Data residency in Europe
Production data is stored on in-region hyperscaler infrastructure in the European Union. AWS Europe (Ireland) region eu-west-1 keeps content in-region unless you choose to move it.
Security Trust Center
Enterprise-grade security with full data residency in Europe.

Our security commitments
Security is not an add-on — it is a founding requirement. Every system we build starts with data protection as the primary constraint.
Production data is stored on in-region hyperscaler infrastructure in the European Union. AWS Europe (Ireland) region eu-west-1 keeps content in-region unless you choose to move it.
We align with the General Data Protection Regulation (GDPR). We support lawful processing, data-subject rights, breach notification within 72 hours, and documented conditions for any cross-border transfers.
All data is encrypted in transit using TLS 1.3. Data at rest is encrypted using AES-256.
Access to production systems is restricted on a least-privilege basis. Every write enforces user-level identity verification.
Every significant operation is logged with structured JSON entries including a trace ID, timestamps, and user context.
We apply security patches on a continuous basis. Dependency vulnerabilities are monitored via automated scanning in our CI pipeline.
In-region infrastructure
All three major hyperscalers offer EU regions — enabling true in-region residency for schools, trusts, and enterprises.
Amazon Web Services
3 Availability Zones. Primary production region — long-established EU infrastructure with in-region data residency.
Microsoft Azure
In-region data residency with Availability Zones. Use West Europe for production workloads that must remain in the EU.
Google Cloud
Google's foundational European region — suitable for workloads requiring EU data residency.
Compliance & certifications
Our compliance posture reflects the regulatory environment of the schools and institutions we serve.
Primary production infrastructure hosted in Ireland with GDPR-aligned residency posture.
Lawful processing under GDPR principles — accountability, data minimisation, purpose limitation, security safeguards, and data-subject rights.
Security and privacy constraints are built into every system from the start, not bolted on after launch.
Data practices
Vocal stores the minimum data necessary to deliver the learning system:
GDPR requires lawful processing and sets strict conditions on transfers of personal data outside the European Economic Area. We design for in-region residency first and document subprocessors transparently. Serious contraventions can result in substantial fines — we treat compliance as operational, not decorative.
Active account data is retained for the duration of your pilot or subscription agreement. On request, we will delete personal data within 30 days, subject to legal obligations.
To report a security vulnerability or raise a data protection concern, contact us directly.
Talk to our team about compliance