BKB Voice
Back to BKB Voice
Security

Security at BKB Voice

A tour of the technical and organisational controls that protect our customers and their end users. Each domain below is mapped to the SOC 2 Trust Services Criteria it supports.

Last reviewed: April 22, 2026

Network & transport security

SOC 2 CC6.1 · CC6.6 · CC6.7
  • TLS 1.2+ enforced for all public traffic (HTTPS-only) with HSTS (max-age=63072000, preload).
  • Hardened HTTP response headers: X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy and Cross-Origin-Resource-Policy.
  • Strict Content-Security-Policy: default-src 'self' with an explicit allow-list for Abacus.AI, Google Fonts and ElevenLabs.
  • Per-request correlation ID (x-request-id) propagated from the edge for forensic traceability.

Application & API controls

SOC 2 CC6.1 · CC6.6 · CC7.2
  • Strict zod input validation on every public API route (leads, qualify-lead, voice-generate, optimize-script, dsr).
  • Distributed fixed-window rate limiting on every public endpoint (IP-keyed, database-backed).
  • Honeypot field on the lead form to silently reject automated bot submissions.
  • No vendor credentials ever exposed to the client — ElevenLabs and Abacus.AI are server-side only.
  • Generic error messages returned to the client; detailed diagnostics live in server logs.

Identity & access management

SOC 2 CC6.1 · CC6.2 · CC6.3
  • Administrative access to production infrastructure is gated behind SSO with hardware-backed MFA.
  • Principle of least privilege — no shared engineer accounts on production databases or secret stores.
  • Access reviews performed quarterly; removal on role change or departure is triggered within one business day.
  • Production secrets live only in managed environment variables; never committed to source control.

Data protection

SOC 2 C1.1 · P4.1 · P4.2
  • Data in transit encrypted with TLS 1.2+. Data at rest encrypted by the managed Postgres provider (AES-256).
  • Data minimisation: lead records and API logs store only the minimum fields required for the stated purpose.
  • Script content submitted to /api/voice-generate and /api/optimize-script is not persisted; only audit metadata (character count, model id) is recorded.
  • Backups are encrypted at the storage layer and inherit the same access controls as primary data.

Logging, monitoring & audit trail

SOC 2 CC7.2 · CC7.3
  • Immutable AuditLog table captures lead creation, qualification, voice generation, script optimization, DSR submission, rate-limit denials and validation failures.
  • Each event records the action taxonomy, entity, actor, outcome, severity, IP, user-agent (truncated) and correlation ID — never raw content or PII beyond what is strictly necessary.
  • Retention is 12 months by default; purges are performed under the documented Records Retention policy.
  • Application-level errors are centralised in production logs and reviewed as part of the on-call rotation.

Vulnerability & change management

SOC 2 CC8.1 · CC7.1
  • All code changes flow through pull requests and peer review — no direct pushes to the main branch.
  • Dependency and container images are scanned for known CVEs on each build; critical findings block release.
  • Semantic versioning with change-log entries for any change touching authentication, input validation or the audit pipeline.
  • Static type checking (TypeScript strict) enforces contract stability.

Availability & resilience

SOC 2 A1.1 · A1.2 · A1.3
  • Stateless application nodes behind a managed edge CDN with automated fail-over.
  • Daily encrypted database backups with point-in-time recovery.
  • Rate limiter fails open on storage error — availability is never sacrificed, and the failure itself is audit-logged.
  • Disaster Recovery plan targets RTO ≤ 4h and RPO ≤ 24h for the production database.

Privacy engineering

SOC 2 Privacy (P1–P8)
  • Privacy Policy states exactly what is collected, why, and how long it is retained.
  • Documented Data Subject Request workflow with verification and 30-day response target.
  • Explicit subprocessor inventory kept current; customers are notified of material changes with at least 30 days’ notice.
  • Standard Data Processing Addendum (DPA) available to every enterprise customer.

Incident response

SOC 2 CC7.3 · CC7.4
  • Documented incident classification, severity scale and escalation path (see Incident Response).
  • Customer-impacting incidents communicated within 72 hours of confirmation.
  • Post-incident reviews within 10 business days; remediation tracked to closure.
  • Security event channel ([email protected]) monitored during business hours; acknowledgement within one business day.

People & organisational security

SOC 2 CC1.1 · CC1.4 · CC2.2
  • Background checks required for personnel with production access (where legally permitted).
  • Annual security awareness training with completion evidence retained.
  • Confidentiality obligations in every contractor and employee agreement.
  • Role-based access — engineers are scoped to the systems their role requires and are reviewed quarterly.

Report a vulnerability

Email [email protected]. Include steps to reproduce, impact and the affected URL / endpoint. We acknowledge within one business day and treat all good-faith reports as authorised testing under our security.txt policy.