Voiceflow | Security and Compliance

Compliance

ISO/IEC 27001:2013 is a specification for an information security management system (ISMS), which is a framework for an organization's information risk management processes

View Certificate

Reliability

● 24x7x365 system server monitoring and on-call support from dedicated cloud-ops team
● Infrastructure hosted on Amazon Web Services (AWS) and Google Cloud Platform (GCP)
● Annually tested business continuity and disaster recovery (DR) plans
● Separate production and testing environments
● Multi-availability zone (AZ) compute instances
● Infrastructure as Code (IaaC) management of cloud resources to ensure repeatable and reliable changes.

Security features

● Voiceflow follows secure credential storage best practices by storing passwords using one-way hash encrypted passwords (BCRYPT)
● Audit logging and event alerting
● Regular updates rolled out to all customers, ensuring everyone has the latest application and security innovation
● Project history tracking and rollback capability
● User-managed workspace access control to govern sharing privileges
● Application audit log that includes security events such as user logins or configuration changes.

Data security

● Encryption-at-rest with AWS/GCP KMS customer-managed keys (AES-256)
● Geographically distributed and encrypted offsite backups
● Fully managed multi-AZ database instances with point-in-time-restore (PITR)

Network security

● A CDN-based Web Application Firewall (WAF) and (D)DOS mitigation technologies
● Encryption-in-transit using industry-standard TLS v1.2+ to ensure that all traffic between users and Voiceflow is secure.
● All cloud-internal traffic is encrypted with mTLS with short-lived per-application certificates.
● Tiered, firewalled, and segmented network infrastructure to ensure that communication between Voiceflow services is strictly controlled.

Organizational security

● Employee background and reference checks in accordance with local laws.
● Annual employee security awareness training covers topics such as data privacy, information security, and password security.
● Principle-of-least-privilege implemented across the organization for both information and resource access.
● Audit logging of all cloud resources

Application security

● Automated vulnerability analysis via network, host, and application scans.
● Code assessment through both automated and manual review processes governed by Voiceflow's document Software Development Life Cycle (SDLC) policy.
● Annual external penetration testing on primary public-facing endpoints.
● Single Sign-On (SSO) support for enterprise users

Contact

If you believe you've discovered a security-related issue or would like to learn more about Voiceflow's security practices, please contact us at security@voiceflow.com.

‍Adam Loo
Head of Legal and Compliance
Voiceflow, Inc.
Toronto, Canada