// Trust & Security Report
Voiceflow, Inc.
Enterprise conversational AI platform for building, launching, and scaling AI agents across chat, voice, and phone channels; includes the visual agent builder, observability suite, and production deployment environment
Certifications held
4
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on voiceflow.com“SOC II Compliant / SOC II Type 2 Report [listed in trust center documents section]. Homepage and security page state: 'SOC-2 Type II: Excellence from design to operation: data privacy, processing integrity, and confidentiality stay top of mind.'”
Verify on voiceflow.com“ISO 27001 Compliant / ISO27001 Certificate - 2025 [listed in trust center documents section]. Security page states: 'ISO/IEC 27001:2022: The highest organizational standards for information security management, ensuring your data stays private.'”
Verify on voiceflow.com“Trust center lists 'GDPR Compliant'. GDPR page (voiceflow.com/legal/gdpr) states 'Voiceflow follows all processes and policies for GDPR compliance' and, for transfers outside the EEA, that 'appropriate safeguards, such as standard contractual clauses or security certifications, are in place'. The DPA (voiceflow.com/legal/dpa) incorporates the EU SCCs (European Commission Implementing Decision 2021/914) for restricted transfers.”
Verify on voiceflow.com“HIPAA Compliant / HIPAA report [listed in trust center]. Security page states: 'HIPAA Compliant: Safeguarded systems designed to keep protected health information (PHI) secure.' NOTE: HIPAA BAA availability is not explicitly documented on any public-facing page; must be confirmed with sales.”
> Show 5 unconfirmed / not-held certifications
source: app.drata.comNo CSA STAR Level 1 or Level 2 certification found. Trust center lists a 'CSA Consensus Assessment Initiative Questionnaire (CAIQ)' document, which is a self-assessment questionnaire only, not a third-party CSA STAR audit or certification.
source: voiceflow.comNo mention of PCI DSS on security page, trust center, or any other vendor-domain page reviewed.
source: voiceflow.comNo mention of ISO/IEC 42001 on any vendor-domain page reviewed.
source: voiceflow.comNo mention of ISO 27017 or ISO 27018 on any vendor-domain page reviewed.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Headquartered in Toronto, Canada (Voiceflow, Inc.). Subprocessors in the trust center are listed with data locations in US/EU; infrastructure runs on AWS and GCP. No explicit EU-only or US-only residency option documented publicly.
Trust center explicitly states: 'Voiceflow does not use customer data to train any machine learning or AI models. Customer data is only used to provide and operate the service. Any model providers integrated through Voiceflow (e.g., OpenAI, Anthropic, Google) are configured with zero data retention and do not use submitted data for training.' Note: this commitment appears in the trust center but is not replicated in the DPA or privacy policy text.
// Security controls
Encryption at rest
Strong encryption at rest with customer-managed keys; daily database backups across regions
voiceflow.comVulnerability management
Quarterly vulnerability scans; continuous vulnerability scanning; automated security patches
app.drata.comBug bounty
Yes - responsible disclosure program via security@voiceflow.com; documented safe harbor policy
voiceflow.comInfrastructure
Built on AWS and GCP; multi-AZ deployment; Infrastructure as Code; isolated environments
voiceflow.comNetwork security
CDN-backed WAF and DDoS protection; firewalled segmented architecture; denial of public SSH
app.drata.comAccess controls
Least-privilege access; SSO (enterprise); MFA enforced; granular audit logging
voiceflow.comBCDR
Annually tested disaster recovery; business continuity plan; point-in-time recovery for databases
voiceflow.com// Products & data scope
data: Processes conversation flows, agent logic, and customer interaction data. Supports omnichannel deployment (web chat, phone, mobile API).
Team and enterprise tiers available. Enterprise includes SSO, granular access controls, and audit logging.
data: Allows bring-your-own LLM; supports OpenAI, Anthropic, Google and custom models. LLM providers configured with zero data retention per trust center.
Model lock-in avoidance is a stated design principle.
data: LLM-powered evaluations of agent conversations; logs, metrics, and performance data retained on Voiceflow infrastructure.
Conversation-level logs visible to workspace administrators.
// What to watch
- HIPAA BAA availability is not explicitly documented on any public-facing page. The HIPAA compliance claim is backed by a trust-center HIPAA report, but healthcare customers must confirm BAA availability directly with Voiceflow sales before relying on HIPAA-covered use cases.
- No-AI-training commitment appears only in the trust center's 'Additional details' section; it is absent from the DPA and privacy policy text. These documents should be aligned for contractual enforceability.
- CSA CAIQ document available in trust center is a self-assessment questionnaire only, not a third-party CSA STAR audit. Marketing that implies a CSA certification from this CAIQ would be an over-claim.
- Data residency: subprocessors listed as US/EU but no explicit EU-only or US-only isolation configuration is documented publicly. Customers with strict data residency requirements should confirm with Voiceflow directly.
// At a glance
Pricing model
Freemium with paid tiers; agency/partner usage-based billing; enterprise custom pricing (contact sales)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Voiceflow, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
app.drata.com