Voice Gecko Security Policy
Last updated:
Entity: Social Freak Limited (trading as “Voice Gecko”), a UK company
0) Overview
Purpose. This policy explains how Voice Gecko protects the confidentiality, integrity, and availability of our services and the data we process.
Scope. It covers our product, internal processes, and the third-party services we use (notably AWS and Vercel). It applies to all people who have access to Voice Gecko systems and data (employees, contractors, and managed service providers).
Audience. External (customers, partners, and prospective customers).
What we process. Voice Gecko converts user-provided audio into text. By design, we store text dictations and related metadata (for example: timestamps, language, and account identifiers). We do not store raw audio unless explicitly agreed for a support case or a customer-requested feature.
GDPR. As a UK company, we comply with the UK GDPR and the Data Protection Act 2018. For most features, Voice Gecko acts as a processor of customer dictation content and as a controller for account administration data (billing, login, support).
1) Governance & Roles
Security lead. Voice Gecko designates a security lead responsible for implementing, maintaining, and improving this policy, coordinating risk reviews, and handling security incidents.
Policy reviews. We review this policy at least annually, and after any material changes to our risk profile, infrastructure, or legal requirements.
Accountability. All people with access to production systems or customer data must follow this policy and complete onboarding that covers data handling, acceptable use, and incident reporting.
2) Risk Management
We maintain a lightweight but formal risk management approach inspired by recognised frameworks (e.g., NIST). At least annually we:
- identify relevant threats and assets;
- assess control effectiveness and residual risks;
- prioritise remediation; and
- track improvements to closure.
Documented exceptions are time-bound, risk-assessed, and approved by the security lead.
3) People, Devices & Acceptable Use
Device security (all devices used to access customer data or production):
- Full-disk encryption enabled (e.g., BitLocker, FileVault).
- Automatic screen lock ≤ 15 minutes; strong OS account password/passphrase.
- Supported OS versions with automatic security updates applied promptly.
- Endpoint protection/antimalware enabled.
- Removable media must not be used to store customer data.
Accounts, secrets & tools:
- Password manager required for any non-SSO secrets; MFA required wherever supported (and mandatory for production access).
- Credentials and API keys must never be checked into source control or shared over insecure channels.
- Access to customer data is for support/operations only, on the principle of least privilege, and is logged.
Acceptable use (high level):
- No unlawful activity, malware, scanning, or attempts to bypass security controls.
- Do not copy customer data to local storage outside approved workflows.
- Report suspected incidents or policy breaches immediately to the security lead.
4) Identity & Access Management (IAM)
- Single sign-on. We use a central identity provider (e.g., Google Workspace) for corporate accounts and enforce MFA.
- Least privilege. Access is role-based and granted only as needed to perform duties.
- Segregation. Production access is limited to authorised accounts; administrative actions are logged.
- Lifecycle. Access requests are ticketed; reviews occur at least quarterly. Access is revoked promptly on role change or departure.
- Customer IAM. Customer authentication uses modern standards; MFA is encouraged where available. Rate limiting and related protections help deter brute-force attempts.
5) Secure Development & Change Management
- Source control. All code is kept in private repositories with protected branches and mandatory reviews for security-relevant changes.
- Dependency hygiene. Automated checks flag vulnerable third-party libraries; critical vulnerabilities are prioritised for patching.
- Secrets management. Application secrets are stored in managed secret stores (e.g., AWS Secrets Manager or similar), not in code or images.
- Testing & CI/CD. Build pipelines use least privilege credentials; only signed/approved artefacts are deployed.
- Environment separation. Development/staging are logically separated from production. Production data is never used in dev/test unless properly anonymised.
- Configuration as code. Infrastructure changes are version-controlled and peer-reviewed.
6) Cloud & Network Security
- Hosting. Core services run on Amazon Web Services (AWS) and Vercel. We leverage their baseline physical and platform security controls.
- Segmentation. Security groups, managed firewalls, and environment-specific accounts/projects restrict east-west and north-south traffic.
- Encryption in transit. External connections enforce TLS 1.2+. HSTS and modern cipher suites are used; weak protocols are disabled.
- Encryption at rest. Data at rest is encrypted using AES-256 with cloud-managed keys (e.g., AWS KMS).
- Key management. Access to keys follows least privilege; usage is logged; keys are rotated in line with provider guidance and risk.
- Monitoring & logging. Application, access, and infrastructure logs are collected centrally. Security-relevant events generate alerts for investigation.
- DDoS & edge. We rely on cloud-native and managed edge protections to absorb or mitigate volumetric attacks.
7) Data Protection & Privacy
7.1 Data Types
- Customer Content (Dictations). Text derived from user-submitted audio and related metadata. May include personal data depending on what users submit.
- Account & Billing Data. Names, emails, company details, payment metadata (payment processing is handled by a PCI-compliant provider).
- Operational Telemetry. Service logs and diagnostics used to operate and secure the platform (IP addresses, user agents, timestamps, event types).
7.2 Data Minimisation
- We only store what we need to provide the service, support customers, ensure security, and meet legal obligations.
- We do not store raw audio by default.
7.3 Customer Controls
Customers can request export or deletion of dictations and account data (subject to legal retention requirements). Contact: privacy@voicegecko.com.
Upon verified request or account closure, we delete active copies within 30 days and remove them from backups during normal backup expiry cycles (typically within 35–60 days thereafter).
7.4 Retention
- Dictations are retained for as long as the customer account remains active or until the customer deletes them.
- Log data is retained for security and operational purposes (typically 90 days hot and up to 12 months archived, subject to change based on risk and legal needs).
7.5 Customer Access by Staff
Access to Customer Content is exceptional, logged, and limited to:
- resolving a support ticket;
- investigating an incident; or
- operating the service (e.g., migrations, recovery).
We never use Customer Content for sales/marketing.
AI/ML. We do not use Customer Content to train generalised AI models without explicit customer opt-in.
7.6 International Transfers
We aim to host in UK/EU regions where feasible. Some subprocessors may process data outside the UK/EU. Where transfers occur, we rely on appropriate safeguards (e.g., Standard Contractual Clauses) consistent with UK GDPR.
8) Third-Party Providers & Subprocessors
- We use reputable cloud and SaaS providers (including AWS and Vercel) that maintain strong security programs.
- We assess providers before onboarding (security posture, certifications, data location, DPA terms) and review them periodically thereafter.
- A current list of material subprocessors is maintained and available upon request. Data Processing Agreements are in place where required.
9) Vulnerability Management
- Discovery. Automated dependency and image scanning, periodic infrastructure scanning, and targeted reviews of security-sensitive code.
- Prioritisation. We triage vulnerabilities by severity and likelihood; critical issues are addressed with urgency and may trigger out-of-band releases.
- Responsible disclosure. Security researchers are encouraged to report issues to security@voicegecko.com. We will acknowledge receipt, investigate, and remediate as appropriate. (No active bug-bounty programme at this time.)
10) Incident Detection & Response
- Detection. We monitor for anomalous activity across authentication, data access, application behaviour, and infrastructure events.
- Response process. Preparation → Identification → Containment → Eradication → Recovery → Post-incident review with corrective actions.
- Notifications. If a personal-data breach is likely to result in a risk to individuals’ rights and freedoms, we will notify affected customers without undue delay and meet our regulatory obligations (including notifying the ICO where applicable).
- Forensics & logging. Relevant logs are preserved for investigation; access to evidence is restricted and auditable.
11) Business Continuity & Disaster Recovery
- Backups. Encrypted backups are taken regularly and tested via restore exercises.
- Targets. We aim for a Recovery Point Objective (RPO) ≤ 12 hours and a Recovery Time Objective (RTO) ≤ 24 hours for core services, subject to the nature of the event.
- Resilience. We use managed, highly available cloud services and replicate critical data across availability zones/regions where appropriate.
- Remote-first operations. Our operating model supports secure remote work if a primary site or provider is unavailable.
12) Customer Responsibilities
Security is a shared responsibility. Customers should:
- Use strong authentication and enable MFA where available.
- Control who has access to their workspace/API keys.
- Avoid submitting special category data unless necessary and lawful.
- Keep their own devices and browsers up to date.
- Promptly report suspected compromise of their credentials or API keys.
13) Exceptions
Temporary deviations from this policy must be documented, include compensating controls where possible, be approved by the security lead, and have an explicit expiry date.
14) Contact
- Security: security@voicegecko.com
- Privacy/Data Protection: privacy@voicegecko.com
- Legal/Abuse: legal@voicegecko.com or abuse@voicegecko.com
For access, deletion, or other data-subject requests under UK GDPR, contact privacy@voicegecko.com. We will verify identity and respond within statutory timeframes.
15) Changes to This Policy
We may update this policy to reflect improvements, new features, or legal requirements. The “Last updated” date will change when we do. Material changes will be highlighted for a reasonable period.
16) Disclaimers
This Security Policy is provided for transparency. It is not a contractual commitment or a substitute for a Data Processing Agreement (DPA). Contractual security obligations, if any, are set out in the applicable agreement between Social Freak Limited (Voice Gecko) and the customer.
Nothing in this policy limits our ability to take actions we reasonably believe are necessary to protect customers, the service, or our infrastructure.
Optional Appendix A — Data Classification (concise)
- Customer Content (Dictations): Highest protection. Encrypted at rest and in transit. Access strictly limited and logged.
- Account & Billing Data: Encrypted at rest and in transit. Access limited to authorised personnel.
- Operational Telemetry/Logs: Encrypted, access limited; retained per Section 7.4 for security and operations.
- Public/Marketing Content: Intended for public disclosure.