Security

• All data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Global edge network with DDoS protection
• Isolated tenant environments for enterprise customers
• Regular third-party penetration testing

We maintain SOC 2 Type II certification and support HIPAA-compliant deployments for healthcare customers. GDPR data processing agreements are available for EU customers.

• Role-based access control (RBAC) for team accounts
• API key scoping and rotation
• SSO / SAML for enterprise plans
• Audit logs for all administrative actions

If you discover a security vulnerability, please report it to security@vapi.click. We acknowledge reports within 24 hours and aim to resolve critical issues within 72 hours.