Seven layers of security.
Zero shortcuts.
From edge protection to encrypted storage — every layer of VoiCase is independently hardened. Built for organizations where security is non-negotiable.
Defense in depth. Seven independent layers.
Each layer operates independently — a breach at any single point is contained by the layers above and below it. This is the architecture your data lives inside.
Edge & Bot Protection
AWS WAF with 5 rule groups — OWASP patterns, known exploits, and tiered rate limiting. hCaptcha on all public forms.
Transport Encryption
TLS 1.3 preferred, 1.2 minimum. HTTP → HTTPS 301 redirect. Zero plaintext traffic at any point in the request chain.
Network Isolation
Private VPC with SG-reference chain. Application and database in isolated subnets — no public IPs. S3 via VPC Gateway Endpoint.
Identity & Access
OIDC for CI/CD, IAM token-based database auth, JWT + MFA for users. 4 roles × 16 permission flags per user.
Secrets Management
16 secrets in AWS Secrets Manager, injected at container startup. Zero plaintext in task definitions, API outputs, or logs.
Application Security
BaseApiHandler validates every request: organization check, role + permission verification, UUID sanitization. Typed audit logger.
Data at Rest
AES-256 on all stores — Aurora (KMS), S3 (SSE-S3), ECR images, Secrets Manager. Versioning, deletion protection, 7-day backups.
Built to protect. At every layer.
Six security domains — from edge protection to compliance — working in concert so your data and your reporters stay safe.
Multi-Layer Edge Defense
Attacks are stopped at the perimeter — before they reach a single line of application code.
- AWS WAF with OWASP Core Rule Set + Known Bad Inputs — blocks SQLi, XSS, SSRF, Log4Shell automatically
- Targeted rate limiting: auth endpoints (300/5min), AI endpoints (500/5min), global (3,000/5min per IP)
- hCaptcha bot protection on every public submission form; HTTP → HTTPS 301 redirect — zero plaintext traffic
Private Network Architecture
Application services and databases have no direct internet exposure — traffic flows through a hardened, segmented path.
- Private VPC with ECS containers and Aurora PostgreSQL in isolated subnets — no public IPs assigned to any service
- Three-tier security group chain: ALB → ECS → Aurora using SG-reference rules, not CIDR — each tier only talks to its neighbor
- S3 traffic routed via VPC Gateway Endpoint — never leaves the AWS backbone; all outbound via NAT instance only
End-to-End Encryption
Every byte is encrypted in transit and at rest — with dedicated KMS keys and strict header policies on every response.
- TLS 1.3 preferred, 1.2 minimum (1.0/1.1 fully blocked) via AWS ELBSecurityPolicy-TLS13-1-2-2021-06
- AES-256 at rest: Aurora PostgreSQL (dedicated KMS), S3 attachments (SSE-S3), Secrets Manager (dedicated KMS)
- HSTS, CSP, X-Frame-Options DENY, X-Content-Type-Options, Referrer-Policy, Permissions-Policy on every response
Granular Access Control
Four role tiers, 16 permission flags per user, and database-level tenant isolation — access is enforced, not assumed.
- 4 roles (admin / manager / member / viewer) × 16 granular permission flag overrides per user
- PostgreSQL Row-Level Security — cross-tenant access impossible even with a valid session token
- MFA enforced for admins; Passkey / WebAuthn supported; IAM database auth (token-based, no static passwords)
Anonymous by Architecture
Reporter identity is structurally separated from the report — protected by code, not policy. Reporting and admin surfaces run on separate domains with zero shared cookies.
- Domain-isolated reporting — reporter and admin surfaces share zero cookies, sessions, or origin context
- Reporter IP addresses never exposed to organization administrators at any role or permission level
- No account, login, or identifying information required — fully anonymous case submission
- Unique secure token issued for follow-up communication; database-enforced isolation via Row-Level Security
Compliance-Ready by Default
Audit trails, GDPR workflows, and data residency controls built into the platform — not bolted on after the fact.
- Immutable audit trail for every case action, access event, and data change — typed security event logger
- Built-in GDPR: SAR intake (Art. 15–22), retention review queue with scheduled expiry, one-click regulatory PDF export
- All data in EU (Frankfurt, Germany); architecture aligned to SOC 2 and ISO 27001 frameworks
Explore the full stack.
Every security checkpoint your data passes through, from the client's browser to the encrypted database.
All client traffic is encrypted with TLS 1.3 as the preferred protocol and TLS 1.2 as the minimum. Older TLS versions are permanently disabled. HTTP port 80 returns a 301 redirect — zero plaintext traffic at any point in the request chain.
Security Measures
Every inbound request passes through AWS Web Application Firewall before reaching application code. Five rule groups block OWASP attack patterns, known exploits, and enforce tiered rate limiting.
The ALB handles TLS termination, distributes traffic across availability zones, and routes only to healthy containers in private subnets. It is the sole ingress point — no direct internet path to the application exists.
The application runs in ECS Fargate containers in private subnets with public IP assignment disabled. Reporting and admin surfaces are served on separate domains — zero shared cookies or session context. Every API request is validated through middleware and BaseApiHandler.
Aurora PostgreSQL runs in a private subnet, accepting connections only from the ECS task security group on port 5432. Row-Level Security enforces multi-tenant isolation at the database engine level — cross-tenant queries are structurally impossible.
Case file attachments are stored in a fully private S3 bucket with all four public access blocks enabled. Files are accessible only through presigned URLs generated by the application with a 24-hour TTL.
16 application secrets stored under a dedicated prefix in AWS Secrets Manager. Injected into containers at startup via task definition ARN references — secrets never appear in plaintext anywhere in the infrastructure.
Trust earned through action, not words.
We've invested in a security infrastructure that exceeds industry standards — because the people who speak up deserve absolute protection.
Zero-trust architecture
Every request passes through WAF, TLS, JWT validation, organization checks, and row-level security — seven independent layers, any of which blocks unauthorized access alone.
Tamper-proof audit trails
Every action, access event, and data change is permanently logged with typed security events. Structured PDF export ready for any regulator, on demand.
Anonymous by architecture
Reporter identity is structurally separated from the data. IPs, sessions, and identifying metadata are never surfaced to organization administrators — by code, not policy.
EU-resident, deletion-protected
All data stored in Frankfurt (eu-central-1) on ISO 27001 infrastructure. Aurora deletion protection, 7-day automated backups, S3 versioning, and 99.9% uptime commitment.
Security questions, answered clearly
Everything you need to know about how we protect your data and your reporters.
All data is stored on ISO 27001-certified AWS infrastructure in the EU (Frankfurt, Germany — eu-central-1). Application containers and the database run in private subnets with no public IP addresses. Access is strictly role-based with four permission tiers, 16 granular per-user permission flags, and department-scoped case visibility. PostgreSQL Row-Level Security enforces tenant isolation at the database layer — cross-tenant data access is impossible even with a valid session token.
Reporters submit cases without creating an account or providing any identifying information. A unique secure token is issued for follow-up communication. Reporter IP addresses are retained only at the platform security level for abuse prevention and are never accessible to organization administrators at any role or permission level. hCaptcha protects all public submission forms from automated abuse.
In transit: TLS 1.3 is the preferred protocol (TLS 1.2 minimum; 1.0 and 1.1 are fully blocked) using AWS ELBSecurityPolicy-TLS13-1-2-2021-06. HTTP port 80 returns a 301 permanent redirect — zero plaintext traffic is permitted. At rest: Aurora PostgreSQL is encrypted via a dedicated AWS KMS key (AES-256). S3 file attachments use AES-256 (SSE-S3) with versioning enabled. All 16 application secrets are stored in AWS Secrets Manager encrypted with a dedicated KMS key. HSTS, CSP, X-Frame-Options (DENY), X-Content-Type-Options, Referrer-Policy, and Permissions-Policy are applied to every response.
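A way to verify the header and redirect claims above from the outside, given here as an added example (not VoiCase code). It audits a captured response head for the six listed headers and checks that the port-80 answer is a 301 to HTTPS; the sample captures and the host name are constructed, and the `nosniff` and positive `max-age` checks are assumptions about sensible values, since the page does not state them.

```python
import re

REQUIRED = ("strict-transport-security", "content-security-policy", "x-frame-options",
            "x-content-type-options", "referrer-policy", "permissions-policy")

def parse_head(raw):
    """Parse a raw response head into (status, {lowercase name: [values]})."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(lines[0].split()[1]), headers

def audit_headers(raw):
    """Findings for missing, duplicated or weakened headers on one response."""
    _, h = parse_head(raw)
    first = lambda n: h.get(n, [""])[0]
    findings = [f"missing {n}" for n in REQUIRED if n not in h]
    findings += [f"duplicate {n}" for n in REQUIRED if len(h.get(n, [])) > 1]
    if "x-frame-options" in h and first("x-frame-options").upper() != "DENY":
        findings.append("x-frame-options is not DENY")
    if "x-content-type-options" in h and first("x-content-type-options").lower() != "nosniff":
        findings.append("x-content-type-options is not nosniff")
    m = re.search(r'max-age="?(\d+)', first("strict-transport-security"), re.I)
    if "strict-transport-security" in h and (m is None or int(m.group(1)) == 0):
        findings.append("strict-transport-security lacks a positive max-age")
    return findings

def audit_redirect(raw):
    """The port-80 listener should answer 301 with an https:// Location."""
    status, h = parse_head(raw)
    location = h.get("location", [""])[0]
    ok = status == 301 and location.lower().startswith("https://")
    return [] if ok else [f"unexpected port-80 answer: {status} {location!r}"]

# Constructed captures (what `curl -si` would print); the host is a placeholder.
GOOD = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
Permissions-Policy: geolocation=()
"""
WEAK = (GOOD.replace("DENY", "SAMEORIGIN").replace("max-age=31536000", "max-age=0")
            .replace("Permissions-Policy: geolocation=()\n", ""))
REDIRECT = "HTTP/1.1 301 Moved Permanently\nLocation: https://app.example.test/\n"
```
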
Multi-tenant isolation is enforced at three levels. First, every API request is validated through BaseApiHandler which checks the organization ID header, verifies the user's role and permission flags, and sanitizes all input UUIDs. Second, PostgreSQL Row-Level Security ensures database queries are scoped to the authenticated tenant — even a valid session token cannot access another organization's data. Third, department-scoped case visibility within an organization restricts which cases each user can see.
AWS WAF is attached to the Application Load Balancer with five rule groups: OWASP Core Rule Set (SQLi, XSS), Known Bad Inputs (Log4Shell, SSRF, RFI), auth endpoint rate limiting (300 requests/5 minutes), AI endpoint rate limiting (500 requests/5 minutes), and global rate limiting (3,000 requests/5 minutes per IP). hCaptcha is enforced on all public submission endpoints. The three-tier security group chain ensures the ALB accepts public HTTPS, ECS only accepts traffic from the ALB SG, and Aurora only accepts connections from the ECS SG.
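The three-tier security group chain described above can be checked for drift with a short audit; this is an added example, not VoiCase code. It reads rules in the field layout returned by `aws ec2 describe-security-groups`; the group IDs, the application port 8080 and the sample data are constructed assumptions, while port 5432 and the 80/443 listeners come from the page.

```python
# Audit an ALB -> ECS -> Aurora security-group chain for address-based drift.

def sources(rule):
    """Split one ingress rule into address-based and SG-based sources."""
    by_addr = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    by_addr += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    by_addr += [p["PrefixListId"] for p in rule.get("PrefixListIds", [])]
    by_sg = [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])]
    return by_addr, by_sg

def port_ok(rule, allowed):
    """True only for a single-port rule on an allowed port (fails for protocol -1)."""
    return rule.get("FromPort") == rule.get("ToPort") and rule.get("FromPort") in allowed

def audit_private_tier(group, upstream_sg, allowed_ports):
    """A private tier may be reached only from its upstream SG, never by address."""
    gid, findings = group["GroupId"], []
    for rule in group.get("IpPermissions", []):
        by_addr, by_sg = sources(rule)
        findings += [f"{gid}: address-based source {a}" for a in by_addr]
        findings += [f"{gid}: unexpected SG source {s}" for s in by_sg if s != upstream_sg]
        if not port_ok(rule, allowed_ports):
            findings.append(f"{gid}: ports {rule.get('FromPort')}-{rule.get('ToPort')} not allowed")
    return findings

def audit_chain(groups, alb, ecs, db, app_port, db_port=5432):
    """Return a list of deviations from the ALB -> ECS -> Aurora chain."""
    by_id = {g["GroupId"]: g for g in groups}
    # Public tier: address-based ingress is expected, but only on 80 (redirect) and 443.
    findings = [f"{alb}: public ingress on unexpected port {r.get('FromPort')}"
                for r in by_id[alb].get("IpPermissions", []) if not port_ok(r, {80, 443})]
    findings += audit_private_tier(by_id[ecs], alb, {app_port})
    findings += audit_private_tier(by_id[db], ecs, {db_port})
    return findings

def tcp_rule(port, cidrs=(), sgs=()):
    """Build one constructed TCP ingress rule."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": s} for s in sgs]}

GOOD = [{"GroupId": "sg-alb", "IpPermissions": [tcp_rule(443, ["0.0.0.0/0"]), tcp_rule(80, ["0.0.0.0/0"])]},
        {"GroupId": "sg-ecs", "IpPermissions": [tcp_rule(8080, sgs=["sg-alb"])]},
        {"GroupId": "sg-db", "IpPermissions": [tcp_rule(5432, sgs=["sg-ecs"])]}]
# Drift: a VPC-wide CIDR rule has been added to the database group.
DRIFTED = GOOD[:2] + [{"GroupId": "sg-db", "IpPermissions":
                       [tcp_rule(5432, sgs=["sg-ecs"]), tcp_rule(5432, ["10.0.0.0/16"])]}]

print(audit_chain(DRIFTED, "sg-alb", "sg-ecs", "sg-db", app_port=8080))
```

A CIDR rule such as the one in `DRIFTED` still looks "private", but it lets any host in that range reach the database, which is exactly what SG-reference rules rule out.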
The CI/CD pipeline uses GitHub Actions with OIDC federation to authenticate to AWS — no long-lived credentials are stored in source code or CI configuration. Container images are pushed to ECR with immutable SHA tags and automatic vulnerability scanning on push. The 16 application secrets are injected at container startup from AWS Secrets Manager via task definition ARN references — they never appear in plaintext in the ECS task definition, API output, or deployment logs. New tasks are deployed in private subnets with no public IP, and must pass a health check before receiving traffic.
Yes. VoiCase maintains an immutable audit trail for every case action, access event, authorization failure, and data change. All events are captured through a typed security audit logger that records the user, organization, action type, and timestamp. Audit records can be exported in structured PDF format. The full export history is timestamped and attributed — ready for GDPR supervisory authority, internal compliance, or legal review.
Infrastructure is hosted on ISO 27001-certified AWS in the EU (Frankfurt). Platform controls are designed to align with SOC 2 Trust Criteria and ISO 27001 Annex A. AWS Managed WAF protects against OWASP Top 10 patterns. Built-in GDPR workflows cover data subject access requests (Articles 15–22), retention review with scheduled expiry, and legal-hold actions. All deployment credentials use short-lived OIDC tokens, and database authentication uses IAM token-based access — no long-lived passwords.
Questions about security?
Our security team is available to walk you through any of our protection measures in detail.