Security Policy

Effective Date: January 5, 2026
Last Updated: January 5, 2026
Version: 1.0

1. Introduction

Voice AI Portal (“we,” “us,” or “our”) is a white-label Software-as-a-Service (SaaS) analytics platform operated by ALIM Ltd (Company Number 14528810), registered in England and Wales. We aggregate call analytics and ROI metrics from voice AI platforms (Retell AI, VAPI, ElevenLabs) into branded client workspaces for AI agencies.

This Security Policy outlines our comprehensive security framework, demonstrating enterprise-grade security practices aligned with SOC 2 Type II principles, ISO 27001 standards, and UK GDPR Article 32 security requirements. We operate under a shared responsibility model clearly defining security obligations across infrastructure providers, voice AI integrations, and our platform.

Security Commitment: Protecting customer data and platform integrity is our highest priority.

2. Company Certifications & Compliance

Current Certifications & Compliance:

 SOC 2 Type II (Trust Services Criteria: Security, Availability, Confidentiality, Privacy, Processing Integrity)
• ISO 27001 Information Security Management (planned 2026)
• UK GDPR Article 32 Security of Processing
• PCI DSS (via Stripe payment processor)
• EU Cloud Code of Conduct (GCP, Supabase compliance)

Independent Audits:

  • Annual third-party SOC 2 Type II audits
  • Quarterly internal security assessments
  • Bi-annual penetration testing by certified providers
  • Monthly vulnerability scanning

Audit Reports: Available to enterprise customers under NDA.

3. Shared Responsibility Model

Voice AI Portal operates under a three-tier shared responsibility model:

Security DomainInfrastructure ProviderVoice AI ProviderVoice AI Portal
InfrastructureGCP physical security, VPC, hypervisorN/AService configuration, IAM, network security
Voice ProcessingUnderlying compute/storageCall recording, AI models, telephonyAPI integration, metadata only
ApplicationPlatform services (GCP, Supabase)Voice API endpointsApp security, auth, RBAC
DataStorage encryptionVoice data securityCustomer metadata, billing
ComplianceInfrastructure certificationsVoice-specific compliancePlatform GDPR/SOC 2

3.1 Infrastructure Layer (GCP + Supabase)

Google Cloud Platform (europe-west1, Belgium) and Supabase (eu-central-1, Germany) provide:

 Physical data center security
• Network infrastructure & DDoS protection
• Hypervisor & OS patching
• Infrastructure compliance (SOC 2, ISO 27001)

3.2 Voice AI Provider Layer

Retell AI, VAPI, ElevenLabs are responsible for:

 Voice recording storage & security
• AI model security & privacy
• Telephony infrastructure
• Real-time communication encryption
• Voice-specific compliance (TCPA, consent)

Voice AI Portal Role: Metadata retrieval only (no voice storage).

3.3 Voice AI Portal Application Layer

We maintain responsibility for:

 Application security & code integrity
• Supabase authentication & RBAC
• Multi-tenant isolation
• White-label domain security
• API security & integrations

4. Voice AI Portal Security Framework

4.1 Secure Development Lifecycle (SDL)

Code Security:

 OWASP Top 10 secure coding standards
• Snyk dependency vulnerability scanning (weekly)
• GitHub Advanced Security code scanning
• Pre-commit security hooks
• Mandatory 2-person code review

CI/CD Pipeline:

 Automated security testing (SAST/DAST)
• Container image vulnerability scanning
• Infrastructure as Code (IaC) security validation
• Signed container images & commits
• Immutable deployments

4.2 Authentication & Authorization

Supabase Authentication (eu-central-1):

 Bcrypt password hashing (per-user salt)
• JWT tokens with 24h expiry + refresh
• Row Level Security (RLS) tenant isolation
• Rate limiting (5 failed logins → lockout)
• Magic link authentication (time-limited)

Role-Based Access Control (RBAC):

 6 permission levels: Super Admin, Agency Admin, Workspace Admin, Workspace Editor, Workspace Viewer, Guest
• Granular permissions per resource type
• Just-in-time privilege elevation
• Audit trail for all permission changes

Multi-Factor Authentication (MFA):

 Required for all Admin accounts
• Optional for Workspace users
• TOTP + backup codes
• Hardware security key support (YubiKey)

4.3 Data Protection

Encryption Standards:

 Data at Rest: AES-256 (Supabase + GCP)
• Data in Transit: TLS 1.3 (HSTS enabled)
• Database: Supabase RLS + GCP Cloud SQL encryption
• Key Management: GCP KMS + Supabase native
• White-label SSL: Cloudflare automatic provisioning

Data Classification:

 Public: Marketing content, public docs
• Internal: Operational data, analytics
• Confidential: Customer metadata, billing
• Restricted: Authentication credentials, API keys

Data Minimization: Only collect necessary metadata (no voice content storage).

4.4 Network & Infrastructure Security

Google Cloud Platform (europe-west1):

 VPC with private subnets
• Cloud Armor WAF + DDoS protection
• Cloud Load Balancing with health checks

Cloudflare Security:

 OWASP Top 10 WAF ruleset
• DDoS mitigation (100+ Gbps capacity)
• Bot Management (95%+ accuracy)
• Rate limiting (API abuse protection)
• Managed Challenge for suspicious traffic

4.5 Multi-Tenant & White-Label Security

Tenant Isolation:

 Supabase RLS policies (database-level)
• Application-level workspace ID enforcement
• Separate Cloud SQL schemas per enterprise client
• Logical network segmentation (VPC peering)
• Audit logs isolated per tenant

White-Label Security:

 Cloudflare SSL for custom domains (auto-renewal)
• CSP headers per tenant (content isolation)
• Custom domain validation (DNS ownership)
• Per-domain security analytics

5. Monitoring & Incident Response

5.1 24/7 Security Monitoring

Security Operations Center (SOC):

 GCP Security Command Center (unified view)
• Cloudflare Security Analytics (real-time)
• Supabase audit logs (authentication)
• GCP Cloud Logging (centralized)

Threat Detection:

• Cloudflare Threat Score (0-10 risk rating)
• Anomaly detection (login patterns, API usage)
• File integrity monitoring
• Configuration drift detection

5.2 Incident Response Procedures

IR Playbooks (SOC 2 compliant):

1.Detection → Automated alerting (PagerDuty)
2. Triage → Severity classification (P1-P4)
3. Containment → Isolate affected systems
4. Eradication → Remove root cause
5. Recovery → Restore from backups
6. Lessons Learned → Post-mortem + playbook update

Notification SLAs:

 P1 (Critical): ICO notification <72h, Clients <24h
• P2 (High): Clients <48h
• P3 (Medium): Clients <5 days
• P4 (Low): Internal only

6. Vulnerability Management

Vulnerability Scanning:

• Weekly: Snyk (dependencies), GCP Security Scanner
• Monthly: Qualys external scanning
• Quarterly: Full pen test (independent provider)
• Daily: Cloudflare threat intelligence

Patch Management:

• Critical: <24h
• High: <7 days
• Medium: <30 days
• Low: <90 days

Responsible Disclosure: Bug bounty program via HackerOne (private).

7. Third-Party Risk Management

7.1 Sub-Processor Security Requirements

All third-party providers must meet:

• SOC 2 Type II or ISO 27001
• Executed DPA (Article 28 UK GDPR)
• Annual security audit reports
• 24h breach notification SLA
• Right to audit (with notice)

Current Providers: Supabase, GCP, Cloudflare, Resend, Stripe ✓

7.2 Voice AI Provider Security

Client Responsibility (Retell AI, VAPI, ElevenLabs):

• Execute DPA directly with providers
• Configure recording consent mechanisms
• Monitor provider security posture
• Validate voice data compliance

Voice AI Portal Role: Secure API integration only.

8. Business Continuity & Disaster Recovery

Backup Strategy:

• Daily automated backups (Supabase + GCP)
• 7-day retention + 30-day point-in-time recovery
• Cross-region replication (europe-west4)
• Quarterly restore testing

Recovery Objectives:

• RTO (Recovery Time): 4 hours
• RPO (Recovery Point): 1 hour
• Multi-AZ high availability (99.95% uptime SLA)

9. Compliance Framework

Regulatory Compliance:

• UK GDPR: Article 32 security, Article 28 processing
• EU GDPR: SCCs for US transfers
• PCI DSS: Via Stripe (Level 1)
• Digital Markets Act: Interoperability standards

Framework Alignment:

• NIST CSF 2.0: Govern, Identify, Protect, Detect, Respond, Recover
• CIS Controls v8: Implementation Groups 1-3
• ISO 27001: Annex A controls (planned certification)

10. Employee Security Program

Onboarding:

• Background checks (UK DBS where required)
• Security awareness training (mandatory)
• Signed confidentiality agreements

Access Controls:

• Least privilege principle
• Quarterly access reviews
• Just-in-time privileged access
• Immediate offboarding (<1h)

Security Culture:

• Monthly phishing simulations (95%+ pass rate)
• Annual security certification training
• Security champions program

11. Security Governance

Security Committee: Monthly meetings (CTO, DPO, engineering leads)

Risk Management:

• Quarterly risk assessments
• Annual third-party risk reviews
• Continuous threat modeling

Metrics Dashboard:

• MTTD (Mean Time to Detect): <15 min
• MTTR (Mean Time to Respond): <4h
• Vulnerability backlog: <30 days
• Patch compliance: >99%

12. Security Contact & Reporting

Security Officer: ALIM Ltd Security Team
Email: [email protected]
Emergencies: +44 7725999798 (24/7)

Vulnerability Reporting:

1. Email: [email protected]
2. Subject: "Security Vulnerability Report - [Brief Description]"
3. Include: Steps to reproduce, impact assessment, affected component
4. Response SLA: 24 hours
5. No unauthorized data access/modification

Responsible Disclosure Program: Available via HackerOne (private program).

Data Breach Reporting:
ICO notification: [email protected] (<72h)
Client notification: [email protected] (<24h P1)

13. Policy Review & Updates

Review Cadence:

• Quarterly: Technical controls
• Semi-annual: Third-party risk
• Annual: Full policy review + audit
• Ad-hoc: Material incidents/changes

Version Control:

• Document maintained in GitHub Enterprise
• Signed releases with change log
• Client notification for material changes

Next Review: April 6, 2026


Document Control:
Owner: ALIM Ltd Security Team
Approval: CTO + DPO
Classification: Public