VUMY Technologies
vumyo
ProductsCompanyTrustContact Open vumyo
Legal

Security

Last updated 2026-05-07 · v1.1

Security is foundational to the vumyo platform. Identity assurance, signature integrity, and customer data isolation are enforced at the platform level — not delegated to integrations or operational policy. This page summarizes how the platform is built, operated, and audited.

Hosting and tenant isolation

The platform is hosted on globally distributed, enterprise-grade infrastructure with redundancy across regions. Customer data is logically isolated per workspace; tenant boundaries are enforced at the data layer on every authorized request, with no shared application state across customers.

Encryption

  • In transit: industry-standard transport encryption on all client and service connections.
  • At rest: managed encryption across primary data stores, with additional field-level encryption applied to personally identifiable information and identity artifacts.
  • Identity material is never stored in plaintext and is redacted automatically on retention expiry.

Identity assurance and signatures

  • Real-time validation of signing certificates against issuing authorities for every signed envelope.
  • Government-issued identity verification with regional support for Aadhaar (India), with confidence-scored outcomes and full audit trail.
  • Liveness and voice-attestation flows operated under controlled, customer-scoped endpoints.
  • Verification outcomes remain inside the customer workspace at all times. They are never sold or shared with third parties.

Authentication and access

Workspace authentication is performed using signed sessions with server-side revocation. Single sign-on via OAuth is available on the Business tier; SCIM-based provisioning is on the enterprise roadmap. Role and access changes are auditable.

Audit logging

Every material workspace event — role change, decision, signature, verification outcome, and access to sensitive records — is captured and available for export in customer-controlled formats.

Compliance posture

  • GDPR-aligned. The Data Processing Addendum is available at vumy.net/dpa. A current subprocessor disclosure is provided to customers under the data processing terms of their agreement.
  • CCPA-aligned. Data subject rights are documented in the privacy policy.
  • India DPDP-aligned. Identity-data handling, retention, and redaction obligations are integrated into platform behavior.
  • SOC 2 Type II — readiness program in progress; independent auditor engagement scheduled.

Vulnerability disclosure

Vulnerabilities should be reported via the responsible disclosure page. Safe harbor for good-faith security research is documented there, and credited researchers are recognized in our regular transparency updates.

Questions about this document? legal@vumy.net