Security at VaaniYantra
Last updated: July 18, 2026
Businesses trust VaaniYantra with their customer calls. This page describes the controls we run in production today. Questions, vulnerability reports, or security questionnaires: contact us.
Encryption
All traffic is served over TLS (HTTPS/WSS). Provider credentials and integration secrets — telephony auth tokens, OAuth refresh tokens, API keys you connect — are encrypted at rest with AES-256-GCM. Platform API keys are stored only as salted hashes and shown once at creation.
Access control
Every workspace is isolated per organization. Role-based access control (Owner, Admin, Member, Viewer) is enforced on every page and API route. Sign-in uses Firebase Authentication (email/password or Google). Administrative actions — agent changes, member changes, key management, data purges — are recorded in an audit log visible to your admins.
Data retention & deletion
You control how long call content lives. Organization owners can set a retention window (in days); transcripts, recordings, summaries and extracted data older than the window are deleted automatically. You can also delete individual calls, documents, and your account — data deletion instructions.
Recording consent
Agents can be configured to announce at the start of every call that the call may be recorded, helping you meet consent requirements in your jurisdiction.
Reliability
Infrastructure runs on Google Cloud with independent uptime monitoring and alerting on both the web application and the realtime voice service. Databases are backed up nightly to separate cloud storage with automatic lifecycle management. Current availability is published on our status page.
API security
The public API authenticates with per-organization keys and is rate-limited. Outbound webhooks are signed (HMAC-SHA256) so your systems can verify authenticity. Inbound telephony webhooks are verified against provider signatures to reject spoofed requests.
Subprocessors
We rely on a small set of infrastructure providers to deliver the service: Google Cloud (hosting, AI models, speech), Firebase (authentication), Twilio and Exotel (telephony, bring-your-own accounts supported), Meta (WhatsApp messaging), and Cashfree (payments). Each processes only the data needed for its function.
Responsible disclosure
If you believe you have found a vulnerability, please report it to us with reproduction details. We investigate every report and will acknowledge within two business days.