Procurement Software Security Review
Trust & Security
EU-hosted supplier negotiation training software with tenant isolation, published subprocessors, a DPA, documented controls, and a review path for procurement, privacy, and IT.
This page explains how Voice2Evolve protects voice sessions, transcripts, organisational context, and the rollout process before use inside procurement teams.
- Training and organisation data stored in the EU
- DPA and subprocessor list available
- Tenant isolation enforced across middleware, auth claims, and database policy
- Voice sessions protected in transit via WebRTC/DTLS-SRTP
- Voice recordings are not stored long term
- Security pack and questionnaire responses available on request
- Short-lived tokens, rate limits, and role-based access control
Voice2Evolve handles sensitive data: live voice audio during sessions, conversation transcripts, and organisational context. We treat that responsibility as a design constraint, not an afterthought.
This page describes the controls we have in place. For formal agreements and detailed technical measures, the relevant documents are linked at the bottom.
Data Residency & Encryption
Training and organisation data is stored in the EU, currently via Supabase in the Stockholm region. Data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Voice-session audio is protected in real-time transmission via WebRTC/DTLS-SRTP.
Application-level encryption (AES-256-GCM) protects sensitive fields such as uploaded documents, API keys, and organisation-specific configuration data. Encryption keys are managed through a tiered vault system. Additional service providers and relevant data categories are documented in the subprocessor list.
Tenant Isolation
Voice2Evolve is multi-tenant. Every query, every API call, and every storage operation is scoped to your organisation. Isolation is enforced at the database level through Row-Level Security policies, not just application logic.
Tenant context is validated independently at three layers: middleware, authentication token claims, and database policies. All three must agree before data is returned. There is no shared data surface between organisations.
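The three-layer agreement described above, sketched as an added example (this is not Voice2Evolve's code). The host-to-tenant map, the simplified HMAC-signed token standing in for a JWT, the in-memory rows, and every function name are assumptions made for illustration.

```javascript
// Added illustration; all names, keys and rows are constructed for this example.
const crypto = require("node:crypto");

const SIGNING_KEY = "demo-key-not-for-production"; // constructed
const HOST_TENANTS = new Map([["acme.example", "t-acme"], ["globex.example", "t-globex"]]);
const TRANSCRIPTS = [ // constructed rows
  { id: 1, tenant_id: "t-acme", title: "Supplier call A" },
  { id: 2, tenant_id: "t-globex", title: "Supplier call B" },
];

const b64 = (s) => Buffer.from(s).toString("base64url");
const sign = (body) => crypto.createHmac("sha256", SIGNING_KEY).update(body).digest();

// Issue a short-lived signed token (simplified stand-in for a JWT).
function issueToken(claims, ttlSeconds = 300, now = Date.now()) {
  const body = b64(JSON.stringify({ ...claims, exp: now + ttlSeconds * 1000 }));
  return `${body}.${sign(body).toString("base64url")}`;
}

// Layer 2: claims are trusted only after signature and expiry checks pass.
function verifyToken(token, now = Date.now()) {
  const [body, sig] = String(token).split(".");
  if (!body || !sig) return null;
  const given = Buffer.from(sig, "base64url");
  const expected = sign(body);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(body, "base64url").toString());
  return claims.exp > now ? claims : null;
}

// Layer 3: stand-in for a row-level security policy keyed on the session tenant.
const rlsSelect = (rows, sessionTenant) => rows.filter((r) => r.tenant_id === sessionTenant);

function listTranscripts(req) {
  const routeTenant = HOST_TENANTS.get(req.host); // Layer 1: middleware tenant context
  const claims = verifyToken(req.token, req.now);
  if (!routeTenant || !claims) return { status: 401, rows: [] };
  // Middleware and token must name the same tenant before any query runs.
  if (claims.tenant_id !== routeTenant) return { status: 403, rows: [] };
  const rows = rlsSelect(TRANSCRIPTS, claims.tenant_id);
  // Fail closed if the data layer ever returns a row outside the agreed tenant.
  if (rows.some((r) => r.tenant_id !== routeTenant)) return { status: 500, rows: [] };
  return { status: 200, rows };
}
```

During a vendor review, the cases worth asking about are the ones this sketch rejects: a valid token presented on another tenant's route, a token whose claims were edited without re-signing, and an expired token.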
Voice & AI Data Handling
Voice-session audio is processed in real time for the live session. Voice2Evolve does not store voice recordings long term after the session.
Transcripts and analysis are assigned to the relevant organisation and stored according to the configured retention period. After that period, they are deleted.
We use API endpoints where inputs and outputs are not used for model training. Details on providers, data categories, and retention are documented in the subprocessor list and review materials.
For our principles on AI analysis and the boundaries of the platform, see our Responsible AI page.
Authentication & Access Control
User authentication is handled through secure, HttpOnly cookies with SameSite protection. Role-based access control separates user, editor, tenant admin, and super admin permissions. All admin routes require explicit role verification.
API endpoints are rate-limited per route. Anonymous access is gated behind CAPTCHA verification. All authentication tokens are short-lived and cryptographically signed.
Application Security
Security is built into the development process, not bolted on afterward. Controls include:
- Input validation on every API endpoint (Zod schema enforcement)
- Content Security Policy with per-request nonce injection
- Structured logging with automatic PII redaction
- Automated dependency scanning and vulnerability alerting
- Code review with automated security tools and manual verification
- Immutable audit logs for administrative and financial operations
Compliance & Frameworks
Voice2Evolve builds its Information Security Management System on ISO 27001 and SOC 2 principles. Formal certifications are not yet in place. Documented controls, processes, and review paths are being expanded and made available for procurement and security review.
Voice2Evolve is designed for GDPR-aligned processing: DPA coverage, subprocessor transparency, deletion and access workflows, documented retention, and technical access controls are in place. A Data Protection Impact Assessment covers voice-session processing. German GoBD requirements for digital bookkeeping are met through the Lexware accounting integration.
Vendor Management
Every third-party service is assessed for security posture, data handling practices, and available compliance evidence before adoption. Data Processing Agreements are signed with every vendor that processes personal data. Relevant certifications and supporting evidence are documented in the subprocessor list.
A full subprocessor list is published and maintained. Changes to subprocessors are communicated with 30 days' advance notice per our Data Processing Agreement.
Incident Response
A documented incident response policy covers detection, containment, eradication, and recovery. Critical security events are prioritised for response. Data breaches are assessed under GDPR Article 33 and, where reportable, notified to the competent supervisory authority within 72 hours.
All incidents are documented with root cause analysis and remediation tracking. Post-incident reviews feed back into security controls and monitoring.
Review Materials
For procurement, privacy, IT, and compliance reviews, the following materials are available:
What we provide during vendor review
Procurement, IT, security, and privacy teams usually need the same proof set before rollout. We provide it directly.
- Data Processing Agreement and subprocessor list
- Privacy policy and Responsible AI position
- Security whitepaper and questionnaire responses on request
- Clear explanation of retention, hosting, access control, and tenant isolation
Need the review pack for procurement, IT, or compliance?
We provide the security whitepaper, procurement questionnaire responses, and direct answers for buyer, privacy, and security review teams.
