Compliance the buyer actually reads.
Every certification, sub-processor, retention policy, and encryption choice we make, written for the person who has to sign off on your security review rather than the person whose job it is to sell you anything.
Eight frameworks, one conversation.
AI-specific compliance (ISO 42001, EU AI Act) sits in the same row as classic infrastructure compliance (SOC 2, ISO 27001), because they should.
- SOC 2 Type II: Independently audited. Report available under NDA via your account team. (Audited)
- ISO 27001: Information security management system certification. (In progress, Q4 2026)
- ISO 42001: AI management system standard, the AI-specific extension of 27001. (In progress, Q1 2027)
- HIPAA + BAA: Business Associate Agreement signed on every healthcare master agreement. The BAA is non-optional, not a customization. (Signed by default for healthcare deployments)
- GDPR · UK GDPR: EU and UK data subject rights honored. DPA available under standard terms. (Compliant)
- EU AI Act: High-risk AI system controls aligned with AGS-2 conformance criteria. (Aligned)
- PCI DSS 4.0: No card data ever touches Vorel infrastructure. Payment surfaces redirect to PCI-scoped vaults. (Not in scope by design)
- TCPA + per-state: Outbound voice and SMS enforce TCPA consent and per-state quiet-hours by default. (Enforced at runtime)
Every byte, every boundary.
Your data stays where you said it would.
Pick a region at contract time. Customer data does not leave it. Vorel never cross-replicates customer payloads between regions. Operational telemetry is the only thing that does, and that telemetry contains no PII.
North America
US-East and US-West regions on AWS. Default for US-headquartered customers.
European Union
eu-west-1 (Ireland) and eu-central-1 (Frankfurt). Data does not leave the region.
United Kingdom
eu-west-2 (London). UK-GDPR aligned.
GCC + Middle East
me-central-1 (UAE). Sovereign-data deployment available.
India
ap-south-1 (Mumbai).
Latam + APAC
Expansions in flight. Talk to us if you need a specific region today.
We don't keep what we don't need.
The full supply chain.
Every third party Vorel relies on, what they do for us, and where they sit. We notify customers at least thirty days before a new sub-processor is added.
| Sub-processor | Purpose | Region |
|---|---|---|
| AWS | Compute, storage, networking | Per residency selection |
| Twilio / Vonage | Voice and SMS carrier interconnect | Per residency |
| Anthropic, OpenAI, Google | Foundation model providers (multi-vendor, redacted payloads) | Per residency |
| Datadog | Observability (no PII) | US / EU |
| Stripe | Billing meter and invoicing | Global |
| Clerk | Operator console authentication | US |
Found something? Tell us first.
Responsible disclosure goes to [email protected]. PGP public key on request. We acknowledge within twenty-four hours, fix within the contract SLA, and credit the reporter unless they prefer otherwise.
What security teams ask
How do I report a security issue?
Where are the legal documents?
How are sub-processor changes communicated?
Do you train models on our customer data?
Bring your security questionnaire.
We'll bring the audit trail. Thirty minutes with the team that wrote this page.

