Jan 1, 2025
Jul 10, 2025
1. Introduction
VoiceAIWrapper ("we," "us," or "our") is a white-label Software-as-a-Service (SaaS) platform operated by New XP Technologies Limited, a Hong Kong-based company, under the Supafunnel brand. We provide voice AI agent management and distribution services that enable automation and AI service agencies to package their voice AI projects under their own brand and domain.
This Security Policy outlines the comprehensive security framework implemented by New XP Technologies Limited for the VoiceAIWrapper platform. As a SOC 2 Type II certified organization, we maintain the highest standards of security controls and procedures to protect our clients' data and ensure the integrity of our voice AI white-labeling services.
VoiceAIWrapper operates under a shared responsibility model, clearly delineating security obligations between our platform, underlying infrastructure providers, and voice AI service providers. This policy establishes our security posture, defines responsibilities, and demonstrates our commitment to maintaining enterprise-grade security standards.
2. Company Certification & Commitment
New XP Technologies Limited maintains SOC 2 Type II certification, demonstrating our commitment to the highest standards of security and validating our implementation of rigorous security controls across five key trust principles:
Security: Protection of system resources against unauthorized access
Availability: Ensuring system accessibility and usability as agreed
Processing Integrity: System processing completeness, validity, accuracy, and authorization
Confidentiality: Protection of confidential information as committed or agreed
Privacy: Collection, use, retention, disclosure, and disposal of personal information
Our SOC 2 Type II certification is audited annually by independent third-party auditors and demonstrates our ongoing commitment to security excellence. The certification report is available to qualified parties under appropriate non-disclosure agreements.
3. Shared Responsibility Model
VoiceAIWrapper operates under a clearly defined shared responsibility model that allocates security responsibilities across three distinct layers. This model ensures comprehensive security coverage while maintaining clear accountability boundaries.
Security Domain | AWS Responsibility | Voice AI Provider Responsibility | VoiceAIWrapper Responsibility |
---|---|---|---|
Infrastructure Security | Physical security, network infrastructure, hypervisor, AWS services security | N/A | AWS service configuration, VPC security, access management |
Voice Processing Security | Underlying infrastructure for voice AI providers | Voice data processing, AI model security, telephony security, recording security | API integration security, metadata handling |
Application Security | Platform infrastructure services | Voice API security endpoints | Application code, user authentication, data access controls, white-label security |
Data Security | Storage encryption, backup security | Voice recording security, transcript protection | Customer data protection, billing data security, analytics data security |
Compliance | Infrastructure compliance certifications | Voice-specific compliance (recording consent, data retention) | Platform compliance, client onboarding compliance, data processing compliance |
3.1 AWS Infrastructure Layer
Amazon Web Services (AWS) provides the foundational infrastructure security for VoiceAIWrapper. AWS maintains responsibility for:
Physical security of data centers and hardware
Network infrastructure and DDoS protection
Hypervisor security and host operating system patching
Service availability and infrastructure resilience
Compliance certifications (SOC 2, ISO 27001, FedRAMP, etc.)
3.2 Voice AI Provider Layer
Voice AI providers (including Vapi AI, Retell AI, and ElevenLabs) maintain responsibility for:
Voice data processing and storage security
AI model security and privacy
Telephony infrastructure security
Voice recording and transcript protection
Real-time communication security
Voice-specific compliance requirements
3.3 VoiceAIWrapper Application Layer
VoiceAIWrapper maintains responsibility for:
Application security and code integrity
User authentication and authorization
Customer data protection and privacy
White-label security and tenant isolation
API security and integration protection
Billing and payment data security
Analytics and reporting security
4. VoiceAIWrapper Security Framework
Our security framework encompasses multiple layers of protection, aligned with our SOC 2 Type II certification requirements and industry best practices.
4.1 Application Security
4.1.1 Secure Development Lifecycle
Code Security: Secure coding practices with regular security reviews
Version Control: Secure code repository management via GitHub with access controls
Dependency Management: Regular security scanning of third-party dependencies
Security Testing: Automated security testing integrated into CI/CD pipeline
Code Review: Mandatory security-focused code reviews for all changes
4.1.2 Authentication and Authorization
Multi-Factor Authentication: Required for all administrative access
Role-Based Access Control: Granular permissions based on job function
Session Management: Secure session handling with automatic timeouts
API Security: OAuth 2.0 and API key management for external integrations
Privilege Escalation Prevention: Strict controls on administrative privileges
4.2 Data Protection and Privacy
4.2.1 Data Classification and Handling
Data Minimization: Collection of only necessary data for service provision
Data Classification: Systematic classification of data based on sensitivity
Purpose Limitation: Data processing strictly limited to stated purposes
Data Retention: Automatic deletion of data after defined retention periods
Data Portability: Secure data export capabilities for customer requests
4.2.2 Encryption Standards
Data at Rest: AES-256 encryption for all stored data
Data in Transit: TLS 1.3 for all communications
Database Encryption: Full encryption of RDS instances
Key Management: AWS Key Management Service (KMS) for key lifecycle management
Certificate Management: AWS Certificate Manager for SSL/TLS certificates
4.3 Infrastructure Configuration Security
4.3.1 Network Security
Virtual Private Cloud: Isolated network environment with custom VPC configuration
Security Groups: Restrictive firewall rules limiting access to required ports
Network Segmentation: Logical separation of application tiers
DDoS Protection: AWS Shield Standard and CloudFront protection
Intrusion Detection: AWS GuardDuty for threat detection
4.3.2 Container and Compute Security
Container Security: ECS security best practices with least privilege access
Image Security: ECR vulnerability scanning for container images
Compute Isolation: EC2 instances with security hardening
Patch Management: Regular security patching and updates
Resource Monitoring: CloudWatch monitoring for security events
4.4 White-Label Security
4.4.1 Multi-Tenancy Security
Tenant Isolation: Logical separation of client data and configurations
Custom Domain Security: Secure SSL/TLS for client-branded domains
Data Segregation: Database-level isolation preventing cross-tenant access
Access Controls: Client-specific permission boundaries
Audit Trails: Separate audit logs for each tenant
4.4.2 Agency Client Security
Client Onboarding: Secure verification and setup procedures
API Key Management: Secure handling of third-party API credentials
Billing Security: Encrypted handling of Stripe integration data
Customer Data Protection: Secure handling of agency client customer data
Service Level Isolation: Logical separation of client services
5. Monitoring and Incident Response
5.1 Security Monitoring
Our SOC 2 Type II certified monitoring framework includes:
24/7 Monitoring: Continuous security monitoring and alerting
AWS CloudWatch: Comprehensive logging and metrics collection
Security Information and Event Management (SIEM): Centralized security event correlation
Automated Threat Detection: AWS GuardDuty and AWS Security Hub integration
Vulnerability Management: Regular security assessments and remediation
5.2 Incident Response
Our incident response procedures align with SOC 2 Type II requirements:
Incident Classification: Systematic categorization of security events
Response Team: Dedicated security incident response team
Escalation Procedures: Clear escalation paths for different incident types
Communication Plans: Stakeholder notification procedures
Recovery Procedures: Systematic approach to service restoration
Post-Incident Review: Lessons learned and process improvement
6. Third-Party Security Management
6.1 Vendor Security Assessment
All third-party service providers undergo security assessment:
Security Questionnaires: Comprehensive security capability assessment
Compliance Verification: Validation of relevant certifications and standards
Risk Assessment: Evaluation of security risks and mitigation strategies
Contractual Security Requirements: Mandatory security clauses in agreements
Ongoing Monitoring: Regular review of vendor security posture
6.2 Integration Security
Security measures for third-party integrations:
API Security: Secure authentication and authorization for all integrations
Data Minimization: Limiting data shared with third parties to essential information
Encryption Requirements: Mandatory encryption for all data exchanges
Access Logging: Comprehensive logging of third-party data access
Regular Security Reviews: Periodic assessment of integration security
7. Business Continuity and Disaster Recovery
7.1 Backup and Recovery
Automated Backups: Regular automated backups with 7-day retention
Cross-Region Replication: Geographic distribution of backup data
Recovery Testing: Regular testing of backup restoration procedures
Recovery Time Objectives: Defined targets for service restoration
Data Integrity Verification: Validation of backup data consistency
7.2 Service Continuity
High Availability Architecture: Multi-AZ deployment for service resilience
Load Balancing: Distributed traffic handling for fault tolerance
Failover Procedures: Automated failover mechanisms
Capacity Planning: Proactive scaling to handle demand fluctuations
Service Health Monitoring: Real-time monitoring of service availability
8. Compliance and Governance
8.1 Regulatory Compliance
VoiceAIWrapper maintains compliance with applicable regulations:
GDPR: General Data Protection Regulation compliance for EU data subjects
CCPA: California Consumer Privacy Act compliance for California residents
SOC 2 Type II: Ongoing compliance with trust services criteria
Industry Standards: Alignment with relevant industry security standards
Regional Requirements: Compliance with applicable regional data protection laws
8.2 Security Governance
Security Committee: Regular security governance meetings and oversight
Policy Management: Regular review and updating of security policies
Risk Management: Systematic identification and mitigation of security risks
Audit and Assessment: Regular internal and external security audits
Continuous Improvement: Ongoing enhancement of security posture
9. Employee Security
9.1 Security Training and Awareness
Security Orientation: Comprehensive security training for all new employees
Ongoing Education: Regular security awareness training and updates
Phishing Simulation: Regular phishing awareness testing
Incident Response Training: Specialized training for incident response procedures
Security Culture: Promotion of security-conscious organizational culture
9.2 Access Management
Background Checks: Security screening for employees with access to sensitive data
Least Privilege Access: Minimum necessary access rights for job functions
Access Reviews: Regular review and validation of employee access rights
Termination Procedures: Immediate access revocation upon employment termination
Privileged Access Management: Enhanced controls for administrative access
10. Security Contact and Reporting
10.1 Security Contact Information
Security Officer: SP Parasar
Email: sp@newxp.co
Security Reporting: team@newxp.co
10.2 Vulnerability Reporting
We encourage responsible disclosure of security vulnerabilities. Security researchers and users who identify potential security issues should report them through our established channels:
Email security concerns to: team@newxp.co
Include detailed information about the vulnerability
Allow reasonable time for investigation and remediation
Avoid accessing or modifying data without authorization
11. Policy Updates and Reviews
This Security Policy is reviewed annually and updated as necessary to reflect:
Changes in regulatory requirements
Evolution of the security threat landscape
Updates to technical infrastructure and services
Results of security audits and assessments
Feedback from stakeholders and security incidents
Policy updates are communicated to relevant stakeholders and made available to clients upon request.
Document Control:
This document is maintained by New XP Technologies Limited and is subject to our document control procedures as part of our SOC 2 Type II compliance framework.