Security at Certivox

We handle sensitive compliance data. Security is not an afterthought — it is foundational to everything we build.

Last Updated: April 1, 2026

SOC 2 Type II

Certification in progress. We are actively pursuing SOC 2 Type II across Security, Availability, and Confidentiality trust service criteria.

Encryption

All data encrypted in transit via TLS 1.2+ and at rest via AES-256. No exceptions.

Google Cloud Platform

Built on GCP — FedRAMP Authorized, ISO 27001 certified, SOC 2 compliant infrastructure in us-central1.

Access Controls

Role-based access control (RBAC), least-privilege principles, and audit logging on all production systems.

Infrastructure Security

Cloud provider: Google Cloud Platform (GCP), us-central1 region (Iowa, USA)
Compute: Cloud Run — fully managed, serverless containers with automatic scaling and zero persistent server access
Database: Cloud SQL (PostgreSQL) — private VPC only, no public internet exposure, automated backups with point-in-time recovery
Secrets management: All API keys, database credentials, and secrets stored in GCP Secret Manager. Never hardcoded or committed to source control
Network: Private VPC with strict firewall rules. Cloud Run services communicate over private Google network fabric
CI/CD: Google Cloud Build with automated security scanning. No direct production deployments — all changes go through automated build pipeline

Application Security

Authentication: Firebase Authentication with support for Google OAuth and email/password. Session tokens are HTTP-only, secure cookies — not accessible to JavaScript
Authorization: Role-based access control (RBAC) enforced server-side on every API route. Organization data is strictly isolated — users can only access their own organization's data
Input validation: All API inputs validated using Zod schema validation with TypeScript strict mode. Parameterized queries via Prisma ORM prevent SQL injection
Dependency management: Dependencies regularly audited and updated. Critical vulnerabilities patched within 24 hours
DNS and CDN: Cloudflare sits in front of our infrastructure providing DDoS protection, WAF, and TLS termination

Data Security

Encryption in transit: TLS 1.2 minimum, TLS 1.3 preferred on all connections
Encryption at rest: AES-256 encryption on all Cloud SQL data and GCP storage
Multi-tenancy isolation: Each organization's data is logically isolated at the database level using organization-scoped queries enforced in application code
Payment data: We never store payment card data. All payment processing is handled by Stripe (PCI-DSS Level 1 certified)
Compliance data: Your AI governance content (system inventories, assessments, controls) is your data. We do not analyze, share, or use it outside of providing the Service

Operational Security

Access management: Production access is limited to authorized personnel only, with audit logs on all access
Monitoring: GCP Cloud Logging and Monitoring for real-time alerting on anomalous activity
Backups: Automated daily database backups with 7-day retention and point-in-time recovery capability
Incident response: We maintain an incident response plan. Material security incidents will be communicated to affected customers within 72 hours per GDPR requirements

Compliance Posture

SOC 2 Type IIIn Progress

GDPRCompliant

CCPACompliant

GCP FedRAMPInherited

PCI-DSS (Stripe)Inherited

ISO 42001Roadmap

Vulnerability Disclosure

We take security reports seriously. If you discover a security vulnerability in Certivox, please report it responsibly:

Security contact: security@certivox.ai

Please include a description of the vulnerability, steps to reproduce, and your contact information. We will acknowledge receipt within 48 hours and keep you informed of our remediation progress. We request that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.

Questions

For security-related questions or to request our security documentation, contact us at security@certivox.ai.