Security & Data Privacy
How Voiseback protects your data — domain restrictions, encryption, access controls, and GDPR compliance.
Security and privacy are foundational to Voiseback. When your customers share voice feedback, they are trusting you with their words, tone, and sometimes personal details. This page explains the measures Voiseback takes to protect that data at every layer — from widget embedding through storage and access control.
Domain Allow-List
The domain allow-list restricts which websites can load and submit feedback through your widget, preventing unauthorized embedding and spam submissions. Requests from unlisted domains are rejected by the server.
For setup instructions, see the domain allow-list section in Widget Installation.
Always configure your domain allow-list
Without a domain allow-list, your widget could be embedded on any website. Add your production and staging domains after setting up your project.
Database-Level Access Control
All data in Voiseback is stored in a secure database with database-level access controls enabled on every table. These controls ensure that queries automatically filter data based on the authenticated user, making cross-tenant data access impossible at the database level.
- Projects, prompts, and replies are scoped to the project owner. You can only see and manage data that belongs to your account.
- Subscriptions and payments are scoped to the individual user. No other user can view your billing information.
- Access controls are enforced at the database level, ensuring complete data isolation between accounts regardless of application behavior.
Note
This is not an application-level permission check — it is a database-level guarantee. Every query, whether from the API, a server component, or a direct database connection, is subject to these access control policies.
Authentication
Voiseback uses industry-standard protocols to handle user authentication, providing robust security for account management.
Supported Methods
- Email and password — with mandatory email verification. You must verify your email address before accessing the dashboard.
- Google OAuth — sign in with your Google account for a passwordless experience. Voiseback receives only your email and basic profile information from Google.
Session Management
Authentication sessions are managed with secure, HTTP-only cookies. Sessions are refreshed automatically and expire after a period of inactivity. All dashboard routes are protected by middleware that verifies the session before rendering any content.
Data Storage
Voiseback stores two types of data: audio recordings and structured metadata. Both are secured with encryption and access controls.
Audio Recordings
- Stored in secure, encrypted cloud storage.
- Each recording is associated with a specific feedback reply and scoped to the project owner through access control policies.
- Audio files are accessible via signed or public URLs depending on the use case (e.g., testimonials require public access for display on your testimonial page).
Structured Data
- Feedback metadata, transcripts, AI analysis results, and account information are stored in a secure, encrypted database.
- The database is encrypted at rest and connections use TLS encryption in transit.
- All tables are protected by access control policies as described above.
Webhook Security
When a webhook secret is configured, Voiseback signs outgoing webhook requests with an HMAC-SHA256 signature, allowing your receiving endpoint to verify that payloads are authentic and unmodified. Webhook URLs are validated and private or internal network addresses are blocked to prevent server-side request forgery (SSRF). For implementation details and code examples, see Webhooks & Integrations.
Always verify webhook signatures
Without signature verification, your webhook endpoint could accept forged requests. Always validate the HMAC-SHA256 signature before processing webhook data.
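A receiver-side check for the advice above, as an added example that is not Voiseback's own code. It assumes the signature is a hex HMAC-SHA256 digest of the raw request body, optionally prefixed with `sha256=`; the secret and payload are constructed, and the real header name and encoding are the ones given in Webhooks & Integrations.

```python
import hashlib
import hmac
import json

# Assumptions (not from the Voiseback docs): hex digest, optional "sha256="
# prefix, computed over the exact bytes of the request body.
PREFIX = "sha256="

# Constructed sample values for the demonstration.
SECRET = b"constructed-demo-secret"
BODY = b'{"event":"example","id":"constructed-123"}'
# Same JSON after parse + re-serialize: different bytes, so a different MAC.
RESERIALIZED = json.dumps(json.loads(BODY)).encode()


def sign(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 of the exact bytes sent on the wire."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, signature_header) -> bool:
    """Return True only if signature_header is a valid MAC for raw_body."""
    if not secret or not signature_header:
        return False  # fail closed: no secret configured or no signature sent
    received = signature_header.strip()
    if received.startswith(PREFIX):
        received = received[len(PREFIX):]
    expected = sign(secret, raw_body)
    # Constant-time comparison; compare bytes so odd input cannot raise.
    return hmac.compare_digest(
        expected.encode(), received.lower().encode("utf-8", "replace")
    )


if __name__ == "__main__":
    good = sign(SECRET, BODY)
    print("valid signature:     ", verify_webhook(SECRET, BODY, good))
    print("missing signature:   ", verify_webhook(SECRET, BODY, None))
    print("re-serialized body:  ", verify_webhook(SECRET, RESERIALIZED, good))
```

Verify against the raw body bytes before any JSON parsing, and reject the request when the check returns `False`.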
Rate Limiting
Rate limits are applied per IP address on all endpoints to prevent abuse and ensure fair usage. When a rate limit is reached, the server responds with a 429 Too Many Requests status code. Rate-limited responses include X-RateLimit-Remaining and Retry-After headers to help your application handle limits gracefully.
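One way for a client to honour these responses, as an added example that is not Voiseback's own code. `send` is a hypothetical callable returning `(status, headers)`, and the wait cap and fallback backoff are assumptions; `Retry-After` is parsed in both forms HTTP allows (seconds or an HTTP-date).

```python
import email.utils
import time
from datetime import datetime, timezone

MAX_WAIT = 120.0  # assumption: longest single wait we accept, in seconds


def retry_after_seconds(headers, now=None):
    """Parse Retry-After (delta-seconds or HTTP-date) into seconds, or None."""
    value = {k.lower(): v for k, v in headers.items()}.get("retry-after")
    if value is None:
        return None
    value = value.strip()
    if value.isdigit():
        return float(value)
    try:
        when = email.utils.parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None  # garbled header: let the caller fall back
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return max(0.0, (when - now).total_seconds())


def call_with_backoff(send, max_attempts=4, sleep=time.sleep, now=None):
    """Call send() until it stops returning 429, honouring Retry-After.

    Returns (final_status, list_of_waits_in_seconds).
    """
    waits = []
    for attempt in range(max_attempts):
        status, headers = send()
        if status != 429:
            return status, waits
        if attempt == max_attempts - 1:
            break  # out of attempts: report the 429 instead of sleeping again
        hinted = retry_after_seconds(headers, now)
        # Exponential backoff when the header is absent or unparseable.
        delay = hinted if hinted is not None else 2.0 ** attempt
        delay = min(delay, MAX_WAIT)
        waits.append(delay)
        sleep(delay)
    return 429, waits
```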
Input Validation
All user inputs — including text submissions, email addresses, URLs, and file uploads — are validated and sanitized before processing. This protects against common injection attacks and ensures data integrity throughout the system.
Data Retention
Understanding how long your data is stored is important for both compliance and peace of mind.
Feedback Data
All feedback submitted through your widget — including transcripts, AI analysis results, and metadata — is retained for as long as your account is active. There is no automatic expiration or deletion of feedback data while your account remains in good standing.
- Feedback data persists across subscription renewals. Renewing or changing your plan does not affect existing data.
- You can manually delete individual feedback replies from your dashboard at any time.
- Deleted replies are permanently removed and cannot be recovered.
Audio Recordings
Voice feedback recordings are stored in secure cloud storage and are retained for as long as your account is active. Audio files follow the same retention policy as feedback data — they persist until you manually delete the associated reply or delete your account entirely.
- Audio files are associated with their corresponding feedback reply. Deleting a reply also removes its audio recording.
- Audio files used in approved testimonials remain accessible for as long as the testimonial is published on your testimonial page.
Storage is included in your plan
There are no separate storage limits for audio recordings. All voice feedback recordings are included as part of your subscription plan.
Account Deletion
When you delete your account, all associated data — projects, prompts, feedback, audio recordings, testimonials, and billing records — is permanently removed. For full details on the deletion process, visit Settings in your dashboard.
Account deletion is permanent
Account deletion is permanent and cannot be undone.
GDPR and Privacy Considerations
Voiseback is designed with data privacy in mind. While specific GDPR compliance obligations depend on your use case and jurisdiction, the platform provides the tools you need to handle personal data responsibly.
- Secure data hosting — Data is hosted in secure cloud infrastructure with encryption at rest and in transit.
- User-initiated data deletion — account owners can request full account deletion from Settings in their dashboard, which permanently removes all projects, prompts, feedback replies, audio recordings, and account data.
- Consent for testimonials — the testimonial workflow includes explicit consent collection. Feedback is only published as a testimonial after the user has given permission.
- Minimal data collection — Voiseback collects only what is necessary: the feedback itself, optional contact information (if the user provides it), and browser metadata for context. No tracking cookies or third-party analytics are added by the widget.
No Third-Party Tracking
The Voiseback widget does not include any third-party tracking scripts, analytics pixels, or advertising cookies. Feedback data stays within your Voiseback account and is not shared with, sold to, or accessed by any third parties, with one exception: voice feedback is processed by a third-party AI service for transcription and analysis. Audio data is sent to that service securely over encrypted connections and is not retained by it.
API Key Security
Voiseback uses project-level API keys (UUID format) to identify which project a widget belongs to. These keys are designed to be embedded in client-side code and are not secret — they function as project identifiers, similar to a public API key.
- Project API keys are safe to include in your embed script. They identify your project but do not grant access to your dashboard or data.
- Domain allow-listing adds a second layer of protection by restricting which origins can submit feedback using your project key.
Summary
| Layer | Protection |
|---|---|
| Widget embedding | Domain allow-list restricts which sites can load your widget |
| Data access | Database-level access controls ensure data is scoped to its owner |
| Authentication | Secure authentication with email verification and Google OAuth |
| Storage | Encrypted at rest, TLS in transit, access-control-protected |
| Webhooks | HMAC-SHA256 signature verification and SSRF protection |
| Rate limiting | Per-IP rate limits on all endpoints to prevent abuse |
| Input validation | All user inputs validated and sanitized before processing |
| Privacy | No third-party tracking, minimal data collection, consent-based testimonials |
Next Steps
For common security-related questions, see the Troubleshooting & FAQ page.