Security Policy

Effective Date: Jan 1, 2025

Last Updated: Jul 10, 2025

1. Introduction

VoiceAIWrapper ("we," "us," or "our") is a white-label Software-as-a-Service (SaaS) platform operated by New XP Technologies Limited, a Hong Kong-based company, under the Supafunnel brand. We provide voice AI agent management and distribution services that enable automation and AI service agencies to package their voice AI projects under their own brand and domain.

This Security Policy outlines the comprehensive security framework implemented by New XP Technologies Limited for the VoiceAIWrapper platform. As a SOC 2 Type II certified organization, we maintain the highest standards of security controls and procedures to protect our clients' data and ensure the integrity of our voice AI white-labeling services.

VoiceAIWrapper operates under a shared responsibility model, clearly delineating security obligations between our platform, underlying infrastructure providers, and voice AI service providers. This policy establishes our security posture, defines responsibilities, and demonstrates our commitment to maintaining enterprise-grade security standards.

2. Company Certification & Commitment

New XP Technologies Limited maintains SOC 2 Type II certification, demonstrating our commitment to the highest standards of security and validating our implementation of rigorous security controls across five key trust principles:

  • Security: Protection of system resources against unauthorized access

  • Availability: Ensuring system accessibility and usability as agreed

  • Processing Integrity: System processing completeness, validity, accuracy, and authorization

  • Confidentiality: Protection of confidential information as committed or agreed

  • Privacy: Collection, use, retention, disclosure, and disposal of personal information

Our SOC 2 Type II certification is audited annually by independent third-party auditors and demonstrates our ongoing commitment to security excellence. The certification report is available to qualified parties under appropriate non-disclosure agreements.

3. Shared Responsibility Model

VoiceAIWrapper operates under a clearly defined shared responsibility model that allocates security responsibilities across three distinct layers. This model ensures comprehensive security coverage while maintaining clear accountability boundaries.

The table below lists, for each security domain, the responsibilities of AWS, of the voice AI provider, and of VoiceAIWrapper.

Infrastructure Security

  • AWS: Physical security, network infrastructure, hypervisor, AWS services security

  • Voice AI Provider: N/A

  • VoiceAIWrapper: AWS service configuration, VPC security, access management

Voice Processing Security

  • AWS: Underlying infrastructure for voice AI providers

  • Voice AI Provider: Voice data processing, AI model security, telephony security, recording security

  • VoiceAIWrapper: API integration security, metadata handling

Application Security

  • AWS: Platform infrastructure services

  • Voice AI Provider: Voice API security endpoints

  • VoiceAIWrapper: Application code, user authentication, data access controls, white-label security

Data Security

  • AWS: Storage encryption, backup security

  • Voice AI Provider: Voice recording security, transcript protection

  • VoiceAIWrapper: Customer data protection, billing data security, analytics data security

Compliance

  • AWS: Infrastructure compliance certifications

  • Voice AI Provider: Voice-specific compliance (recording consent, data retention)

  • VoiceAIWrapper: Platform compliance, client onboarding compliance, data processing compliance

3.1 AWS Infrastructure Layer

Amazon Web Services (AWS) provides the foundational infrastructure security for VoiceAIWrapper. AWS maintains responsibility for:

  • Physical security of data centers and hardware

  • Network infrastructure and DDoS protection

  • Hypervisor security and host operating system patching

  • Service availability and infrastructure resilience

  • Compliance certifications (SOC 2, ISO 27001, FedRAMP, etc.)

3.2 Voice AI Provider Layer

Voice AI providers (including Vapi AI, Retell AI, and ElevenLabs) are responsible for:

  • Voice data processing and storage security

  • AI model security and privacy

  • Telephony infrastructure security

  • Voice recording and transcript protection

  • Real-time communication security

  • Voice-specific compliance requirements

3.3 VoiceAIWrapper Application Layer

VoiceAIWrapper maintains responsibility for:

  • Application security and code integrity

  • User authentication and authorization

  • Customer data protection and privacy

  • White-label security and tenant isolation

  • API security and integration protection

  • Billing and payment data security

  • Analytics and reporting security

4. VoiceAIWrapper Security Framework

Our security framework encompasses multiple layers of protection, aligned with our SOC 2 Type II certification requirements and industry best practices.

4.1 Application Security

4.1.1 Secure Development Lifecycle

  • Code Security: Secure coding practices with regular security reviews

  • Version Control: Secure code repository management via GitHub with access controls

  • Dependency Management: Regular security scanning of third-party dependencies

  • Security Testing: Automated security testing integrated into CI/CD pipeline

  • Code Review: Mandatory security-focused code reviews for all changes

4.1.2 Authentication and Authorization

  • Multi-Factor Authentication: Required for all administrative access

  • Role-Based Access Control: Granular permissions based on job function

  • Session Management: Secure session handling with automatic timeouts

  • API Security: OAuth 2.0 and API key management for external integrations

  • Privilege Escalation Prevention: Strict controls on administrative privileges

4.2 Data Protection and Privacy

4.2.1 Data Classification and Handling

  • Data Minimization: Collection of only necessary data for service provision

  • Data Classification: Systematic classification of data based on sensitivity

  • Purpose Limitation: Data processing strictly limited to stated purposes

  • Data Retention: Automatic deletion of data after defined retention periods

  • Data Portability: Secure data export capabilities for customer requests

4.2.2 Encryption Standards

  • Data at Rest: AES-256 encryption for all stored data

  • Data in Transit: TLS 1.3 for all communications

  • Database Encryption: Full encryption of RDS instances

  • Key Management: AWS Key Management Service (KMS) for key lifecycle management

  • Certificate Management: AWS Certificate Manager for SSL/TLS certificates

4.3 Infrastructure Configuration Security

4.3.1 Network Security

  • Virtual Private Cloud: Isolated network environment with custom VPC configuration

  • Security Groups: Restrictive firewall rules limiting access to required ports

  • Network Segmentation: Logical separation of application tiers

  • DDoS Protection: AWS Shield Standard and CloudFront protection

  • Intrusion Detection: AWS GuardDuty for threat detection

4.3.2 Container and Compute Security

  • Container Security: ECS security best practices with least privilege access

  • Image Security: ECR vulnerability scanning for container images

  • Compute Isolation: EC2 instances with security hardening

  • Patch Management: Regular security patching and updates

  • Resource Monitoring: CloudWatch monitoring for security events

4.4 White-Label Security

4.4.1 Multi-Tenancy Security

  • Tenant Isolation: Logical separation of client data and configurations

  • Custom Domain Security: Secure SSL/TLS for client-branded domains

  • Data Segregation: Database-level isolation preventing cross-tenant access

  • Access Controls: Client-specific permission boundaries

  • Audit Trails: Separate audit logs for each tenant

4.4.2 Agency Client Security

  • Client Onboarding: Secure verification and setup procedures

  • API Key Management: Secure handling of third-party API credentials

  • Billing Security: Encrypted handling of Stripe integration data

  • Customer Data Protection: Secure handling of agency client customer data

  • Service Level Isolation: Logical separation of client services

5. Monitoring and Incident Response

5.1 Security Monitoring

Our SOC 2 Type II certified monitoring framework includes:

  • 24/7 Monitoring: Continuous security monitoring and alerting

  • AWS CloudWatch: Comprehensive logging and metrics collection

  • Security Information and Event Management (SIEM): Centralized security event correlation

  • Automated Threat Detection: AWS GuardDuty and AWS Security Hub integration

  • Vulnerability Management: Regular security assessments and remediation

5.2 Incident Response

Our incident response procedures align with SOC 2 Type II requirements:

  • Incident Classification: Systematic categorization of security events

  • Response Team: Dedicated security incident response team

  • Escalation Procedures: Clear escalation paths for different incident types

  • Communication Plans: Stakeholder notification procedures

  • Recovery Procedures: Systematic approach to service restoration

  • Post-Incident Review: Lessons learned and process improvement

6. Third-Party Security Management

6.1 Vendor Security Assessment

All third-party service providers undergo security assessment:

  • Security Questionnaires: Comprehensive security capability assessment

  • Compliance Verification: Validation of relevant certifications and standards

  • Risk Assessment: Evaluation of security risks and mitigation strategies

  • Contractual Security Requirements: Mandatory security clauses in agreements

  • Ongoing Monitoring: Regular review of vendor security posture

6.2 Integration Security

Security measures for third-party integrations:

  • API Security: Secure authentication and authorization for all integrations

  • Data Minimization: Limiting data shared with third parties to essential information

  • Encryption Requirements: Mandatory encryption for all data exchanges

  • Access Logging: Comprehensive logging of third-party data access

  • Regular Security Reviews: Periodic assessment of integration security

7. Business Continuity and Disaster Recovery

7.1 Backup and Recovery

  • Automated Backups: Regular automated backups with 7-day retention

  • Cross-Region Replication: Geographic distribution of backup data

  • Recovery Testing: Regular testing of backup restoration procedures

  • Recovery Time Objectives: Defined targets for service restoration

  • Data Integrity Verification: Validation of backup data consistency

7.2 Service Continuity

  • High Availability Architecture: Multi-AZ deployment for service resilience

  • Load Balancing: Distributed traffic handling for fault tolerance

  • Failover Procedures: Automated failover mechanisms

  • Capacity Planning: Proactive scaling to handle demand fluctuations

  • Service Health Monitoring: Real-time monitoring of service availability

8. Compliance and Governance

8.1 Regulatory Compliance

VoiceAIWrapper maintains compliance with applicable regulations:

  • GDPR: General Data Protection Regulation compliance for EU data subjects

  • CCPA: California Consumer Privacy Act compliance for California residents

  • SOC 2 Type II: Ongoing compliance with trust services criteria

  • Industry Standards: Alignment with relevant industry security standards

  • Regional Requirements: Compliance with applicable regional data protection laws

8.2 Security Governance

  • Security Committee: Regular security governance meetings and oversight

  • Policy Management: Regular review and updating of security policies

  • Risk Management: Systematic identification and mitigation of security risks

  • Audit and Assessment: Regular internal and external security audits

  • Continuous Improvement: Ongoing enhancement of security posture

9. Employee Security

9.1 Security Training and Awareness

  • Security Orientation: Comprehensive security training for all new employees

  • Ongoing Education: Regular security awareness training and updates

  • Phishing Simulation: Regular phishing awareness testing

  • Incident Response Training: Specialized training for incident response procedures

  • Security Culture: Promotion of security-conscious organizational culture

9.2 Access Management

  • Background Checks: Security screening for employees with access to sensitive data

  • Least Privilege Access: Minimum necessary access rights for job functions

  • Access Reviews: Regular review and validation of employee access rights

  • Termination Procedures: Immediate access revocation upon employment termination

  • Privileged Access Management: Enhanced controls for administrative access

10. Security Contact and Reporting

10.1 Security Contact Information

Security Officer: SP Parasar

Email: sp@newxp.co

Security Reporting: team@newxp.co

10.2 Vulnerability Reporting

We encourage responsible disclosure of security vulnerabilities. Security researchers and users who identify potential security issues should report them through our established channels:

  • Email security concerns to: team@newxp.co

  • Include detailed information about the vulnerability

  • Allow reasonable time for investigation and remediation

  • Avoid accessing or modifying data without authorization

11. Policy Updates and Reviews

This Security Policy is reviewed annually and updated as necessary to reflect:

  • Changes in regulatory requirements

  • Evolution of security threats and landscape

  • Updates to technical infrastructure and services

  • Results of security audits and assessments

  • Feedback from stakeholders and security incidents

Policy updates are communicated to relevant stakeholders and made available to clients upon request.

Document Control:

This document is maintained by New XP Technologies Limited and is subject to our document control procedures as part of our SOC 2 Type II compliance framework.