
    Trust

    Security

    Last updated:

    Voxaris operates production AI infrastructure that handles customer data, voice calls, SMS, and CRM webhooks for service businesses. Security is treated as a product requirement, not an afterthought.

    Reporting a vulnerability

    If you believe you've found a security issue affecting any Voxaris-operated surface — voxaris.io, audit.voxaris.io, pitch.voxaris.io, talkingpostcard.io, or hiringhand.io — email security@voxaris.io or admin@voxaris.io.

    • Acknowledgment target: 2 business days
    • Triage target: 5 business days
    • Critical-issue patch target: 14 days

    Please do not publicly disclose an issue before we've had a chance to remediate it. Please do not access, modify, or destroy data that isn't yours, run automated scans that disrupt service, or phish or social-engineer our team or customers.

    The full coordinated-disclosure policy is published at /.well-known/security.txt per RFC 9116.

    How we secure customer data

    Encryption. All Voxaris-operated surfaces are served exclusively over TLS 1.2+. Strict-Transport-Security is enforced with a 2-year max-age, includeSubDomains, and HSTS preload. Application secrets (API keys, OAuth refresh tokens, Twilio auth tokens, LiveKit API secrets) are stored in environment-scoped secret managers, never in source control.

    Database access. All managed databases (Supabase Postgres, Neon Postgres) enforce row-level-security policies for every multi-tenant table. Cross-tenant reads are not possible — every query is scoped by an authenticated office or user ID.

    Voice & SMS. Telephony runs on LiveKit Cloud + Twilio Elastic SIP Trunking. Outbound voice requires explicit TCPA voice-consent captured per-lead (FCC AI-voice disclosure rule, Feb 2024). Outbound SMS senders carry STOP, HELP, and quiet-hours handling at the platform layer.

    Code. Production deployments go through CI checks (build, typecheck, lint). Dependabot/Renovate updates are reviewed weekly. Code with security implications is reviewed by a second engineer or our security-reviewer agent before merge.

    Browser headers. Every Voxaris surface ships with X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN, Referrer-Policy: strict-origin-when-cross-origin, Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), and a 2-year HSTS preload.
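The header policy stated above can be checked mechanically against any response. The following is an added example, not Voxaris code: the function name `audit_headers` and both sample header sets are constructed for illustration, and the 2-year threshold is taken as 63072000 seconds.

```python
import re

TWO_YEARS = 63072000  # 2 * 365 * 24 * 3600 seconds (assumed reading of "2-year")
# Expected values taken from the "Browser headers" paragraph.
EXPECTED = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "SAMEORIGIN",
    "referrer-policy": "strict-origin-when-cross-origin",
}
DISABLED_FEATURES = ("camera", "microphone", "geolocation", "payment")

def audit_headers(headers):
    """Return a list of findings; an empty list means the response matches the policy."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    for name, want in EXPECTED.items():
        if h.get(name, "").lower() != want.lower():
            findings.append(f"{name}: expected {want!r}, got {h.get(name)!r}")
    # Permissions-Policy: each listed feature must carry an empty allowlist, e.g. camera=()
    policy = {}
    for part in h.get("permissions-policy", "").split(","):
        if "=" in part:
            feat, allow = part.split("=", 1)
            policy[feat.strip()] = allow.strip()
    for feat in DISABLED_FEATURES:
        if policy.get(feat) != "()":
            findings.append(f"permissions-policy: {feat} is not disabled")
    # HSTS: directives are ';'-separated and case-insensitive (RFC 6797).
    hsts = [d.strip().lower() for d in h.get("strict-transport-security", "").split(";")]
    m = next((re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', d) for d in hsts if d.startswith("max-age")), None)
    if m is None or int(m.group(1)) < TWO_YEARS:
        findings.append("strict-transport-security: max-age below 2 years or missing")
    for directive in ("includesubdomains", "preload"):
        if directive not in hsts:
            findings.append(f"strict-transport-security: missing {directive}")
    return findings

# Constructed sample responses (not captured from any Voxaris host).
GOOD = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()",
}
WEAK = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff", "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(self)",
}
```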

    What we collect

    See /privacy for the full data-collection breakdown. Short version: contact details you submit, audit / estimate inputs you provide, and standard server access logs (IP, user-agent, timestamp) retained for 30 days for abuse prevention.

    Subprocessors

    • Vercel — application hosting + edge network
    • Supabase — managed Postgres + auth + storage
    • Neon — managed Postgres (audit.voxaris.io)
    • Twilio — SMS + Voice telephony
    • LiveKit Cloud — voice AI media routing
    • Google Cloud — Gemini + Solar + Maps APIs (no PII passed)
    • Anthropic — Claude API for select agentic tasks
    • OpenAI — speech-to-text + select model inference

    We do not sell or rent customer data to any third party.

    Acknowledgments

    Security researchers who have responsibly disclosed issues:

    None yet — be the first.