Updated on April 6, 2026.
Cybersecurity at Voicit
Commitment to safety
At Voicit, security isn't an added feature: it's a core principle that guides how we design, develop, and operate our platform. We work to ensure that businesses can trust that the data they enter into the platform is protected at all times.
Our commitment translates into concrete practices: encryption of data in transit and at rest, infrastructure hosted in the European Union, strict access controls and a clear roadmap towards the most demanding certifications in the sector.
How we protect the roles: Data Controller and Data Processor
Voicit acts as person in charge of treatment in accordance with Article 28 of the GDPR. This means that we process candidates' personal data on behalf of the client company, which decides what data is collected, for what purpose, and for how long it is kept.
The client company (data controller):
- Define the purpose of the treatment.
- Decide what information is entered into the platform.
- This is the person who informs participants about the processing of their data, in accordance with Article 13 of the GDPR.
- You can request the deletion of your data at any time from the platform itself.
Voicit (processor):
- Process the data exclusively according to the client's instructions.
- Implement the necessary technical and organizational measures to protect that data.
- It does not use any data for its own purposes.
- It facilitates the client's regulatory compliance by providing transparent information about their security practices and their sub-processors.
Infrastructure security
Encryption
All communications with the Voicit platform are protected using TLS/SSL encryption. Sensitive data is encrypted both in transit and at rest, ensuring that candidate information is protected throughout its entire lifecycle.
Storage
The data is stored in Google Cloud Storage, within the European Union, using storage buckets and PostgreSQL databases with the security and availability standards of the Google Cloud infrastructure.
Servers
The application logic is executed in Microsoft Azurealso in European zoneThis architecture allows us to combine the strengths of both cloud providers while keeping all data within the European Economic Area.
Network and access
Access to Voicit's internal systems is restricted through authentication and authorization controls. Voicit supports Google SSO, allowing users to authenticate securely without needing to enter additional credentials on our platform.
Application security
Safe development
Voicit integrates security practices into its development cycle, including code review and access control to repositories.
Penetration tests
Voicit conducts third-party security penetration tests annually to identify and correct potential vulnerabilities before they can be exploited.
Vulnerability analysis
Network vulnerability analyses are carried out annually by third parties, assessing the robustness of the infrastructure against external threats.
Data management and privacy
What data do we process
During the use of the platform, Voicit may process the following candidate data, depending on what the client company decides to enter:
- Personal data: name, email address and other identifying data provided by the company.
- CV Content: professional and academic information that the company shares with the platform.
- Audio and voice: recording of the interview conducted by the candidate.
- Transcription: conversion of the interview content to text.
- Analysis and reports: evaluation generated with the assistance of artificial intelligence from the interview.
Data retention and deletion
Participant data is stored on the platform as long as the client company needs it for its processes. The client company can delete the data at any time directly from the platform.
Voicit is actively working on implementing automated retention policies that allow defining retention periods and deleting data on a scheduled basis once its purpose has been fulfilled.
Participants' Rights
Participants whose data is processed through Voicit have the rights recognized by the GDPR: access, rectification, erasure, restriction of processing, data portability, and objection. To exercise these rights, participants must contact the company managing their conversation, as it is the data controller. Voicit will collaborate with the company to address any request within the timeframes established by law.
Sub-processors
To provide our service, Voicit uses technology providers who act as data processors. All of them comply with the security and privacy standards required by the GDPR.
| Assistant Manager | Purpose | Location |
|---|---|---|
| Google Cloud (GCS) | Data storage and databases | UE |
| Microsoft Azure | Application servers | UE |
| Google APIs | Processing (speech-to-text, among others) | UE |
| OpenAI | Artificial intelligence (interview analysis) | USA.* |
| Google Gemini | Artificial intelligence (alternative under development) | UE |
| Stripe | Payment processing | EU / US |
| Mailjet | Email communications | UE |
* With standard contractual clauses (SCC) compliant with the GDPR.
Note on AI and privacy: Voicit is developing an integration with Google Gemini as an alternative to OpenAI for artificial intelligence processing. By operating entirely within Google's European infrastructure, Gemini offers additional data protection guarantees under the GDPR. Our goal is to give our business clients the ability to choose which AI provider they want to use.
Certifications and regulatory compliance
Voicit operates in accordance with GDPR principles and is continuously working to raise its security standards. Below, we detail our current status and roadmap:
Active compliance
- GDPR (General Data Protection Regulation): Voicit operates as a data processor in accordance with the GDPR. We implement technical and organizational measures to protect personal data, maintain infrastructure within the EU, and provide transparency regarding our sub-processors and processing practices.
In our roadmap
- ISO 27001 — Information Security Management System. An international reference standard that certifies the existence of a formal system for managing information security.
- SOC 2 — Security, availability, and confidentiality controls. Framework for evaluating security controls in cloud services that store customer data.
- HIPAA — Health data protection. US standard applicable to organizations that handle protected health information. Considered in our development to expand the sectors we can serve.
Each step in this roadmap reflects a conscious investment in security. We will post updates here as we progress through each certification.
Documentation and resources
To facilitate the evaluation of Voicit by legal, compliance, or security teams, we provide the following resources:
- Privacy Policy: https://voicit.com/politicas-de-privacidad/
- Data Processor Agreement (DPA): Coming soon. If you need a Data Protection Agent (DPA) to begin your Voicit evaluation, please contact us at support@voicit.com.
- List of sub-managers: Available on this same page (previous section).
- Security contact: To report vulnerabilities or security inquiries, write to us at support@voicit.com.
Frequently Asked Questions
No. Voicit acts as the data processor. Your company is the data controller and decides what data is collected and for what purpose. Voicit processes it according to your instructions.
All data is stored on cloud infrastructure located in the European Union (Google Cloud Storage and Microsoft Azure).
Yes. As a client company, you can delete any candidate's data directly from the platform at any time.
The data is sent to AI providers solely for generating the interview transcript and analysis. It is not used to train models. Voicit is developing an alternative option to use Google Gemini with entirely European processing.
We currently comply with the GDPR and implement security measures aligned with standards such as ISO 27001 and SOC 2. Obtaining these certifications formally is on our roadmap and we will publish each step forward here.
We are formalizing our standard DPA. If you need it to begin the assessment, please contact us and we will provide it to you.