much as technology. voAIce personnel are subject to confidentiality obligations, receive security awareness training, and are granted production access only on a need-to-know, least-privilege basis. Access is reviewed and is promptly revoked upon role change or departure.

Your Role

Security is a shared responsibility. We secure the platform; you help secure your account. We ask that customers protect their login credentials, enable available authentication safeguards, grant employees only the permissions their roles require, remove access promptly when staff leave, and report any suspected compromise of their account to us immediately. The strongest platform controls can be undermined by a shared or stolen password — partnering with us on basic account hygiene keeps everyone's data safe.

16. Reporting a Security Concern or Vulnerability

If you believe you have discovered a security vulnerability in any voAIce product or service, or if you suspect your account or data may have been compromised, please contact us immediately. We take every report seriously, investigate promptly, and welcome good-faith research conducted responsibly (without accessing or exfiltrating data that is not yours, degrading service, or violating others' privacy).

Security Contact
Email: security@voaice.com
For account-compromise emergencies, mark your message "URGENT — Security" in the subject line.

17. Changes to This Statement

We may update this Security & Data Protection statement from time to time to reflect changes in our practices, technology, certifications, or legal requirements. When we make material changes, we will update the "Last Updated" date at the top of this page. We encourage you to review this page periodically. Our SOC 2 report and security documentation, available under NDA, always reflect our current, audited control set.

18. Contact Us

For questions about our security program, to request our SOC 2 Type II report or sub-processor list, or to begin a vendor security review, please reach out:

voAIce
Security: security@voaice.com
Privacy: privacy@voaice.com
Website: voaice.com