Security
How we protect your data and our platform
1. Security Overview
Security is foundational to Vizaye. We handle sensitive business data — product catalogs, customer enquiries, pricing and lead information — and we treat the protection of that data as a core responsibility, not an afterthought.
This page describes the security measures we implement to protect Vizaye's platform, your data, and your customers' information. We continuously review and improve our security posture as threats evolve.
2. Infrastructure Security
2.1 Cloud infrastructure
Vizaye is hosted on Amazon Web Services (AWS), operating in multiple AWS regions to ensure availability and resilience.
2.2 Network security
- All traffic to Vizaye is encrypted using TLS 1.3 with modern cipher suites
- HTTPS is enforced across all endpoints — no unencrypted connections are permitted
- DDoS protection is provided through AWS Shield and CloudFront
- A Web Application Firewall (WAF) filters malicious traffic before it reaches our application layer
- Private networking: application servers are not directly internet-accessible
2.3 Availability
We target 99.9% platform availability. Our infrastructure uses auto-scaling, load balancing and deployment across multiple Availability Zones to maintain service continuity.
3. Data Security
3.1 Encryption at rest
All data stored by Vizaye is encrypted at rest using AES-256 encryption. This includes your product catalog data, customer enquiry logs, lead information and account data.
3.2 Encryption in transit
All data transmitted between your browser or app and Vizaye's servers is encrypted using TLS 1.3.
3.3 Database security
- Databases are not publicly accessible — all access is through private network connections
- Database credentials are rotated regularly and stored in AWS Secrets Manager
- Point-in-time recovery is enabled for all production databases
- Database activity logging is enabled for audit purposes
3.4 Backups
Automated backups are performed daily with 90-day retention. Backup restoration is tested quarterly. Backups are stored in a separate AWS region from primary data.
4. Access Control
4.1 Internal access
- Principle of least privilege: staff access only the data and systems required for their specific role
- Multi-factor authentication (MFA) is mandatory for all staff accessing production systems
- All privileged access is logged and monitored
- Access is reviewed quarterly and revoked immediately on role change or departure
4.2 Customer access
- Each Vizaye account is isolated — customers cannot access other customers' data
- Session tokens expire after inactivity
- Repeated failed login attempts trigger account lockout
4.3 Third-party access
We conduct security assessments of all third-party vendors who access or process Vizaye data. Data processing agreements are in place with all processors.
5. WhatsApp & AI Security
5.1 WhatsApp Business API
Vizaye uses Meta's official WhatsApp Business API. All messages are transmitted through Meta's encrypted infrastructure. We do not have access to end-to-end encrypted personal WhatsApp messages.
5.2 AI assistant data handling
Your catalog data used to train the AI assistant is stored securely and is not shared with other Vizaye customers. Conversation logs are retained for 12 months for quality assurance and dispute resolution, then deleted.
5.3 AI content safety
Our AI assistant has content safety guardrails to prevent generation of harmful, misleading or inappropriate content, tested regularly as part of our quality assurance process.
6. Incident Response
In the event of a security incident affecting your data, we will notify you within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
Our incident response process includes:
- Immediate containment: isolating affected systems within minutes of detection
- Assessment: determining the scope, cause and data affected
- Notification: notifying affected customers and regulatory authorities within required timeframes
- Remediation: addressing the root cause and implementing preventive measures
- Post-incident review: documenting lessons learned and improving our processes
To report a suspected security incident: security@vizaye.com
7. Compliance & Certifications
| Framework / Regulation | Applicability | Status |
|---|---|---|
| GDPR | European users and data | Compliant |
| UK GDPR | United Kingdom users | Compliant |
| DPDPA 2023 | Indian users and data | Compliant |
| Meta WhatsApp Business API terms | WhatsApp assistant feature | Compliant |
| ISO 27001 | Information security management | Planned — Q3 2026 |
| SOC 2 Type II | Security, availability, confidentiality | Planned — Q4 2026 |
8. Reporting Security Vulnerabilities
We take security vulnerabilities seriously and appreciate the security community's efforts in responsibly disclosing potential issues.
If you discover a potential security vulnerability in Vizaye, please report it to security@vizaye.com. We will acknowledge within 24 hours and provide an update within 5 business days.
We ask that you do not access or modify data belonging to other users, do not perform actions that could impact platform availability, and give us reasonable time to investigate before public disclosure.