Security

Our commitment

Security is treated as a core part of how we build and operate vocumi — not an afterthought. We apply layered technical and organisational controls across the platform, review them regularly, and take reports from the security community seriously.

This page describes our approach in plain language and explains how to reach us if you find a problem.

How we protect your data

• Encryption in transit and at rest — we enforce encrypted connections for all data transmission and store data on encrypted infrastructure.
• Credential security — passwords are never stored in plain text or logged. Credential handling is delegated to a dedicated authentication provider with industry-standard protections. Sessions are managed to reduce exposure to common web-based attacks.
• Data isolation — we design for strong separation between organisations. Each team's data is scoped at the infrastructure level, and access is enforced server-side.
• Role-based permissions — within a team, what each member can see and do is determined by their role. Permission checks are applied on the server for all data-modifying actions.
• Input handling — user-submitted data is validated and sanitised before processing. We apply controls to resist automated abuse and excessive resource consumption.
• Protective response headers — the application applies HTTP security headers on every page to mitigate common browser-based attack categories.
• Controlled error responses — we take care to ensure that error messages do not expose internal system details to end users.
• Minimal access for internal services — integrations and background services are scoped to only the access they require.
• Infrastructure security — vocumi is hosted on enterprise-grade cloud infrastructure whose providers maintain independent security certifications and compliance programmes.

We conduct periodic internal security reviews and act on findings. No platform is immune from vulnerabilities — our goal is to detect and address them quickly.

If something goes wrong

In the event of a confirmed security incident that affects personal data, we will notify impacted users and, where required by law, the relevant supervisory authorities within the timelines mandated by applicable regulations (including GDPR).

If you believe your account or data has been affected, contact us immediately at contact@vocumi.com.

Responsible disclosure

If you believe you have found a security vulnerability in vocumi, we encourage you to tell us before making it public. We commit to working with you in good faith.

Safe harbour — we will not pursue legal action against researchers who discover and report vulnerabilities responsibly, provided they act in good faith, do not access or modify data belonging to other users, and allow us reasonable time to respond before any public disclosure.

How to report — send your report to contact@vocumi.com with a description of the issue, steps to reproduce it, and any potential impact you have identified. Please include “Security Report” in the subject line.

What to expect — we will acknowledge your report within 2 business days. We aim to provide an initial assessment within 5 business days and to resolve confirmed vulnerabilities as quickly as the severity warrants. We will keep you informed and ask that you allow us at least 90 days before any public disclosure, unless we agree on a shorter timeline.

Scope — reports are welcome for the vocumi web application and its API. Issues in third-party services we rely on (authentication provider, payment processor, cloud infrastructure) should be reported directly to those vendors. Please do not perform automated scanning or denial-of-service testing against our production environment.

We do not currently operate a paid bug bounty programme, but we will publicly acknowledge researchers who responsibly disclose significant findings, if they wish.

Limitations

No system connected to the internet can be guaranteed to be completely secure. Despite our efforts, we cannot warrant that vocumi is free from vulnerabilities or that data will never be compromised. We hold ourselves accountable to act responsibly and transparently if that happens.