Security & Compliance
Voxco is committed to protecting and respecting your privacy. When you visit our website, use our products and services, or interact with Voxco, we may collect and process information about you (‘personal data’). Our goal is to provide a secure environment while also being mindful of application performance and the overall user experience.
Secured Data Collection
Voxco clients use our software to gather survey answers from individuals. Our team takes additional proactive measures to ensure a secure infrastructure environment.
All of our products are provided through a self-service platform, whereby our clients decide what data to collect, how to manage the data, and which of their system users should have access to it.
In this regard, our clients, who own and control the data they collect, are the Data Controllers. At the same time, Voxco is the Data Processor (we only process personal data based on direct and specific instructions from our clients).
If you participated in a web or mobile survey from one of our clients, the survey footer might state ‘powered by Voxco,’ and the data may be hosted on a Voxco-provided server environment.
Furthermore, Voxco may aggregate and/or compile anonymous data for statistical purposes. This information could be collected from forms on our website or clients’ websites.
Voxco Insights complies with General Data Protection Regulation (GDPR), and our survey software users can create and send GDPR-compliant data collection surveys. To aid this process, we have established a sophisticated process to ensure all data being collected using our platform is fully GDPR compliant, including data portability, data protection, consent, and other compliance features.
Voxco Insights has received the Service Organization Controls (SOC 2) audit certification. Our platform has undergone periodic SOC 2 audits and is monitored for unauthorized access and service availability twenty-four hours a day.
The audits are conducted by an independent accounting firm and thus signify that the data center security and operational procedures have been reviewed and tested by third-party. It validates that the controls and processes have been designed appropriately and are operating effectively, in addition to protecting and safeguarding customer’s equipment and data.
Purpose & Scope
This document defines the procedures & internal controls related to Voxco’s platform. The system components required to support the Survey platform services include infrastructure, software, people, procedures, and data described as follows:
Voxco leverages several hosting providers to manage the infrastructure. These include:
Microsoft Azure- Europe
- Virtual Networks
- Virtual Machines (Windows server)
- MS SQL- database store, backups
RapidScale- United States, IBM- Canada, NTT (data dimension)- Asia Pacific
- Microsoft Windows- Virtual machines
- MS SQL- database store, backups
Voxco leverages world-class third-party applications, services, and platforms to support its secure development and delivery of services:
Voxco staff in the following key functional areas support the scope of services and controls described in this report:
Board of Directors: A board charter outlines the roles and responsibilities of the board.
With independent members with diverse expertise and significant industry experience, the board has the independence and expertise required to provide its oversight of risk and internal controls and steer the organization toward a sustainable future through sound governance. The board of directors meets quarterly.
- Senior leadership: A cross-functional senior management team responsible for overseeing company-wide activities, establishing and accomplishing goals, overseeing objectives, ensuring resources are effectively applied to meet objectives, and incorporating risk management into decision-making.
- Finance, human resources: Responsible for accounting, financial, and human resource management.
- Sales, lead generation: Responsible for inbound and outbound lead generation and sales.
R&D, customer services, IT, and security: responsible for the development and the day-to-day operations and security of Voxco’s Survey Platform and services, including changes in accordance with Voxco’s change management policy and appropriate communications with customers.
- Product: Responsible for roadmap planning for the survey platform.
Voxco has an acting CISO responsible for overseeing, implementing, maintaining, communicating, and assessing security policies, standards, and controls.
The acting CISO works with a cross-functional Voxco team and external security resources.
Policies and procedures
Voxco maintains a set of information security policies that detail logical access, change management, incident management, vulnerability and endpoint security, risk management, data communication standards, and expectations of employees. Employees must acknowledge their understanding and adherence to the employee manual code of conduct and applicable policies upon hiring and as required thereafter.
Customer data is managed, processed, and stored in accordance with applicable data protection regulations and any specific requirements established in customer contracts. To protect data processed within its platform, Voxco restricts access rights for granting access to the production environment to authorized IT and customer service personnel only and uses encrypted storage and communication channels/protocols to authenticate the application over the Internet. Data processed may include:
- Customer organization information
- Survey questions
- Survey responses
- Survey respondent information
Principal service commitments and system requirements
Voxco has designed its policies and processes to provide a secure environment for its systems and for the data that is processed, in line with its objectives and based on commitments to customers, laws, and regulations. On any operational requirements, Voxco has established its services. These commitments may include service levels related to system uptime and issue response and resolution times.
As applicable, Voxco’s service and security commitments are documented and communicated in agreements with customers or other material (e.g., via terms of service, master agreements, service level agreements, data processing agreements, and training/reference material, as the case may be).
Internal controls are in place to support Voxco’s service and security commitments. These may include but are not limited to the following:
- Logical access security policies are designed to prevent unauthorized persons or systems from accessing systems used to process customer data.
- Technical and organizational measures to protect customer data against loss, alteration, and unauthorized disclosure or access include data encryption and other protective security controls.
- Change management standards are applied during applications and systems development, deployment, and maintenance.
- Practices that require background checks, confidentiality agreements, and a commitment to Voxco’s code of conduct
- System monitoring to detect and alert on incidents or potential incidents, with an incident response policy and process to respond to incidents
- Security tests and assessments of systems (e.g., penetration tests and scans)
- Reviews of key vendors to evaluate their security posture, measures, and control conformance
Relevant aspects of internal controls
Organization and management
The control environment elements at Voxco lay the foundation for the specific control activities.
Elements of the control environment include integrity and ethical values, management’s commitment to competence, and oversight. providing direction. and supporting relevant HR policies and practices.
Ethical values and integrity
Integrity and ethical values are essential elements of Voxco’s control environment affecting the design, administration, and monitoring of other components. Voxco has the following controls in place to incorporate ethical values throughout the organization:
- Documented code of conduct in the employee handbook that communicates Voxco’s values and behavioral standards to personnel.
- Requirement for employees to acknowledge upon hiring that they understand their responsibility to adhere to the employee handbook and applicable policies.
- Employees and contractors must sign a confidentiality/non-disclosure statement agreeing not to disclose proprietary or confidential information, including customer information, to unauthorized parties.
- Background checks are performed for potential employees as part of the hiring process.
- Avenues are available for employees to report issues to management.
Commitment to competence
Voxco has established the following controls to incorporate its commitment to competence throughout the organization:
- Management and appropriate technical designates interview candidates to ensure they possess the requisite skills to fulfill their responsibilities.
- Employees receive a security awareness primer at least once yearly.
- Management allocates an employee training budget and encourages employee development.
Management philosophy and approach
Voxco has established the following controls to reflect its operating philosophy throughout the
- Job descriptions, including roles and responsibilities, are documented and updated as needed.
- Voxco employees receive performance review feedback annually, so they know how they are doing relative to their responsibilities and expectations.
- A Security Awareness training session is available to staff, for review on an annual basis, with a target KPI on participation.
- Voxco’s organizational structure is suited to its needs, with the roles and reporting structure freely accessible to all employees and updated periodically as needed.
Human resource policy and practices
Voxco has established HR practices regarding employee hiring, orientation, training, evaluation, counseling, promotion, compensation, and discipline. Voxco has established the following controls to ensure policies and procedures are adequately communicated throughout the organization:
- Voxco maintains a comprehensive set of information security policies that include employees’ expectations. Upon hiring and as required thereafter, employees must acknowledge their adherence to a confidentiality/non-disclosure statement, a code of conduct in the form of the employee handbook, and other applicable policies.
- Employees receive performance feedback from their supervisors, including discussion of any deficiencies noted in the execution of the Voxco internal and information security controls.
Information and communication
Voxco leverages various communication methods and approaches to ensure the right information is shared with the right internal and external stakeholders as appropriate, consistently, and in a timely manner. Among them:
- A team collaboration tool that allows for real-time communication inside and outside the office.
- Strategies are established by senior management and shared with staff annually.
- Customer responsibilities are described in the contract.
- Customer communications regarding incidents or changes that affect them, such as system changes resulting from incidents or major incidents and system upgrades.
- Updates as required to customers or employees regarding any changes to roles and responsibilities in the organization or any incidents impacting customers or employees.
- Customers have onboarding training from Voxco available to them and training collateral to ensure they have the knowledge to use the application and service effectively.
- Contracts and system documentation articulate Voxco’s commitments to customers regarding the system.
Risk management and design/Implementation of controls
Voxco maintains a cross-functional risk management approach to assess and manage risks that could affect the organization’s ability to provide security services to its customers (user entities).
The process includes considering the inventory of system components, related risks, management’s risk thresholds, and associated mitigation plans. Risk mitigation strategies can include prevention and detection through the implementation of internal controls and the transference through appropriate insurance policies (i.e., Voxco holds cyber insurance).
While risks may be registered or updated at any time and risk reviews are conducted quarterly, a risk assessment is conducted annually. Some examples of internal or external risks considered include:
- Operational/human errors
- Internal or external fraud
- New and evolving legal and regulatory requirements
- Hosting provider service disruption
A security policy is also maintained and available to staff. to ensure that team members understand their role and responsibility in reducing the risk of compromise and exercising appropriate security measures to protect systems and data.
Monitoring of controls
Voxco uses various tools, reports, and processes to monitor the production environment systems. The team reviews alerts and reports and will record/resolve exceptions to normal processing activities as required. An annual internal assessment of the appropriateness and effectiveness of controls in mitigating the risks assessed.
In addition, penetration tests are conducted annually, with results documented and findings reviewed and actioned as required for correction.
Ongoing system monitoring
Voxco has deployed system protection and monitoring tools to alert designated personnel when certain metric thresholds are met. Corrective actions may be initiated through meetings, calls, and other communication channels. Issues noted that require changes to be made to the production platform are tracked via Voxco’s ticketing system and adhere to the change management policy until deployment and resolution.
Management’s close involvement in Voxco’s day-to-day operations helps identify significant variances from expectations regarding internal control activities, and Management reviews incident reports on a periodic basis.
Decisions for addressing any identified deficiencies are made based on whether the incident was Isolated or required a change with respect to tools, procedures, or personnel. In addition, any new applicable laws and regulations and related impacts are reported to management for review and action if required. The Management Committee identifies and evaluates new partnership relationships.
An internal ticket tracking tool documents and tracks issues and incidents identified through monitoring. Corrective actions, if necessary, are documented and tracked within the internal tracking tool.
Voxco has defined a policy that addresses incidents’ management and resolution.
Logical and physical access controls
There are no production servers or systems on the premise to support the Survey Platform or service. All infrastructure and software that support platform operations are in the cloud, hosted at various cloud service providers (depending on the geography served). The offices hold no critical systems or data related to the Survey Platform, and the office networks have no special privileges to any Survey Platform systems or services (e.g., no IP whitelisting, etc.).
In any case, Voxco offices are only accessible via key card access. The facility also has cameras installed throughout.
Users of the system or application must be identified and authenticated before using system resources. Employee access to the production environment is controlled by privileges assigned to their user, role, or group. Passwords must conform to Voxco’s password and authentication policy and are enforced through group policies where applicable.
Remote access to the production environment is tightly restricted to authorized personnel only. Access to the production systems is via a VPN and requires two-factor authentication (2FA), a user ID, and a strong password.
Onboarding and offboarding procedures related to access are implemented to ensure new employees receive only the accesses they require to perform their functions and to ensure that departed employees’ access is revoked without undue delay.
Beyond these onboarding and offboarding procedures, annual user access reviews are conducted to assess the appropriateness of the system access and permission levels and, when necessary, make corrections or modifications based on the principle of least privilege.
Endpoint security software and firewalls protect servers, laptops, workstations, and the network. Storage on laptops and workstations that access production is also encrypted. Installing applications on systems is restricted to change implementation and system administration personnel.
Voxco’s policies prohibit any transmission of sensitive data unless the data is encrypted. Only required services are exposed to the internet.
The corporate network is separate from the development and production networks. Firewalls are enabled, and access is through connections secured via SSL/TLS channels. Network Time Protocol (NTP) servers are configured on IT infrastructure components to maintain proper time synchronization.
Customers have channels to raise and report issues and incidents. in the event of an incident impacting the system, the data, or services, Voxco has an established Incident Management policy to guide personnel in reporting and to respond appropriately. Critical incidents are communicated to affected clients within the established timeline.
In addition, scanning tools are deployed to assess and report potential vulnerabilities. Alerts raised by Voxco’s systems and by its protective and detective tools are investigated by designated personnel, involving the incident response team if necessary.
If required, action is taken to remediate in accordance with the patch management policy and incident response procedures, as needed (logged and tracked in the ticketing system through to resolution). Major incidents are communicated monthly to management, and root causes are shared with senior management for critical incidents. As required, senior management reviews the resolution of critical incidents.
Backups of production critical data and systems are configured, taken, and stored on a daily basis. Backup and restorability are tested annually, either scheduled or due to a requirement to restore for another purpose. Data backups are encrypted during creation, and backups are stored offsite at subservice organizations.
Voxco maintains a documented Change Management Policy to guide personnel in documenting and implementing application changes. changes to consider might come from various sources. including the product roadmap, the risk management process, and responses to critical incidents, issues, or problems that might arise. Change management guidelines include documentation requirements, development standards and practices, test planning and execution, and approvals.
Voxco uses a ticketing system to document changes. Changes are outlined at the level required, ultimately documented, and reviewed in line with an agile approach, with iterations updated based on feedback throughout the development cycle.
Code reviews and tests are conducted for updates. Development and testing are performed in environments separate from the production environment. Changes follow the approved change management flow prior to production deployment per the change management policy. Deployment is handled by a group separate from the development team, and the ability to deploy changes into production is restricted to this authorized personnel only.
Version control software is used to maintain source code versions through the development process to production, and access to source code is restricted to authorized personnel.
Use and monitoring of a subservice organizations
As the production environment is hosted by various cloud providers and as notifications from the platform are sent out via Twilio’s SendGrid, each acts as a subservice organization to Voxco. To validate that each subservice organization with a critical role to play in Voxco’s Survey Platform operations has implemented controls upon which Voxco relies and that Voxco has implemented controls upon which the subservice organization might rely, Voxco management obtains and reviews their independent SOC 2 reports or a similar industry standard (for example, ISO 27001) on an annual basis. This review helps provide comfort that shared responsibilities are covered and helps identify any exceptions that may require further investigation and discussion. Contracts with relevant service providers also include exit clauses.
Complementary subservice organization controls (CSOC)
Voxco’s internal controls consider the controls implemented at key subservice organizations to evaluate the internal controls of subservice organizations upon which some of Voxco’s control objectives depend.
In the design of its internal control, Voxco management determined that certain criteria can only be achieved if the subservice organizations implement appropriate complementary controls. These expected complementary subservice organization’s controls (CSOC) are presented in Section IV with the relevant criteria.
Complementary user entity controls (CUEC)
Meeting overall service and control objectives is a shared objective between Voxco and its customers. As Voxco’s services were designed assuming that some policies, procedures, and controls must be implemented by its customers (aka user entities), the effectiveness of the controls described in this report assumes that some internal controls are in place at each of Voxco’s user entities.
Voxco management has determined that certain applicable trust services criteria, as indicated in section IV, can be met only if complementary user-entity controls (CUEC) are suitably designed and operating effectively at the user entities. It is the responsibility of each Voxco user entity and their auditors to ensure that appropriate review procedures and controls are in place at the user entity level to complement the system of controls in place over the information systems functions being performed by Voxco.
Additional security aspects
Privacy of minors
We do not knowingly provide this website for anyone under 16. Those under 16 years of age should not use our website.
Links to other websites
Got questions about security or compliance?
Keeping our clients’ data secure is our top priority at Voxco. Our goal is to provide a secure environment while also being mindful of application performance and the overall user experience. If you have any concern relating to vulnerability or other security concerns, send an email to …