Compliance

Vouchstone maintains compliance with major security frameworks and regulations to meet enterprise requirements.

Certifications & Standards

Vouchstone is a California-based company. The frameworks below describe Vouchstone’s own compliance posture as a platform operator. Frameworks our engineers help customers achieve (SOX, HITRUST, PCI-DSS, ISO 27001, ISO 42001, and more) are covered separately under our Compliance Audit service.

SOC 2 Type 1

Type 1 audit in progress. Report available Q3 2026 under NDA. Controls cover security, availability, processing integrity, confidentiality, and privacy.

GDPR

Controls aligned with Articles 5, 25, 30, and 32. DPA, SCCs, and sub-processor list available on request. Data residency controls per engagement.

HIPAA

BAA available for Tier 2 / Tier 3 deployments processing PHI. Technical safeguards aligned with 45 CFR §164.312.

CCPA / CPRA

California Consumer Privacy Act rights honored for all California residents. Right to know, delete, correct, and opt-out (we do not sell personal information). Authorized-agent requests supported.

GDPR Compliance

Data Subject Rights

  • Right to Access - Export all personal data via API or dashboard
  • Right to Rectification - Update or correct personal data
  • Right to Erasure - Complete data deletion on request
  • Right to Portability - Export data in machine-readable format
  • Right to Restrict Processing - Pause data processing

Data Processing Agreement

Vouchstone provides a comprehensive DPA that covers:

  • Sub-processor list and notifications
  • Data transfer mechanisms (SCCs)
  • Security measures and breach notification
  • Audit rights and assistance obligations

Data Residency

Choose your data storage region:

Available Regions:
- US East (Virginia)
- US West (Oregon)
- EU (Frankfurt)
- EU (Ireland)
- Asia Pacific (Singapore)
- Asia Pacific (Sydney)

# Data never leaves your selected region

HIPAA Compliance

For healthcare organizations handling PHI:

  • Business Associate Agreement - BAA required before processing PHI
  • Technical Safeguards - Encryption, access controls, audit logs
  • Administrative Safeguards - Security policies, training, risk assessments
  • Physical Safeguards - Data center security certifications

PHI Handling Configuration

{
  "hipaa_mode": {
    "enabled": true,
    "phi_detection": "strict",
    "audit_all_access": true,
    "encryption": "aes-256-gcm",
    "key_rotation": "90_days",
    "session_timeout": "15_minutes",
    "mfa_required": true
  }
}
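A deployment that claims HIPAA mode should be checked before it goes live, not after an audit. The following is an added example (not Vouchstone's own code or tooling) that validates a hipaa_mode block against the posture shown above: it parses the configuration, rejects any value weaker than the strict settings, and reports each deviation. The field names come from the configuration above; the duration string format ("90_days", "15_minutes"), the accepted values and the thresholds are assumptions drawn from that example, and the weakened configuration is constructed for contrast.

```python
"""Pre-deployment check for a hipaa_mode configuration block.

Added example, not Vouchstone's own code. Field names follow the
configuration shown on the page; the allowed values, the duration format
and the thresholds (90 days, 15 minutes) are assumptions taken from it.
"""
import json
import re

# Constructed sample: the strict block from the page, and a weakened copy.
STRICT_CONFIG = """{
  "hipaa_mode": {
    "enabled": true,
    "phi_detection": "strict",
    "audit_all_access": true,
    "encryption": "aes-256-gcm",
    "key_rotation": "90_days",
    "session_timeout": "15_minutes",
    "mfa_required": true
  }
}"""

WEAK_CONFIG = """{
  "hipaa_mode": {
    "enabled": true,
    "phi_detection": "lenient",
    "audit_all_access": false,
    "encryption": "aes-128-cbc",
    "key_rotation": "365_days",
    "session_timeout": "8_hours",
    "mfa_required": false
  }
}"""

_UNITS = {"minutes": 60, "hours": 3600, "days": 86400}


def parse_duration(value: str) -> int:
    """Turn '90_days' / '15_minutes' into seconds (assumed '<n>_<unit>' format)."""
    m = re.fullmatch(r"(\d+)_(minutes|hours|days)", value or "")
    if not m:
        raise ValueError(f"unrecognised duration: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def check_hipaa_mode(raw_json: str) -> list:
    """Return a list of findings; an empty list means the block passes."""
    cfg = json.loads(raw_json).get("hipaa_mode", {})
    findings = []
    if cfg.get("enabled") is not True:
        findings.append("hipaa_mode.enabled must be true")
    if cfg.get("phi_detection") != "strict":
        findings.append("phi_detection should be 'strict'")
    if cfg.get("audit_all_access") is not True:
        # 45 CFR 164.312(b): audit controls for systems holding PHI
        findings.append("audit_all_access must be true")
    if cfg.get("encryption") != "aes-256-gcm":
        findings.append("encryption must be aes-256-gcm (authenticated encryption)")
    if cfg.get("mfa_required") is not True:
        findings.append("mfa_required must be true")
    # Duration fields: anything longer than the strict values is a finding,
    # and an unparseable value is reported rather than silently accepted.
    for field, limit in (("key_rotation", 90 * 86400), ("session_timeout", 15 * 60)):
        try:
            if parse_duration(cfg.get(field)) > limit:
                findings.append(f"{field} exceeds the strict limit")
        except ValueError as exc:
            findings.append(str(exc))
    return findings


if __name__ == "__main__":
    for name, cfg in (("strict", STRICT_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, check_hipaa_mode(cfg) or "OK")
```

Running the script prints an empty result for the strict block and six findings for the weakened one. The check deliberately treats an unparseable duration as a finding rather than skipping it, so a typo in the configuration cannot pass as compliant.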

CCPA / CPRA Compliance

For California residents (and applied uniformly to all consumers):

  • Right to Know — What personal information we collect, the sources, the purposes, and the categories of third parties we share it with.
  • Right to Delete — Request deletion of personal information we have collected, subject to legal-retention exceptions.
  • Right to Correct — Request correction of inaccurate personal information.
  • Right to Opt-Out of Sale / Sharing — Vouchstone does not sell personal information and does not share it for cross-context behavioral advertising.
  • Right to Limit Use of Sensitive Personal Information — Limit our use of SPI to what is necessary to provide the Services.
  • Right to Non-Discrimination — We will not deny Services, change prices, or reduce service quality based on a privacy-rights request.
  • Authorized Agent Requests — Permitted via written authorization plus identity verification.

To exercise these rights, email privacy@vouchstone.ai with subject “CCPA Request”. Verifiable requests are honored within 45 days (extendable to 90 days where permitted).

In the prior 12 months, Vouchstone has not sold or shared personal information of California residents. Categories of personal information we collect, retention periods, and disclosures are listed in the Privacy Policy.

SOC 2 Type 1 Controls

Trust Service Criteria

  • Security - Protection against unauthorized access
  • Availability - System availability per SLAs
  • Processing Integrity - Accurate and timely processing
  • Confidentiality - Protection of confidential information
  • Privacy - Collection and use of personal information

Key Controls

  • Background checks for all employees
  • Security awareness training
  • Vulnerability scanning and penetration testing
  • Incident response procedures
  • Change management processes
  • Vendor risk management

Audit Logging

Comprehensive audit logs for compliance reporting:

# Audit log entry example
{
  "timestamp": "2024-01-20T10:30:00Z",
  "event_type": "agent.message.created",
  "actor": {
    "user_id": "usr_abc123",
    "ip_address": "192.168.1.100",
    "user_agent": "Mozilla/5.0..."
  },
  "resource": {
    "type": "agent",
    "id": "agent_xyz789"
  },
  "action": "chat",
  "result": "success",
  "metadata": {
    "tokens_used": 245,
    "model": "claude-sonnet-4-6"
  }
}

# Export logs
curl https://api.vouchstone.ai/api/v1/audit-logs/export \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -d "start_date=2024-01-01&end_date=2024-01-31&format=json"
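Once the export is on disk, a reviewer needs more than raw entries: a count of events by type and outcome, plus a short list of things worth a second look. The following is an added example (not Vouchstone's own code) that reads an export in the record layout shown above, tallies events, and flags actors with non-success results or with more than one source IP in the window. The JSON-lines file layout, the constructed log lines, the event type names other than agent.message.created, and the one-IP-per-actor threshold are all assumptions.

```python
"""Summarise an exported audit log for a compliance review.

Added example, not Vouchstone's own code. The record layout follows the
audit log entry shown on the page; the export is assumed to be one JSON
object per line, and the sample lines below are constructed.
"""
import json
from collections import Counter, defaultdict

# Constructed sample export (five entries, two actors).
SAMPLE_EXPORT = """\
{"timestamp":"2024-01-20T10:30:00Z","event_type":"agent.message.created","actor":{"user_id":"usr_abc123","ip_address":"192.168.1.100","user_agent":"Mozilla/5.0..."},"resource":{"type":"agent","id":"agent_xyz789"},"action":"chat","result":"success","metadata":{"tokens_used":245,"model":"claude-sonnet-4-6"}}
{"timestamp":"2024-01-20T10:31:10Z","event_type":"agent.message.created","actor":{"user_id":"usr_abc123","ip_address":"192.168.1.100","user_agent":"Mozilla/5.0..."},"resource":{"type":"agent","id":"agent_xyz789"},"action":"chat","result":"success","metadata":{"tokens_used":120,"model":"claude-sonnet-4-6"}}
{"timestamp":"2024-01-20T10:32:45Z","event_type":"agent.config.updated","actor":{"user_id":"usr_def456","ip_address":"203.0.113.7","user_agent":"curl/8.4.0"},"resource":{"type":"agent","id":"agent_xyz789"},"action":"update","result":"denied","metadata":{}}
{"timestamp":"2024-01-20T10:33:02Z","event_type":"agent.config.updated","actor":{"user_id":"usr_def456","ip_address":"198.51.100.9","user_agent":"curl/8.4.0"},"resource":{"type":"agent","id":"agent_xyz789"},"action":"update","result":"denied","metadata":{}}
{"timestamp":"2024-01-20T10:34:00Z","event_type":"audit.export","actor":{"user_id":"usr_def456","ip_address":"198.51.100.9","user_agent":"curl/8.4.0"},"resource":{"type":"audit_log","id":"export_2024_01"},"action":"export","result":"success","metadata":{}}
"""


def parse_export(text: str):
    """Yield one dict per JSON line, skipping blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            # A corrupt line should not abort the whole report.
            continue


def summarise(text: str, max_ips_per_user: int = 1) -> dict:
    """Tally events by (event_type, result) and flag actors worth reviewing."""
    events = list(parse_export(text))
    by_type_result = Counter((e.get("event_type"), e.get("result")) for e in events)
    ips_by_user = defaultdict(set)
    non_success_by_user = Counter()
    for e in events:
        actor = e.get("actor", {})
        user = actor.get("user_id")
        ips_by_user[user].add(actor.get("ip_address"))
        if e.get("result") != "success":
            non_success_by_user[user] += 1
    findings = []
    for user, count in non_success_by_user.items():
        findings.append(f"{user}: {count} non-success result(s)")
    for user, ips in ips_by_user.items():
        if len(ips) > max_ips_per_user:
            findings.append(f"{user}: {len(ips)} distinct source IPs")
    return {
        "total": len(events),
        "by_type_result": dict(by_type_result),
        "findings": findings,
    }


if __name__ == "__main__":
    report = summarise(SAMPLE_EXPORT)
    print(json.dumps(report, indent=2, default=str))
```

On the constructed sample the report shows two successful chat messages, two denied configuration updates and one export, and lists usr_def456 twice: once for the denied results and once for using two source IPs. To run it against a real export, read the file returned by the curl command above in place of SAMPLE_EXPORT.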

Compliance Reports

Available upon request under NDA:

  • SOC 2 Type 1 Report (available Q3 2026; bridge letter on request)
  • Penetration Test Summary
  • Security Whitepaper
  • Data Processing Agreement (DPA)
  • Standard Contractual Clauses (SCCs) addendum
  • Business Associate Agreement (BAA)
  • CCPA / CPRA disclosure pack
  • Sub-processor list