Trust Center · Last Updated: April 21, 2026

Security, Privacy, and Auditable Engineering Proof.

At Vorden, trust isn't a statement of intent — it's a direct engineering output. Every claim you read on this page maps directly to a control mechanism or configuration file in our codebase. No abstract marketing promises or empty words; just concrete, verifiable technical proof.

  • 32 Active Security Controls
  • 7 Approved Infrastructure Partners
  • EU Primary Data Region
  • GDPR Built-in Full Compliance

Compliance Roadmap

Where We Stand, Where We're Going

No vague, open-ended phrases like "we're working on it." For Vorden, every compliance framework has a clear status, a defined technical scope, and a concrete target date for ongoing processes. Transparency is the first step toward security.

GDPR

Compliant

All personal data is processed and stored in isolation within European Union borders (Frankfurt, Germany). Our platform provides end-to-end data subject rights (access, rectification, erasure), maintains an up-to-date record of processing activities, and applies technical and organizational measures, including encryption, granular access controls, and audit logs. A dedicated Data Processing Agreement (DPA) is available for all customers.

EU AI Act

Monitored & Compliant

Vorden is classified as a "limited-risk AI system" under the EU AI Act. We fully implement every transparency obligation, including clear disclosure to end-users that they are interacting with autonomous agents, and the provision of model provider documentation. We monitor regulatory guidance from the EU AI Office in real time to ensure continuous compliance.

SOC 2 Type II

Audit-Ready

We've implemented every technical control required for SOC 2 Type II into our core architecture: granular access controls, immutable audit logs, secret management, and real-time incident monitoring infrastructure. We've successfully taken this infrastructure through multiple rounds of internal review. Formal engagement with an independent auditor and the audit process itself are scheduled for 2026.

Target 2026-Q4

ISO 27001

In Preparation

We're running the ISO 27001 certification process in parallel with SOC 2 Type II — the vast majority of required technical and organizational controls overlap across these two frameworks. Our Information Security Management System (ISMS) is built on the same isolated foundation. With ISO 27001 certification, we're specifically targeting the European Union market, where it carries the most weight.

Target 2026-Q4

HIPAA

Under Evaluation

To confidently support healthcare customers in the United States, we're evaluating the architectural requirements for HIPAA compliance. As part of this, a Business Associate Agreement (BAA) framework covering the legal process is under development.

Target 2027-Q1

Infrastructure

Your Data Always Knows Where It Is.

The Vorden infrastructure is hosted on Google Cloud Platform (GCP) within European Union borders. To uphold data sovereignty standards and guarantee business continuity, our primary and failover regions are documented below in full transparency.

  • Primary: Frankfurt, Germany
  • Failover: St. Ghislain, Belgium

Security Controls

Defense in Depth, End to End.

We don't publicly list every one of our security controls here — doing so would hand a potential attacker a map of our system architecture. Below we outline our core defense categories and architectural principles. All technical details about our network topology and Defense-in-Depth mechanisms are shared transparently with enterprise customers under a signed DPA (Data Processing Agreement) and NDA (Non-Disclosure Agreement).

32 Active Security Controls Integrated Across the Entire Architecture, Structured Across 8 Core Categories:
  • Encryption
  • Authentication
  • Authorization
  • Network Security
  • Application Security
  • Monitoring & Auditing
  • Infrastructure
  • Data Protection

Detailed technical descriptions of the controls, architecture diagrams, and audit artifacts are shared transparently only with enterprise customers who have signed a DPA and NDA. As part of formal Security Reviews, a live walk-through of how these controls operate in the production environment is provided on request.

Security Operations

Controls Are the Starting Line, Not the Finish Line.

A security control list on its own means nothing against real-world intrusion attempts. Below is the methodology for how we defend our code and infrastructure not just on paper, but under ruthless stress tests:

External Penetration Tests (Pentest)

We regularly engage independent cybersecurity specialists to break into our production systems. Every finding is instantly triaged, patched, and retested for verification. The latest pentest Executive Summary is available to customers who have signed an NDA/DPA.

Continuous Vulnerability Scanning (CI/CD)

Every commit pushed to our repository and every container image we build is automatically scanned for known vulnerabilities (CVEs), leaked secrets, and static code analysis (SAST) findings. Critical-severity dependency vulnerabilities trigger a same-day hotfix process.

Responsible Disclosure

We believe in strengthening security walls together. Independent security researchers can report potential vulnerabilities directly to security@vorden.ai. We confirm incoming reports within one business day at most and personally track the process through to resolution.

Sub-processors

Infrastructure Partners That Touch Your Data.

Below is a fully transparent breakdown of the core infrastructure partners we rely on in our data processing chain. Additional sub-processors that integrate with the system based on operational requirements are shared in detail with enterprise customers only under a signed Data Processing Agreement (DPA).

Google Cloud Platform

Frankfurt, Germany
Required

Cloud hosting, managed database, object storage, serverless compute, and hardware-backed secret (KMS) management.

Data categories
  • All platform data
  • Database records
  • Call recordings
  • Context/Knowledge documents
cloud.google.com

Cloudflare

Global Edge PoP Locations
Required

Global edge network fronting public HTTP traffic. Provides DDoS protection, Web Application Firewall (WAF), advanced bot management, rate limiting, and a DNS/CDN layer before requests reach our origin infrastructure.

Data categories
  • Edge-level HTTP metadata
  • IP addresses (for abuse detection)
cloudflare.com

Vorden Voice

United States (with EU relay nodes)
Required

Our low-latency, real-time voice and video engine powering autonomous agent conversations. Handles WebRTC media transport and AI orchestration.

Data categories
  • Real-time audio streams
  • Session metadata
vorden.ai

Vorden Telephony

United States / Global PoP Locations
Required

Inbound/outbound call routing, SIP trunking, and SMS delivery infrastructure for Vorden-provisioned numbers. Enterprise customers can connect their own trunks directly to the system via a "Custom SIP Bridge."

Data categories
  • Phone numbers
  • Call metadata
  • SMS content
  • Voice audio (in transit)
vorden.ai

Meta Platforms

Ireland, United States
Required

WhatsApp Business Platform integration. Enterprise tenants connect their WhatsApp Business accounts directly to Meta's Cloud API — Vorden orchestrates agent responses autonomously through the tenant's authorization.

Data categories
  • WhatsApp message content
  • Phone numbers
  • Delivery metadata
meta.com

Stripe

United States / Ireland (EU)
Required

Enterprise payment processing and subscription (billing) management. Secure checkout sessions, recurring invoicing workflows, and tokenized payment method storage infrastructure.

Data categories
  • Billing contact information
  • Payment method tokens
  • Invoice history
stripe.com

Sentry

United States
Required

Real-time application error monitoring and performance tracking. Personally Identifiable Information (PII) is automatically redacted at the source; the system receives only sanitized telemetry and error reports.

Data categories
  • Sanitized error context
  • Performance traces (no PII)
sentry.io

Data Retention

What We Keep, for How Long, and Who's in Control?

Our data retention periods are tenant-configurable where operational flexibility makes sense, and fixed where legal compliance and security require it. The boundaries of control are transparently defined below.

Category | Retention | Notes
Call Recordings | 90 Days · configurable | Audio recordings are stored in isolated GCS buckets with signed URL access. Tenants can set shorter retention periods or permanently delete recordings on demand.
Call Transcripts | 90 Days · configurable | Text transcripts follow the exact same lifecycle as their associated audio recording. Data can be exported for compliance before permanent deletion.
Chat History | Indefinite (while account is active) · configurable | Web chat, SMS, WhatsApp, and Telegram logs are retained until the tenant/project is deleted or a data subject exercises their GDPR "right to be forgotten."
Account Data | Contract Duration + 30 Days · fixed | User profiles, billing, and configuration data are retained for the duration of the active contract plus an additional 30 days for potential reactivation.
Audit Logs | 2 Years · fixed | Audit logs of critical, legally required actions (data access, permission changes, administrative settings) are retained immutably for a minimum of 2 years to satisfy regulatory standards.
Error & Performance | 90 Days · fixed | Sentry error reports and performance traces are retained for a maximum of 90 days; they are sanitized at the source and contain no personally identifiable information (PII).

Enterprise Review

Security Questionnaire, DPA, or Architectural Evaluation?

We don't hide behind boilerplate "standard document packs" in enterprise procurement processes. At Vorden, you run the security evaluation directly with the architect who built the platform's infrastructure. Send us your company-specific security questionnaire (vendor assessment) or your specific compliance requirements; we'll put our concrete infrastructure proof and the necessary legal frameworks (DPA/NDA) directly on the table.