Skip to content
VoiGu
Descargar la appDescargar
Legal

Security Policy

Last updated: May 8, 2026 · Effective: May 8, 2026

Security is built into the VoiGu platform from the ground up. Here's a transparent summary of how we protect your data — and how to report a problem if you find one.

Our commitment

VoiGu, Inc. is committed to protecting the confidentiality, integrity, and availability of the information you trust us with — including your account credentials, learning progress, voice recordings, and payment metadata. We take a defense-in-depth approach: layered controls across our application, infrastructure, and operations.

This Security Policy summarizes the measures we have in place. It is not an exhaustive technical specification, but it gives you a clear picture of how we work.

Encryption

  • In transit. All traffic between the VoiGu app or website and our servers is protected with TLS 1.2 or higher. Connections to legacy or insecure protocols are rejected. HSTS is enabled across our domains.
  • At rest. User data is encrypted at rest using AES-256, including databases, file storage, and backups. Keys are managed in Google Cloud KMS and rotated regularly.
  • Secrets management. Application secrets and API keys are stored in encrypted secret stores, never in source code.

Authentication

  • Firebase Authentication. Account sign-in is handled by Firebase Authentication, a managed identity service by Google with battle-tested protections against credential stuffing, enumeration, and replay.
  • Password storage. Passwords are never stored in plaintext. They are hashed with industry-standard algorithms (Scrypt) and salted per user.
  • Single sign-on. You can choose to sign in with Apple, Google, or Facebook. We never receive your password from these providers.
  • Multi-factor authentication. Available for VoiGu team accounts; coming to user accounts in 2026.
  • Session security. Sessions use short-lived tokens that automatically refresh, with secure, HTTP-only, SameSite cookies on the web.
  • Account recovery. Password resets require email verification. Suspicious sign-in attempts trigger a notification to the account email.

Voice & sensitive data

Voice recordings are sensitive data and we treat them accordingly.

  • On-device processing. Where possible, speech recognition and pronunciation scoring happen on your device. The audio never leaves your phone.
  • Server-side processing. When required (e.g., AI conversation), audio is streamed over an encrypted channel, processed in memory, and not retained by default.
  • Opt-in retention. If you opt in to share samples for model improvement, those samples are stored separately from your account, anonymized, and access-controlled.

Payments

VoiGu does not store credit card numbers, CVVs, or full billing addresses.

  • Mobile subscriptions are processed by Apple and Google. Their systems are PCI DSS compliant.
  • Web purchases (where available) are processed by Stripe, a Level 1 PCI Service Provider. Card data is tokenized at entry and never touches our servers.
  • We receive only a transaction identifier and the subscription tier you purchased.

Infrastructure

  • Cloud provider. Production workloads run on Google Cloud Platform, which is ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, SOC 3, PCI DSS, and HIPAA-eligible certified.
  • Regions.Data is hosted in regions chosen for performance and regulatory fit. EU users' primary data is replicated within EU regions.
  • Network isolation. Production systems run in private VPCs with strict ingress/egress controls and network-layer firewalls.
  • Backups & resilience. Databases are backed up daily with point-in-time recovery for the last 30 days. Backups are encrypted and access-controlled.
  • DDoS protection. Traffic is filtered through Google Cloud Armor and CDN edge protections.

Access controls

  • Least privilege. Engineers receive the minimum access needed to do their job. Production access is logged and reviewed quarterly.
  • Mandatory MFA. All VoiGu employees use hardware-backed multi-factor authentication for production systems.
  • Single Sign-On. Internal tools are gated behind SSO with conditional access policies.
  • Background checks. Engineers with production access undergo background checks where permitted by law.
  • Offboarding. Access is revoked within 24 hours of role change or departure.

Monitoring & incident response

  • Continuous monitoring. Application logs, authentication events, and infrastructure metrics are streamed to a centralized SIEM with 24/7 alerting.
  • Vulnerability scanning. Continuous dependency and container scanning, with automatic patching for critical vulnerabilities.
  • Penetration testing. External penetration tests are conducted at least annually by an independent third-party firm.
  • Incident response plan. We maintain a documented plan covering detection, containment, eradication, recovery, and post-incident review.
  • Breach notification. If a security incident affects your personal information, we will notify you and the relevant authorities as required by applicable law.

Compliance & certifications

VoiGu's practices are designed to align with:

  • The EU General Data Protection Regulation (GDPR)
  • The UK General Data Protection Regulation (UK GDPR)
  • The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA)
  • The Children's Online Privacy Protection Act (COPPA), where applicable
  • Apple App Store and Google Play security guidelines

We are pursuing SOC 2 Type II certification; additional reports will be made available to enterprise customers under NDA on request.

Your role in keeping VoiGu secure

  • Choose a strong, unique password and never share it. Consider a password manager.
  • Keep your operating system, browser, and the VoiGu app up to date.
  • Sign out of public or shared devices when you're done.
  • Be alert to phishing — VoiGu will never ask for your password by email, SMS, or DM.
  • Report anything suspicious to security@voigu.com.

Reporting a security issue

If you believe you've found a security vulnerability, please let us know promptly and privately.

  • Email: security@voigu.com
  • Encrypt sensitive disclosures with our PGP key, fingerprint 4E2A 9C71 2B14 8F03 2F4E AA0B 1C24 9D78 6A5B 0F81 (key published at /.well-known/pgp.txt).
  • Please include reproduction steps, affected URLs or app versions, and the impact you observed.

Vulnerability disclosure program

VoiGu welcomes good-faith security research. We will:

  • Acknowledge your report within two business days.
  • Provide a status update within seven business days.
  • Work with you to confirm and resolve the issue, and publicly credit you (with your consent).
  • Not pursue legal action against researchers who follow our guidelines: stay within scope, avoid privacy violations and service degradation, and give us a reasonable time to fix before disclosure.

Bounty rewards may be available for qualifying reports. See our disclosure guidelines for scope and details.

Changes to this policy

We may update this Security Policy as our practices evolve. The “Last updated” date at the top reflects the most recent revision. For the broader privacy picture, see our Privacy Policy.

Questions?

Email us at hello@voigu.com or visit our Help Center. We aim to respond within two business days.