Security at Zvani
Technical and organisational measures we take to protect data on the Zvani platform.
Last updated: 16 May 2026 • Questions or issues: security@zvaniai.com
This page is a summary, not a substitute for a contractual commitment. Customers with regulatory obligations (healthcare, finance, public sector) should request our full Technical and Organisational Measures (TOM) annex as part of the Data Processing Agreement.
Technical measures
The controls built into the Zvani platform.
Encryption
Data in motion and at rest is encrypted using widely accepted, industry-reviewed algorithms.
- TLS 1.2 or higher for every connection that touches Zvani
- AES-256 encryption at rest for managed storage volumes and databases
- Sensitive credentials (third-party API tokens, integration secrets) wrapped with symmetric encryption (Fernet / KMS) before persistence
- Recordings stored in object storage with server-side encryption and short-lived signed URLs
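The credential-wrapping control above, shown as an added example (not Zvani's own code): a third-party API token is encrypted with Fernet before it is written to the database, and MultiFernet lets the key-encryption key be rotated without a flag day. The keys here are constructed in memory so the example runs offline; in production they would be loaded from the secrets manager or KMS, and the table and helper names are assumptions.

```python
"""Wrap integration secrets with Fernet before persistence (added illustration).

Assumes a key-encryption key is fetched from a secrets manager / KMS at process
start. CURRENT_KEY and RETIRED_KEY below are constructed for the example only.
"""
from cryptography.fernet import Fernet, InvalidToken, MultiFernet

# Constructed sample keys. In a real deployment these come from the secrets
# manager; they are never committed to source or logged.
CURRENT_KEY = Fernet.generate_key()
RETIRED_KEY = Fernet.generate_key()


def build_wrapper(current_key: bytes, *retired_keys: bytes) -> MultiFernet:
    """MultiFernet encrypts with the first key and decrypts with any of them,
    which is what makes periodic key rotation possible without downtime."""
    return MultiFernet([Fernet(current_key)] + [Fernet(k) for k in retired_keys])


def wrap_secret(wrapper: MultiFernet, plaintext: str) -> bytes:
    """Return the ciphertext that is safe to store in the credentials table."""
    return wrapper.encrypt(plaintext.encode("utf-8"))


def unwrap_secret(wrapper: MultiFernet, ciphertext: bytes) -> str:
    """Recover the plaintext token; raises InvalidToken if the blob was
    tampered with or was encrypted under a key this wrapper does not hold."""
    return wrapper.decrypt(ciphertext).decode("utf-8")


def rotate(wrapper: MultiFernet, ciphertext: bytes) -> bytes:
    """Re-encrypt a stored blob under the current (first) key, so the retired
    key can eventually be dropped from the wrapper."""
    return wrapper.rotate(ciphertext)


def is_unreadable(wrapper: MultiFernet, ciphertext: bytes) -> bool:
    """True when the blob fails authentication (tampering or wrong key)."""
    try:
        wrapper.decrypt(ciphertext)
        return False
    except InvalidToken:
        return True


if __name__ == "__main__":
    wrapper = build_wrapper(CURRENT_KEY, RETIRED_KEY)
    stored = wrap_secret(wrapper, "sk_constructed_example_token")
    print(unwrap_secret(wrapper, stored))
```

Fernet tokens are authenticated (HMAC-SHA256 over AES-CBC), so a modified blob is rejected outright rather than decrypting to garbage; rotation re-wraps existing rows under the new key in place.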
Identity and access
Who can see what, enforced at multiple layers.
- Multi-factor authentication required for all internal access to production systems
- Role-based access control on the customer dashboard with permission scoping per organisation and workspace
- Per-organisation scoping enforced at the API layer (every workspace-scoped read and write goes through a scoped query helper, not raw filters)
- Least-privilege IAM policies on all cloud infrastructure
- Quarterly access reviews of internal users and service accounts
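The per-organisation scoping described above, as an added example that is not Zvani's code: every read and write goes through a helper that ANDs the caller's organisation (taken from the authenticated session, never from the request) into the query, beside the raw-filter anti-pattern it replaces. The `recordings` table, its columns and the sample rows are constructed for the example.

```python
"""Scoped query helper vs raw filters (added illustration, not Zvani's code).

Assumptions: an in-memory sqlite3 table named `recordings` with an `org_id`
column, and a Principal whose org_id is derived from the session.
"""
import sqlite3
from dataclasses import dataclass

ALLOWED_TABLES = {"recordings"}  # table names cannot be bound parameters


@dataclass(frozen=True)
class Principal:
    """The authenticated caller. org_id comes from the session, never the request."""
    user_id: str
    org_id: str


class ScopeViolation(PermissionError):
    """Raised when a write would touch no rows inside the caller's organisation."""


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: one recording in each of two organisations."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE recordings (id TEXT PRIMARY KEY, org_id TEXT NOT NULL, title TEXT)"
    )
    conn.executemany(
        "INSERT INTO recordings VALUES (?, ?, ?)",
        [("rec-1", "org-a", "Sales call"), ("rec-2", "org-b", "Support call")],
    )
    conn.commit()
    return conn


def scoped_select(conn, principal: Principal, table: str, where="1=1", params=()):
    """Read rows; the organisation predicate is injected server-side and the
    caller's own filter is only ever ANDed onto it."""
    if table not in ALLOWED_TABLES:
        raise ValueError(f"unknown table {table!r}")
    sql = f"SELECT id, org_id, title FROM {table} WHERE org_id = ? AND ({where})"
    return conn.execute(sql, (principal.org_id, *params)).fetchall()


def scoped_update(conn, principal: Principal, table: str, title: str, where, params):
    """Write rows under the same scoping rule; zero affected rows means the
    target is outside the organisation (or absent), which is surfaced as a
    ScopeViolation so the API returns 404/403 rather than silently succeeding."""
    if table not in ALLOWED_TABLES:
        raise ValueError(f"unknown table {table!r}")
    sql = f"UPDATE {table} SET title = ? WHERE org_id = ? AND ({where})"
    cur = conn.execute(sql, (title, principal.org_id, *params))
    if cur.rowcount == 0:
        raise ScopeViolation("no rows in caller's organisation matched")
    return cur.rowcount


def unscoped_select(conn, where, params):
    """The anti-pattern: a raw filter with no organisation predicate, so a
    caller who knows another tenant's id can read that tenant's row."""
    return conn.execute(
        f"SELECT id, org_id, title FROM recordings WHERE {where}", params
    ).fetchall()


if __name__ == "__main__":
    db = setup_db()
    alice = Principal("u-1", "org-a")
    print(scoped_select(db, alice, "recordings"))
```

Because the organisation predicate lives in one helper, a missing tenant filter becomes a code-review and grep question ("does this handler call `scoped_select`?") instead of something each endpoint has to remember.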
Network and infrastructure
How the platform itself is hardened.
- Production environment isolated from development and staging at the network level
- Web Application Firewall in front of public endpoints
- Distributed denial-of-service mitigation provided by our cloud platform
- Private connectivity between internal services where supported by the cloud platform
- Secrets stored in a dedicated secrets manager — no hardcoded credentials in source code
- Hosted on Amazon Web Services, whose underlying infrastructure is independently certified to SOC 2 Type II and ISO 27001 (among others)
Logging and monitoring
What we record so we can detect and investigate issues.
- Application logs, audit logs, and infrastructure logs centralised and retained per our retention policy
- Audit log captures who did what, on which resource, with what payload, for privileged actions
- Automated alerting on anomalous access patterns and error spikes
- Time-synchronised logs across services to support forensic investigation
Software supply chain
How we keep the code and its dependencies safe.
- Dependency vulnerability scanning on every pull request
- Container and infrastructure-as-code scanning for known issues
- Signed and reviewed deployment artefacts; production deploys go through a controlled pipeline
- Periodic credential rotation
Backup and recovery
How we recover from data loss.
- Encrypted automated backups of operational databases
- Tested restoration of backups
- Documented recovery time and recovery point objectives per data class
Organisational measures
The policies and practices that surround the platform.
People
Practices applied to everyone with access to data.
- Background checks for staff who can access production data, to the extent permitted by local law
- Confidentiality agreements with all employees and contractors
- Annual security and privacy training
- Onboarding and offboarding checklists, including credential revocation
Vendor management
How we evaluate and oversee the vendors that touch data.
- Security and privacy assessment before onboarding a sub-processor
- Data processing terms (or equivalent) in place with every sub-processor that handles customer data
- Sub-processor list published and customers notified at least 30 days before changes — see the live list at /subprocessors
Governance
The internal practices that keep security and privacy in the product, not just on paper.
- Privacy review embedded into product design for new data flows
- Data Protection Impact Assessments for high-risk processing
- Named Grievance Officer responsible for privacy requests and complaints — see /grievance
- Incident response playbook with named on-call roles
Incident response
If we confirm a security incident that affects customer data, our commitments are:
- Notify affected customers within 24 to 48 hours of confirmation, so customers can meet their own regulatory obligations.
- Notify the relevant regulator within 72 hours (Data Protection Board of India under DPDP; the lead supervisory authority under GDPR), where required by law.
- Notify affected individuals in line with applicable law and our agreement with the controlling customer.
- Publish a post-incident summary once containment and remediation are complete.
Vulnerability disclosure
If you believe you have found a security issue in Zvani, we want to hear from you.
- Email security@zvaniai.com with a short description. We will acknowledge within two business days.
- Please do not publicly disclose details until we have had a reasonable opportunity to investigate and remediate.
- Please do not access data that is not your own, degrade service for other users, or extract more data than is necessary to demonstrate the issue.
- We do not currently run a paid bug bounty programme but we will acknowledge meaningful reports and credit reporters with their permission.
Certifications roadmap
Independent attestations we are working towards. Our underlying cloud infrastructure (Amazon Web Services) already holds SOC 2 Type II and ISO 27001 certification; the items below are Zvani’s own organisational attestations.
| Programme | Target | Notes |
|---|---|---|
| SOC 2 Type 1 attestation | 2027 | Independent review of security controls and operating effectiveness. |
| ISO 27001 certification | 2027 | International information security management standard. |
| Annual third-party penetration test | 2026 (first engagement) | Executive summary available on request under NDA. |
More detail
For the full Technical and Organisational Measures annex, pen-test executive summary, or to start a security questionnaire, contact security@zvaniai.com.