Last updated: {{TODAY_DATE_IST}} • Version: {{COMPLIANCE_DOC_VERSION}}

Compliance & Trust

How Viantrix aligns to global security, privacy, and telecom regulations—certifications, attestations, controls, and evidence to help you ship with confidence.

1. Overview

This page summarizes the Viantrix compliance posture across our Platform, Console, APIs, SDKs, Telephony (PSTN/SIP), webhooks, and integrations. It is designed to help customers evaluate controls, certifications, and evidence relevant to their obligations.

This summary is informational. For legally binding commitments, see your Agreement and the Data Processing Addendum (DPA).
  • Jurisdiction overlays: EU/UK GDPR, India DPDP 2023, US CCPA/CPRA.
  • Telecom rules: TRAI/DLT (India), TCPA/TSR (US), EU ePrivacy.

2. Certifications & Attestations

Framework/Standard | Status | Scope | Evidence | Owner | Review Cycle
SOC 2 Type II | {{SOC2_STATUS}} | Platform & Ops | Request via Trust Portal | Security | Annual
ISO/IEC 27001 | {{ISO27001_STATUS}} | ISMS | Statement of Applicability (SoA) | Security | Annual
HIPAA (BAA) | {{HIPAA_POSTURE}} | HIPAA-Eligible Architecture | Request BAA | Compliance | Annual
PCI DSS (relevance) | {{PCI_RELEVANCE}} | 3rd-party card flows | Third-party AoC | Finance | Annual
Placeholders shown; contact us for current evidence and scope confirmation.

3. Security Controls Summary

  • Encryption in transit/at rest; tenant isolation; RBAC and least-privilege access.
  • Key management and secrets hygiene; hardened baselines; dependency scanning.
  • SAST/DAST; vulnerability SLAs and remediation tracking.
Control | Description | Owner | Evidence | Frequency
ENCR-AT-REST | Managed keys, CMK rotation; storage-level encryption enforced. | Security | KMS policy, rotation logs | Quarterly
RBAC-MIN-PRIV | Role-based access with least-privilege, periodic access reviews. | Security | Access review reports | Quarterly
VULN-MGMT | CVSS-based SLA for remediation; automated scanning and ticketing. | Security | Scan reports, JIRA links | Monthly
control-record.json
{
  "controlId": "ENCR-AT-REST",
  "frameworks": ["ISO27001:A.8", "SOC2:CC6.1"],
  "owner": "Security",
  "evidence": "KMS policy, CMK rotation logs",
  "review": "Quarterly"
}

4. Privacy & Data Protection

See our Privacy Policy for lawful bases, DPIA guidance, retention, data subject rights, and Global Privacy Control (GPC) handling where required.

Data Type | Basis | Region Limitations | Retention
Account & Billing | Contract; Legal obligation | Per legal requirements | Contract term + statutory
Voice & Transcripts | Consent; Contract | {{RESIDENCY_OPTIONS}} | Customer-configurable
Telemetry & Logs | Legitimate interests | Regionalized where offered | {{RETENTION_LOGS}}

5. Data Residency & Sovereignty

Project-level regional hosting (e.g., India/EU/US) may be available at the tenant level: {{RESIDENCY_OPTIONS}}. Telephony routing may transiently traverse other regions due to carrier interconnects; transfers are protected by SCCs/UK IDTA/adequacy where applicable.

Workload | Region | Residency Notes | Transfer Mechanism
Core services | India/EU/US | Regional deployment per tenant | SCCs/IDTA/Adequacy
Telephony metadata | Multi-region | Carrier interconnect may cross-border | Carrier agreements
Analytics | Per tenant choice | Aggregation/anonymization controls | SCCs/IDTA

6. Telephony & Communications Compliance

  • India (TRAI/DLT): Header/template registration, consent capture, opt-out logging.
  • US (TCPA/TSR): Prior express consent for marketing; internal & national DNC compliance.
  • EU ePrivacy: Consent for non-essential communications; transparency requirements.
  • Caller ID Branding: Best-effort; carrier/device dependent; customer must use lawfully.
  • Voicemail Detection: Probabilistic; confirm outcomes before automated actions.

7. AI Governance & Model Risk

  • Model purpose limits; input/output logging; optional redaction; fairness checks where applicable.
  • Human-in-the-loop for high-risk workflows.
  • Model improvement policy: {{MODEL_IMPROVEMENT_POLICY}}.
  • Training on customer inputs: {{TRAINING_ON_CUSTOMER_INPUTS}}.
AI outputs are probabilistic and may be incorrect. Add human review for high-stakes workflows.

8. Subprocessors & Vendor Risk

Vendors undergo security and privacy reviews, DPAs, and (where applicable) SCCs/IDTA. You control optional integrations you enable.

Vendor | Purpose | Data Categories | Hosting Region | Safeguards | DPA/Link
ExampleCloud | Compute & storage | Accounts, logs, audio/transcripts (encrypted) | {{RESIDENCY_OPTIONS}} | SCCs/IDTA | Link
ExampleSTT/TTS | Speech processing | Audio snippets, transcripts, metadata | {{RESIDENCY_OPTIONS}} | Processor terms | Link
ExampleTelecom | PSTN/SIP connectivity | CDRs, routing metadata | Multi-region | Carrier agreements | Link
A live subprocessor registry is maintained in the Console; material changes are notified.

9. Vulnerability Management & Pen Testing

  • Automated scanning cadence; CVSS-based SLAs; remediation tracking with ticketing.
  • Independent penetration tests on a periodic basis.
  • Coordinated vulnerability disclosure policy.
security.txt
Contact: mailto:{{SECURITY_EMAIL}}
Policy: {{DISCLOSURE_POLICY_URL}}
Encryption: {{PGP_KEY_URL}}
Preferred-Languages: en

10. Incident Response & Reporting

  • 24×7 on-call; triage severities; customer notifications per law/contract.
  • Root-cause analysis and corrective actions; evidence retention policies.
Severity | Example | Initial Response | Customer Notice | SLA
SEV-1 | Widespread outage or suspected breach | < 15 min | As required by law/contract | Immediate
SEV-2 | Degradation with security impact | < 30 min | Case-by-case | 4 hours
SEV-3 | Isolated service impact | < 60 min | As appropriate | Next business day

11. Access Control & Identity

  • SSO/MFA support; least-privilege; approvals for elevated access.
  • JIT and break-glass procedures; periodic access reviews.

12. Logging, Monitoring & Audit

  • Centralized logs with retention controls and alerting thresholds.
  • Audit trails for administrative and data access.
  • Customer exports: {{LOG_EXPORT_OPTIONS}}.

13. Employee & Physical Security

  • Background checks where lawful; mandatory security training cadence.
  • Need-to-know access to production data; secure device posture.
  • Facilities access controls for applicable locations.

14. Compliance Artifacts & Downloads

Document | Version | Owner | Access | Download / Request
DPA (Data Processing Addendum) | {{DPA_VERSION}} | Legal | Sign via Console | Get DPA
SCCs / UK IDTA | {{XFER_INSTR_VERSION}} | Legal | Request | Request Pack
Pen Test Summary | {{PEN_TEST_VERSION}} | Security | On NDA | Request
Subprocessor List | Live | Security | Public | View
SOC 2 Report | {{SOC2_REPORT_YEAR}} | Security | NDA | Request

15. FAQs

{{BAA_POLICY}}
{{PCI_POSITION}}
Use the DSAR options on our Privacy page.
{{TRAINING_ON_CUSTOMER_INPUTS}}
{{RESIDENCY_SUPPORT}}

16. Change Log

{{TODAY_DATE_IST}}
Initial
  • Initial publication of Compliance page (v{{COMPLIANCE_DOC_VERSION}}).

17. Contact & DPO / Grievance Officer

Security: {{SECURITY_EMAIL}}
Privacy / DPO / Grievance (India): {{PRIVACY_EMAIL}}
Address: {{REGISTERED_ADDRESS}}
Status page: {{STATUS_PAGE_URL}}

This page is a template and may require jurisdiction-specific legal review. Nothing here is legal advice.