Security Trust Center

Built for institutions that take data seriously.

Enterprise-grade security with full data residency in Europe.

Our security commitments

Six pillars of institutional trust.

Security is not an add-on — it is a founding requirement. Every system we build starts with data protection as the primary constraint.

Data residency in Europe

Production data is stored on in-region hyperscaler infrastructure in the European Union. AWS Europe (Ireland) region eu-west-1 keeps content in-region unless you choose to move it.

GDPR alignment

We align with the General Data Protection Regulation (GDPR). We support lawful processing, data-subject rights, breach notification within 72 hours, and documented conditions for any cross-border transfers.

Encryption in transit & at rest

All data is encrypted in transit using TLS 1.3. Data at rest is encrypted using AES-256.

Access control

Access to production systems is restricted on a least-privilege basis. Every write enforces user-level identity verification.

Audit logging

Every significant operation is logged with structured JSON entries including a trace ID, timestamps, and user context.

Vulnerability management

We apply security patches on a continuous basis. Dependency vulnerabilities are monitored via automated scanning in our CI pipeline.

In-region infrastructure

Verifiable European data residency.

All three major hyperscalers offer EU regions — enabling true in-region residency for schools, trusts, and enterprises.

Amazon Web Services

eu-west-1 (Ireland)

3 Availability Zones. Primary production region — long-established EU infrastructure with in-region data residency.

Microsoft Azure

West Europe (Netherlands)

In-region data residency with Availability Zones. Use West Europe for production workloads that must remain in the EU.

Google Cloud

europe-west1 (Belgium)

Google's foundational European region — suitable for workloads requiring EU data residency.

Compliance & certifications

Standards we uphold.

Our compliance posture reflects the regulatory environment of the schools and institutions we serve.

AWS Ireland (eu-west-1)

Primary production infrastructure hosted in Ireland with GDPR-aligned residency posture.

GDPR (European Union)

Lawful processing under GDPR principles — accountability, data minimisation, purpose limitation, security safeguards, and data-subject rights.

Privacy-by-design

Security and privacy constraints are built into every system from the start, not bolted on after launch.

Data practices

How your data is handled.

What we store

Vocal stores the minimum data necessary to deliver the learning system:

  • Account credentials (hashed passwords, never stored in plain text)
  • Session and practice data linked to your user account
  • Documents uploaded by your institution
  • Anonymised usage analytics used only to improve Vocal

Third-party processors

  • AWS eu-west-1 (infrastructure and storage — Ireland)
  • Amazon Bedrock (AI inference)
  • LiveKit (real-time voice sessions — demo marketing sessions are not stored)

GDPR & cross-border transfers

GDPR requires lawful processing and sets strict conditions on transfers of personal data outside the European Economic Area. We design for in-region residency first and document subprocessors transparently. Serious contraventions can result in substantial fines — we treat compliance as operational, not decorative.

Data retention

Active account data is retained for the duration of your pilot or subscription agreement. On request, we will delete personal data within 30 days, subject to legal obligations.