VantaWeb
  • Solutions
  • Industries
  • AI Receptionist
  • Results
  • Blog
  • Pricing
  • Affiliates
  • Agencies
  • About
  • Contact
Solutions Industries AI Receptionist Results Blog Pricing Affiliates Agencies About Contact Get Started

Security & Trust

Last updated: July 10, 2026

VantaWeb answers phones, messages, and bookings for real businesses, which means customers trust us with their call recordings, contact details, and schedules. This page describes how we protect that data in production today — not aspirationally. If a practice changes, this page changes with it.

Infrastructure and hosting

VantaWeb runs on dedicated cloud servers hosted by Hetzner in Ashburn, Virginia (United States). All public traffic is fronted by Cloudflare, which provides DNS, CDN, TLS termination at the edge, and a web application firewall. Application services run in isolated Docker containers; host firewalls restrict every server to the minimum required ports, and internal telemetry travels only over a private WireGuard network.

Encryption

  • In transit: all connections use TLS — at the Cloudflare edge and on to origin servers. Plain-HTTP access is not served.
  • At rest (backups): every database backup is encrypted with modern authenticated encryption (age / X25519) before it leaves the origin server.
  • Payment data: never stored on VantaWeb systems at all — see payment security.

Backups and disaster recovery

We operate continuous database write-ahead-log archiving with point-in-time recovery, giving a recovery point objective of roughly five minutes, alongside daily encrypted full backups. Copies are stored off-site with a second provider (Backblaze B2) with 30-day version retention. Backup health is checked automatically every hour, and we run restore drills against real backups — most recently in July 2026 — because a backup that hasn't been restored is a hope, not a plan.

Access control

  • Administrative server access is limited to public-key SSH; there is no shared-password access.
  • Application containers follow least privilege — for example, no application container has access to the Docker control socket; container introspection for health checks goes through a dedicated read-only proxy.
  • Production secrets live in server-side environment stores, never in the codebase or client-side code.

Application and deployment security

  • All application code reaches production exclusively through CI/CD (GitHub Actions) — no manual builds on servers.
  • The main branch is protected: changes go through pull requests with automated review, including a dedicated security review pass.
  • Container images are scanned for known vulnerabilities on every build (Trivy); builds fail on fixable high-severity findings.
  • Deployed images are versioned with an immediate rollback path.
  • Security headers (HSTS, CSP, X-Frame-Options) are enforced on public surfaces.

Monitoring and alerting

Production is monitored with metrics-based alerting (host, container, database, and application-level), external uptime checks, and real-time alert delivery to the operations team. Alerting is tested against live metrics, not assumed.

Payment security (PCI DSS)

All payments are processed by Stripe, a PCI DSS Level 1 certified payment processor. Cardholder data is entered directly into Stripe-hosted fields and never touches VantaWeb servers, which qualifies VantaWeb for PCI DSS SAQ A self-assessment — the scope reserved for merchants who fully outsource card handling.

Data protection and privacy

How we collect, retain, and delete personal data is documented publicly:

  • Privacy Policy
  • Data Processing Agreement (GDPR Article 28 terms for customers)
  • Sub-processor list — with 30 days advance notice before any addition
  • Data retention policy — including call recordings and transcripts

Healthcare practices should see our HIPAA-compliant deployment options.

Compliance status

  • PCI DSS SAQ A: self-assessed; card handling fully outsourced to Stripe.
  • CAIQ (CSA Cloud Controls Matrix): a completed Consensus Assessment Initiative Questionnaire is available to prospects on request via security@vantaweb.io.
  • Security questionnaires: we answer vendor security questionnaires directly — typical turnaround is a few business days.
  • SOC 2: not yet certified; on our roadmap as customer demand warrants. This page and the documents above describe the controls we operate today.

Coordinated vulnerability disclosure

We welcome good-faith security research. If you believe you've found a vulnerability in a VantaWeb service, email security@vantaweb.io with enough detail to reproduce the issue. Machine-readable contact details are published at /.well-known/security.txt (RFC 9116).

Scope: vantaweb.io and its subdomains (app, api, partners), and the VantaWeb chat/voice widgets.

Out of scope: denial-of-service or volumetric testing, social engineering or phishing of staff or customers, physical attacks, spam, and findings on third-party services we don't operate (report those to the vendor).

What we commit to:

  • Acknowledgement within 3 business days.
  • An assessment and remediation timeline once the report is validated.
  • Credit for the finding if you'd like it, once fixed.

Safe harbor: we will not pursue or support legal action against researchers who make a good-faith effort to follow this policy — accessing only what is necessary to demonstrate the issue, avoiding privacy violations and service disruption, and giving us reasonable time to remediate before public disclosure. We do not currently operate a paid bug bounty.

Questions

Security questionnaires, CAIQ requests, subprocessor questions, or anything else on this page: security@vantaweb.io.

VantaWeb

AI websites + voice receptionists for service businesses.

Official Claude Partner Network member — powered by Anthropic

Platform
  • Build
  • Industries
  • Pricing
  • AI Receptionist
  • Benchmark
  • Missed Call Calculator
Company
  • About
  • Contact
  • Blog
  • Affiliate Program
  • Agency Partners
Resources
  • Compare AI Receptionists
  • VantaWeb vs Smith.ai
  • VantaWeb vs Rosie
  • VantaWeb vs Goodcall
  • VantaWeb vs Ruby
  • AI vs Answering Service
  • AI vs Virtual Receptionist
  • HIPAA AI Receptionist
  • ServiceTitan Integration
Legal
  • Privacy Policy
  • Terms of Service
  • Data Processing Agreement
  • Retention Policy
  • Security & Trust
  • privacy@vantaweb.io
Account
  • Get Started Free
  • Sign In
VantaWeb VantaWeb · © 2026 +1 (656) 333-8526

We use cookies to improve your experience. Privacy Policy