Security at Voiceflow

Customer trust is one of the most valuable assets a company has. That’s why our top priority is delivering a high-performance solution with a focus on keeping our customers’ data safe and their interactions secure. Voiceflow strives to provide uninterrupted and reliable service.
Our application and network infrastructure meet or exceed industry security expectations.

Below we outline how we achieve our high levels of resilience and security.

Compliance

ISO/IEC 27001:2013 Compliance Logo

ISO/IEC 27001:2013 is a specification for an information security management system (ISMS), which is a framework for an organization's information risk management processes

View Certificate

Reliability and Resilience

● 24x7x365 systems server monitoring and on-call support from a dedicated infrastructure team
● Infrastructure hosted on Amazon Web Services (AWS) and Google Cloud Platform (GCP).
● Annually tested business continuity and disaster recovery (DR) plans
● Separate production and testing environments.
● Multi-availability zone (AZ) compute instances
● Infrastructure as Code (IaaC) management of cloud resources to ensure repeatable and reliable changes.

Product Security Features

● Voiceflow follows secure credential storage best practices by storing passwords using one-way hash encrypted passwords (BCRYPT)
● Audit logging and event alerting
● Regular updates rolled out to all customers, ensuring everyone has the latest application and security innovation
● Project history tracking and rollback capability
● User-managed workspace access control to govern sharing privileges
● Application audit log that includes security events such as user logins or configuration changes.

Data Security

● Encryption-at-rest with AWS/GCP KMS customer-managed keys (AES-256)
● Geographically distributed and encrypted offsite backups
● Fully managed multi-AZ database instances with point-in-time-restore (PITR)

Network Security

● A CDN-based Web Application Firewall (WAF) and (D)DOS mitigation technologies
● Encryption-in-transit using industry-standard TLS v1.2+ to ensure that all traffic between users and Voiceflow is secure.
● All cloud-internal traffic is encrypted with mTLS with short-lived per-application certificates.
● Tiered, firewalled, and segmented network infrastructure to ensure that communication between Voiceflow services is strictly controlled.

Organizational security

● Employee background and reference checks in accordance with local laws.
● Annual employee security awareness training covers topics such as data privacy, information security, and password security.
● Principle-of-least-privilege implemented across the organization for both information and resource access.
● Audit logging of all cloud resources

Application Security

● Automated vulnerability analysis via network, host, and application scans.
● Code assessment through both automated and manual review processes governed by Voiceflow's document Software Development Life Cycle (SDLC) policy.
● Annual external penetration testing on primary public-facing endpoints.
● Single Sign-On (SSO) support for enterprise users

Contact Us

If you believe you've discovered a security-related issue or would like to learn more about Voiceflow's security practices, please contact us at security@voiceflow.com.