Last updated: August 17, 2025 (IST) • Version: 1.0

Security at Viantrix

A layered, defense-in-depth approach across infrastructure, application, data, and operations—so your voice, telephony, and AI workloads stay protected.

1. Security Overview & Principles

Viantrix follows a security-by-design philosophy: minimize data, isolate tenants, encrypt broadly, authenticate strongly, and monitor continuously. Our controls are mapped to industry frameworks to support enterprise risk and compliance requirements.

  • Defense in depth: Controls layered across data, app, infra, and people.
  • Least privilege: Just-in-time access; role scoping; audited actions.
  • Secure defaults: TLS 1.2+ enforced; at-rest encryption enabled; logging on.
  • Customer control: Per-tenant retention, redaction, residency, and integrations.

2. Architecture & Tenant Isolation

| Control Area | Default | Description |
|---|---|---|
| Tenant Isolation | Logical isolation | Per-tenant namespaces and scoped credentials; optional dedicated VPC on request (Enterprise). |
| Secrets | KMS-managed | Secrets stored in cloud KMS/HSM-backed managers; rotated and access-controlled via IAM. |
| Supply Chain | SBOM tracked | Dependency scanning with CI gates; provenance captured; container image signing. |
| Environments | Strict separation | Prod/stage/test networks and accounts segregated; no test data in prod and vice versa. |

3. Data Protection (Encryption & Keys)

| Aspect | Default | Notes |
|---|---|---|
| In Transit | TLS 1.2+ (1.3 preferred) | Strict HTTPS; modern ciphers; HSTS on managed domains. |
| At Rest | AES-256 | Platform-managed encryption for databases, object storage, and backups. |
| Key Mgmt | Cloud KMS | Keys rotated per policy; customer-managed keys (CMK) available on Enterprise tiers. |
| PII Redaction | Optional | Transcript masking and selective field redaction configurable per project. |
| Retention | Configurable | Per-data-type retention windows; override in Console; align with Privacy policy. |

tls-policy.txt
TLS 1.2 or higher required; TLS 1.3 preferred. Weak ciphers disabled. HSTS enabled for managed domains.

4. Identity & Access Management (IAM)

  • SSO/SAML/OIDC: Enterprise SSO supported. SCIM user provisioning available.
  • MFA: MFA enforced for privileged roles; support for WebAuthn/TOTP.
  • RBAC: Fine-grained roles for admin, developer, analyst, billing.
  • API Auth: Scoped tokens and per-tenant keys; rotate from Console/CLI.
  • Audit Trails: Critical actions logged (auth, token ops, config changes).

5. Application Security (SDLC)

Secure SDLC with mandatory code review, automated tests, SAST/DAST, and pre-deploy checks.
  • Branch protections, signed commits, and CI gates for secrets and dependency risk.
  • Runtime controls: rate limiting, input validation, object-level access checks.
  • Multi-tenant safety and prompt-injection mitigations for LLM features.

6. Network & Infrastructure Security

| Control | Status | Details |
|---|---|---|
| Perimeter | WAF & CDN | Managed WAF, TLS termination, bot filtering, DDoS absorption. |
| Segmentation | VPC + SG | Strict SG/NSG rules; private subnets for data planes; admin planes isolated. |
| Patching | Automated | OS and managed services patched per vendor SLAs; images rebuilt regularly. |
| Endpoints | Hardened | Minimal packages, read-only FS where possible, reduced attack surface. |

7. Observability, Logging & Threat Detection

  • Centralized logs with retention; immutable archives for forensics.
  • Metrics and traces with SLOs and alerting; on-call rotations 24×7 for production.
  • Automated anomaly alerts (auth spikes, error bursts, unusual egress) with runbooks.

8. Backups, Disaster Recovery & Business Continuity

| Item | Default | Notes |
|---|---|---|
| Backups | Daily + PITR | Encrypted; restore tests performed periodically; object versioning enabled. |
| Retention | 35 days | Adjustable per tenant for certain data types. |
| RPO / RTO | ≤ 15m / ≤ 4h | Targets under typical failure scenarios; may vary by region/tier. |
| Regional Redundancy | Multi-AZ | Multi-zone HA; optional multi-region DR for Enterprise. |

9. Vulnerability Management & Testing

  • Continuous scanning (images, hosts, dependencies); CVEs triaged with severity SLAs.
  • Periodic third-party penetration tests; executive summary available under NDA.
  • Coordinated vulnerability disclosure via security@viantrix.com (PGP key available).

10. Compliance & Privacy Alignment

| Framework | Status | Notes |
|---|---|---|
| SOC 2 Type II | Planned/Available* | Report availability under NDA where completed. Scope: Security/Availability/Confidentiality. |
| ISO/IEC 27001 | Planned/Available* | ISMS aligned controls; certificate provided upon request where applicable. |
| GDPR / DPDP / CCPA | Aligned | See Privacy Policy for roles, rights, transfers, and retention controls. |
| HIPAA (BAA) | Enterprise | Available for eligible deployments and features; contact sales/security. |

*Exact status depends on product scope and region; contact security@viantrix.com.

11. Data Residency & Telephony Routing

Project-level regional hosting (e.g., India/EU/US) may be available. Telephony traffic can traverse interconnects outside the hosting region due to carrier routing. Residency choices influence storage and processing locations for voice audio, transcripts, CDRs, and logs.

12. Incident Response

ir-playbook.md
1) Detect & Triage → 2) Contain → 3) Eradicate → 4) Recover → 5) Notify (per law/contract) → 6) Postmortem & Hardening.

Customers are notified of material incidents per contractual SLAs and applicable law. Post-incident reports are shared under NDA where appropriate.

13. Shared Responsibility (Your Part)

  • Enforce SSO/MFA and least-privilege roles for your admins and developers.
  • Rotate API keys, control webhook destinations, and validate third-party integrations.
  • Configure retention/redaction per policy; obtain consent for recordings where required.
  • Use IP allowlists, tenant-specific restrictions, and network ACLs if enabled.

14. Status, Uptime & SLA

| Service | Target SLA | Notes |
|---|---|---|
| Core API & Console | 99.95% | Monthly measured; maintenance windows announced on Status page. |
| Telephony Gateway | Carrier-grade | Multi-zone; dependent on upstream carriers and regional regulations. |

Live status: https://status.viantrix.com

15. Contact & Vulnerability Reporting

Security team: security@viantrix.com
PGP: Download key (fingerprint posted on status page).
Responsible disclosure appreciated. Private bug bounty available for invited researchers.

Appendix — Cipher Examples & Allowlist

A. TLS Cipher Examples

| TLS Version | Preferred Ciphers |
|---|---|
| TLS 1.3 | TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256 |
| TLS 1.2 | ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384 |
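
An added example, not Viantrix code: a Python client-side check that pins outbound connections to TLS 1.2+ and the suites in the table above, then flags any negotiated pair that falls outside them. Treating the "preferred" list as a strict allowlist is an assumption made for this example, and the sample results are constructed.

```python
import ssl

# Suite names copied from the appendix table above (OpenSSL naming for TLS 1.2).
TLS13_SUITES = {
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
}
TLS12_SUITES = ("ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384")


def build_client_context():
    """Client context that refuses anything below TLS 1.2 or off the TLS 1.2 list."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # set_ciphers() only governs TLS 1.2 and below; TLS 1.3 suites are left
    # at the library default and are checked after the handshake instead.
    ctx.set_ciphers(":".join(TLS12_SUITES))
    return ctx


def check_negotiated(version, cipher):
    """Judge a negotiated pair, e.g. SSLSocket.version() and SSLSocket.cipher()[0]."""
    allowed = {"TLSv1.3": TLS13_SUITES, "TLSv1.2": set(TLS12_SUITES)}.get(version)
    if allowed is None:
        return False, f"{version} is below the TLS 1.2 minimum"
    if cipher not in allowed:
        return False, f"{cipher} is not on the {version} list"
    return True, "ok"


# Constructed sample results (assumption: not captured from any real endpoint).
SAMPLES = [
    ("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    ("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384"),
    ("TLSv1.2", "ECDHE-RSA-AES128-SHA"),
    ("TLSv1.1", "AES256-SHA"),
]


def audit(samples):
    """Return only the failing samples, each with the reason it failed."""
    return [(v, c, why) for v, c in samples
            for ok, why in [check_negotiated(v, c)] if not ok]


if __name__ == "__main__":
    for row in audit(SAMPLES):
        print(row)
```

Pass the context from build_client_context() to ssl.SSLContext.wrap_socket() or an HTTP client, then feed the live socket's version() and cipher()[0] into check_negotiated().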

B. IPs & Ports

Egress IPs and port requirements vary by region and carrier. The authoritative list is maintained on the Status/Networking page.

allowlist-example.txt
Allow https(443) to *.viantrix.com and region endpoints; SIP/TLS and RTP ports as per carrier interop guide.

Change Log

2025-08-17
Initial
  • Initial publication of Security Overview (v1.0).

This security overview is informational and may be adjusted per deployment. For attestations and signed docs, contact our security team.