Security, compliance, data handling. One page for procurement to read.
Coordinated disclosure · 24h triage on Sev-1 · Bug bounty by invitation
Security posture
Six controls applied by default to every server.
Hardened-by-default deployment
Every server boots with TLS, no default passwords, ufw firewall configured, fail2ban active, SSH key-only access. The PHP / MySQL stack runs as non-root with file-permission guardrails. No "we will harden it later" — the bake is hardened.
No shared credentials
Customer servers are physically isolated VPS instances. No multi-tenant DB, no shared cache. Admin access keys are rotated per-tenant; access is logged + retrievable. We never have or store your VICIdial admin password.
TLS A+ with HSTS
Per-customer Let's Encrypt cert via DNS-01 challenge. HSTS with includeSubDomains + preload set. TLS 1.2+ only. Auto-renewal 30 days before expiry; failures page the on-call.
RBAC + audit trail
Sub-users with operator / viewer / billing roles. WebAuthn for owners. Every server action (provision, suspend, resize, terminate, firewall rule change, sub-user invite) writes an AuditLog row with actor + timestamp + IP. Audit log is append-only.
Encryption at rest
Hetzner Cloud volumes encrypted at rest (AES-256). Object storage (recording backups, logos, snapshots) encrypted at rest. PostgreSQL platform DB encrypted. Recording files on customer boxes encrypted via dm-crypt where the customer opts in.
Data residency you choose
Pick the region at provision time. Your data never leaves it without your explicit action. Cross-region replication is opt-in per-customer. Sub-processor list published at /sub-processors with notice on changes.
Compliance
Where we are. Honestly.
We are not going to claim certifications we do not hold. Here is the current state — including what is in progress.
GDPR
Compliant. Data processing agreement (DPA) published. Sub-processor list maintained. EU customers can request their data residency in EU regions only. Right-to-deletion via /admin/data-purge after legal retention window.
TCPA-aware
Operational. Per-trunk Blacklist Alliance scrubbing baked into the platform. Pre-dial AGI hook fails closed by default. Recording retention configurable per-list. We are not lawyers, but the operational controls for TCPA-compliant dialing are first-class.
HIPAA-aware
On enterprise. Standard plans do not sign BAAs. Enterprise contracts include HIPAA-aware deployment guidance + the platform controls needed (audit log retention, encryption, access reviews). PHI-handling reseller customers should engage via /enterprise.
SOC 2
Planned. On the roadmap; audit has not begun. Pre-audit, we operate against the AICPA Trust Services Criteria — change management, access reviews, incident response, monitoring all in place — but we will not claim a report we do not hold. Enterprise customers asking for SOC 2 evidence today should engage via /enterprise; we will document the operational controls in detail under NDA.
Data retention
How long we keep what.
Recordings
Customer-controlled retention via list-level recording_retention. Default 7 days on standard plans; configurable up to forever on platform-managed backup or your own S3.
Audit logs
Append-only. 7 years on platform side; queryable from /admin/audit. The customer-visible audit log in the dashboard retains 90 days of history; full history available on request.
Billing records
7 years retention (US + EU statutory). Stripe / PayPal records replicated into our platform DB via webhook. Customer-visible from /dashboard/billing.
Account data
30 days post-termination grace period for restoration. After grace, hard-delete from primary DB; backups roll off at 90 days. Per-customer purge available on request via /admin/data-purge.
Policies + documents
Everything else lives at its own URL.
Found something? Tell us first.
Coordinated disclosure. 24-hour triage on Sev-1 issues. We do not threaten security researchers acting in good faith.
Email support@vicifast.com