🛡 Enterprise compliance hub

Compliance Center

Enterprise-grade security documentation for vendor risk assessments and procurement teams. Download what you need or grab the whole pack as a ZIP.

AES-256 Encryption · SOC 2 Aligned · GDPR Ready · 99.9% Uptime SLA
Documents

Everything procurement asks for

Five PDFs covering security architecture, data processing, AI governance, SOC 2 readiness, and a pre-completed vendor risk assessment. Download individually or grab the full pack above.

Security Architecture White Paper

Comprehensive overview of Votriz's security controls, data isolation architecture, encryption approach, RBAC model, and access-control enforcement.
7 pages · PDF · 15 KB
Download PDF →

Data Processing Agreement (DPA)

Standard contractual clauses for data protection, including the sub-processor list, data retention policy, and breach-notification commitments.
4 pages · PDF · 6 KB
Download PDF →

AI Governance Policy

AI model inventory, human-oversight framework, data-usage principles, bias monitoring, and the accountability structure for autonomous components.
4 pages · PDF · 6 KB
Download PDF →

SOC 2 Readiness Summary

Trust Service Criteria coverage with key control mapping (CC6 access, CC7 ops, CC8 change, CC9 risk) and the path to formal certification.
3 pages · PDF · 5 KB
Download PDF →

Vendor Risk Assessment (Pre-completed)

Pre-filled security questionnaire covering AI governance, data handling, security controls, intellectual-property posture, and operational resilience. Designed to drop straight into your vendor management workflow.
5 pages · PDF · 7 KB
Download PDF →
How we protect your data

Six controls, end-to-end

Every layer is testable, auditable, and reflected in the documents above. The dashboard's Security page surfaces the live status for compliance auditors.

Certifications

Where we are today, where we're going

We don't claim certifications we don't hold. Here's the honest roadmap.

GDPR Compliance
● Active — DPA available, sub-processor list published, deletion endpoint live.
CAN-SPAM Compliance
● Active — One-click unsubscribe on every campaign, sender identification, content-filter audit.
NIST AI RMF Alignment
● Active — Govern / Map / Measure / Manage controls documented in the AI Governance Policy.
SOC 2 Type I
○ Q4 2026 — Audit window opening; control evidence already collected via the audit-log infrastructure.
SOC 2 Type II
○ Q2 2027 — Six-month observation period following Type I attestation.
ISO 27001
○ 2027 — Information-security management system certification.
ISO 42001 (AI Management Systems)
○ 2027 — First international standard for AI governance.
FAQ

The questions procurement actually asks

Do you use my data to train AI models?
No. Never. We use Anthropic's Claude API, which contractually does not use API data for model training. Your content, subscribers, and analytics exist only to generate output for your brand within your organization.
How is my data separated from other customers?
Three layers. (1) Application: every query is filtered by an org_id that's derived from your JWT — never from client input. (2) Database: PostgreSQL Row-Level Security policies on every tenant-scoped table provide defense-in-depth. (3) Infrastructure: dedicated database schemas / instances are available for Enterprise customers. Live proof is exposed via the in-app /security/isolation-proof endpoint.
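An added example of layer (1), not Votriz's own code: the tenant filter is taken from a verified JWT claim, and an org_id sent in the request is ignored. The HS256 signing, the key, the function names and the sample rows are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # constructed value; load the real key from a secret store

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def sign_token(claims: dict) -> str:
    """Issue an HS256 JWT; stands in for the login service (hypothetical)."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return f"{head}.{body}.{b64url(mac(f'{head}.{body}'))}"

def verified_org_id(token: str) -> str:
    """Return org_id only after structure, algorithm, signature and expiry checks."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header, sig = json.loads(unb64url(head_b64)), unb64url(sig_b64)
        claims = json.loads(unb64url(body_b64))
    except ValueError as exc:
        raise PermissionError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise PermissionError("malformed token")
    if header.get("alg") != "HS256":  # pin the algorithm; rejects "none"
        raise PermissionError("unexpected alg")
    if not hmac.compare_digest(sig, mac(f"{head_b64}.{body_b64}")):
        raise PermissionError("bad signature")
    exp, org_id = claims.get("exp"), claims.get("org_id")
    if not isinstance(exp, (int, float)) or exp <= time.time():
        raise PermissionError("expired or missing exp")
    if not isinstance(org_id, str) or not org_id:
        raise PermissionError("missing org_id")
    return org_id

def list_campaigns(token: str, request_params: dict, rows: list) -> list:
    """Tenant filter uses the verified claim; request_params['org_id'] is never read."""
    org_id = verified_org_id(token)
    return [row for row in rows if row["org_id"] == org_id]

ROWS = [  # constructed sample data
    {"org_id": "org_a", "name": "spring-launch"},
    {"org_id": "org_b", "name": "q3-newsletter"},
]
```

In a deployment that also uses Row-Level Security, the same verified value would be what the application hands to the database session, so the policy in layer (2) checks the identical tenant.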
Do you have SOC 2 certification?
We are SOC 2 aligned with the controls in place — RBAC, immutable audit log, encryption, change management, incident response. Formal Type I attestation is targeted for Q4 2026 and Type II follows in Q2 2027. The Readiness Summary above maps current controls to the Trust Service Criteria.
Who can access my data within your organization?
Only designated engineering personnel via an encrypted VPN tunnel, and every connection is logged. Customer-data access happens for support, debugging, or migration only — and only with a documented reason that lands in the audit log.
What happens to my data if I cancel?
Account data is retained for 30 days post-cancellation in case you change your mind, then permanently deleted. You can request immediate deletion or export all your data at any time via the in-app deletion request flow or by emailing [email protected].
Can I get a custom security assessment?
Yes. Enterprise customers receive dedicated security reviews, custom penetration-test windows, and direct access to our security team for compliance questionnaires beyond what's in the standard pack. Email [email protected] to start the conversation.

Need a custom security assessment?

Enterprise customers get dedicated reviews, custom penetration-test windows, and direct access to our security team for any compliance question outside the standard pack.

📧 [email protected]