Security at Verc

Security and privacy at Verc

Security is at the core of everything we build. As a platform that processes sensitive call data and conversations, protecting our customers' information is our highest priority.

Last updated: February 2026

Governance

We establish security policies and controls, monitor compliance, and demonstrate our security posture to customers and auditors.

Our policies are based on the following foundational principles:

01. Access should be limited to only those with a legitimate business need and granted based on the principle of least privilege.

02. Security controls should be implemented and layered according to the principle of defense-in-depth.

03. Security controls should be applied consistently across all areas of the platform and organization.

04. The implementation of controls should be iterative, continuously maturing across the dimensions of improved effectiveness and increased auditability.

Compliance Roadmap

We are building our security program toward industry-recognized certifications. The following frameworks are on our compliance roadmap:

SOC 2, ISO 27001, HIPAA, GDPR

Data protection

Data at rest
All customer data, including call recordings, transcripts, and analytics, is encrypted at rest using AES-256 encryption. Database storage is encrypted at the volume level with keys managed through Google Cloud KMS. Sensitive fields are protected with additional application-level encryption.

Infrastructure security

We run on Google Cloud Platform with enterprise-grade infrastructure, physical security, and network isolation.

Cloud-native architecture
Our platform runs on Google Cloud Run with fully managed containerized services. This provides automatic scaling and built-in DDoS protection, and eliminates the need to manage underlying server infrastructure. Each deployment is immutable and reproducible.
Network isolation
Services are deployed within private networks with strict firewall rules. Database access is restricted through Cloud SQL Proxy with IAM-based authentication. Only authorized services can communicate with the database, and all connections are encrypted.
Secure storage
Audio files and call recordings are stored in Google Cloud Storage with server-side encryption, versioning, and access logging. Storage buckets are configured with uniform bucket-level access control, and all access is authenticated through service account credentials.

Product security

Tenant isolation

Verc implements database-level row-level security (RLS) to enforce strict tenant isolation. Every database query is automatically scoped to the authenticated tenant's organization. This means customer data is isolated at the database layer, not just the application layer, providing defense-in-depth against data leakage.

Our middleware pipeline sets the tenant context on every request, and PostgreSQL RLS policies enforce isolation regardless of application logic. This architectural approach ensures that even in the event of an application-level vulnerability, cross-tenant data access is prevented by the database itself.
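
The pattern described above (per-request tenant context plus PostgreSQL RLS policies) can be sketched as follows. This is an added example, not Verc's own schema or code: the table, column, role, and setting names (calls, org_id, app_rw, app.current_org) and the sample rows are assumptions constructed for illustration. It is meant to be run by a privileged user in a scratch database.

```sql
-- Added example; calls, org_id, app_rw and app.current_org are assumed names.
CREATE ROLE app_rw NOLOGIN;              -- non-owner role without BYPASSRLS

CREATE TABLE calls (
    id         integer PRIMARY KEY,
    org_id     uuid NOT NULL,
    transcript text
);
GRANT SELECT, INSERT, UPDATE, DELETE ON calls TO app_rw;

-- Constructed sample rows for two tenants, loaded before RLS is switched on.
INSERT INTO calls VALUES
    (1, '11111111-1111-1111-1111-111111111111', 'tenant A call'),
    (2, '22222222-2222-2222-2222-222222222222', 'tenant B call');

ALTER TABLE calls ENABLE ROW LEVEL SECURITY;
ALTER TABLE calls FORCE ROW LEVEL SECURITY;   -- the table owner is filtered too

-- An unset or empty setting becomes NULL, so the predicate matches no rows.
CREATE POLICY tenant_isolation ON calls
    USING      (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid);

-- What request middleware would issue. The third argument (true) makes the
-- setting transaction-local, so it cannot carry over to the next request
-- served on a pooled connection.
BEGIN;
SET LOCAL ROLE app_rw;
SELECT set_config('app.current_org', '11111111-1111-1111-1111-111111111111', true);
SELECT id, transcript FROM calls;                 -- tenant B's row is filtered out
UPDATE calls SET transcript = 'x' WHERE id = 2;   -- cannot reach tenant B's row
ROLLBACK;

-- No tenant context set: the policy fails closed for reads and writes.
BEGIN;
SET LOCAL ROLE app_rw;
SELECT count(*) FROM calls;                       -- nothing is visible
-- WITH CHECK rejects this row with a row-level security policy violation.
INSERT INTO calls VALUES (3, '22222222-2222-2222-2222-222222222222', 'forged');
ROLLBACK;
```

Superusers and roles with the BYPASSRLS attribute are not subject to these policies, so the isolation only holds when the application connects as a role like the unprivileged one sketched here.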

Vulnerability management

We employ multiple layers of security testing throughout our development lifecycle:

Authentication & authorization
Authentication is handled through secure JSON Web Tokens (JWT) with short-lived access tokens and automatic refresh rotation. Tokens are stored in memory, not in localStorage or cookies, to minimize exposure to XSS attacks. Role-based access control (RBAC) ensures users only access resources appropriate to their role.
Secure development
All code changes undergo mandatory peer review with security considerations as a primary review criterion. Our CI/CD pipeline enforces type checking, linting, and automated tests before any code reaches production. Branch protection rules prevent direct pushes to production branches.
API security
All API endpoints are protected by authentication and authorization middleware. Rate limiting is applied per-endpoint (for example, authentication endpoints are limited to 10 requests per minute). Input validation is enforced at the API boundary using Django REST Framework serializers.

Enterprise security

Access control
Access to production systems is restricted to authorized personnel only and requires multi-factor authentication. Employee access is provisioned based on the principle of least privilege using role-based access control (viewer, user, admin, superuser). Access is revoked immediately upon role change or offboarding.
Incident response
We maintain a documented incident response plan with defined severity levels, escalation procedures, communication protocols, and post-incident reviews. We respond rapidly to security events with clear ownership and accountability.
Security education
All team members receive security awareness training covering secure coding practices, phishing awareness, data handling procedures, and incident reporting. Engineering team members receive additional training on common vulnerabilities and secure development patterns.
Vendor security
Verc uses a risk-based approach to vendor security. All third-party vendors with access to customer data undergo security review. Factors that influence vendor risk assessment include:

Vendor security assessments are reviewed annually or when significant changes occur in the vendor relationship.

AI & data processing

As an AI-powered call analytics platform, we take special care to ensure responsible and secure processing of sensitive conversation data.

PII protection
Personally identifiable information (PII) such as names, phone numbers, and transcript content is never included in application logs. Our logging framework is designed to capture operational metrics using anonymized identifiers while excluding any sensitive customer data.
AI model governance
AI-generated outputs (analysis, scoring, summaries) are treated as probabilistic and validated before persistence. All AI results include model provenance tracking, linking each output to the specific model version and input data that produced it.
Transcript security
Call transcriptions are processed using dedicated GPU infrastructure with no data persistence on processing nodes. Audio files are securely transferred and transcribed, and the processing environment is ephemeral. Transcripts are stored encrypted, and access is controlled through the same tenant isolation mechanisms.

Data privacy

At Verc, data privacy is a fundamental commitment. We build privacy controls into our platform by design and maintain transparency with our customers about how their data is handled.

Data minimization

We only collect and process data that is necessary for providing our services. Customer data is retained only for the duration required by the service agreement, and deletion mechanisms are available to customers.

Regulatory compliance

Verc's security program is designed to meet requirements across multiple regulatory frameworks. We continuously evaluate updates to regulatory and emerging frameworks to evolve our compliance program accordingly.

Transparency & documentation

We maintain clear documentation of our data processing activities, privacy policies, and data protection agreements. Customers can request details about how their data is handled at any time.