Security is not a feature we added — it is how TensorSound is built. Every architectural decision, from credential storage to breach response, is made with your data and your customers' data in mind.
TensorSound's core processing infrastructure — voice AI, telephony orchestration, database, and all call recordings — runs on servers physically located in the United Kingdom. Voice data, transcripts, and customer records are processed and stored in the UK and do not leave our infrastructure.
Our website is delivered globally via Cloudflare's CDN, which provides DDoS protection, edge caching, and DNS security as a separate layer in front of our origin servers. Sub-processors used for ancillary functions (transactional email, payment processing) are listed in Section 6 and documented in full in our MSA.
The following controls are implemented in production and applied uniformly across all customer tenants.
All credentials, API keys, and database passwords are held in HashiCorp Vault — a dedicated secrets management system used by banks and large enterprises. Nothing sensitive is stored in code, configuration files, or on disk.
User passwords are hashed using bcrypt at cost factor 12 before storage. The original password is never retained. Even in the event of a database breach, passwords cannot be recovered or reversed.
Every database query is scoped to the requesting tenant at the application layer. It is architecturally impossible for one customer's data to appear in another's session or API response.
Platform users access only the data their assigned role permits. Roles are enforced server-side on every request — not just in the interface. Privilege escalation attempts are blocked and logged automatically.
Authentication endpoints enforce progressive lockout. After repeated failed attempts, access is blocked for escalating durations — from one minute up to 24 hours — making automated credential attacks ineffective.
All connections use TLS 1.3. HTTP is automatically redirected to HTTPS. HTTP Strict Transport Security (HSTS) is enforced, preventing downgrade attacks. Connections not meeting this standard are rejected.
Every response includes Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy — preventing clickjacking, MIME sniffing, and cross-site injection at the browser level.
Every payment event from Stripe carries a cryptographic signature we verify before processing. We do not store card numbers. Payment data is handled within Stripe's PCI-DSS certified environment.
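The signature check described above, as an added example (not TensorSound's own code): a standard-library Go sketch of Stripe's documented `Stripe-Signature` scheme, in which `v1` is an HMAC-SHA256 over `<timestamp>.<raw body>` keyed with the endpoint secret. The function names, the secret, the event body and the five-minute tolerance are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Sign returns hex(HMAC-SHA256(secret, "<ts>.<raw body>")), the v1 scheme value.
func Sign(secret string, ts int64, body []byte) string {
	mac := hmac.New(sha256.New, []byte(secret))
	fmt.Fprintf(mac, "%d.%s", ts, body)
	return hex.EncodeToString(mac.Sum(nil))
}

// Verify checks a Stripe-Signature header ("t=<unix>,v1=<hex>,...") over the raw body.
func Verify(body []byte, header, secret string, now time.Time, tol time.Duration) error {
	ts, sigs := int64(0), []string(nil)
	for _, part := range strings.Split(header, ",") {
		k, v, _ := strings.Cut(strings.TrimSpace(part), "=")
		switch k {
		case "t":
			if n, err := strconv.ParseInt(v, 10, 64); err == nil {
				ts = n
			}
		case "v1": // several v1 values may appear while a secret is being rolled
			sigs = append(sigs, v)
		}
	}
	if age := now.Sub(time.Unix(ts, 0)); age > tol || age < -tol {
		return fmt.Errorf("timestamp missing or outside tolerance (possible replay)")
	}
	want := []byte(Sign(secret, ts, body))
	for _, s := range sigs {
		if hmac.Equal([]byte(s), want) { // constant-time comparison
			return nil
		}
	}
	return fmt.Errorf("no valid v1 signature")
}

func main() { // constructed event body and secret
	body, now := []byte(`{"id":"evt_constructed"}`), time.Now()
	hdr := fmt.Sprintf("t=%d,v1=%s", now.Unix(), Sign("whsec_constructed", now.Unix(), body))
	fmt.Println(Verify(body, hdr, "whsec_constructed", now, 5*time.Minute))
}
```

The check has to run over the exact bytes received, before any JSON parsing or re-serialisation, because a re-encoded body will not match the signature.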
TensorSound maintains a permanent, immutable audit trail across all platform activity. Every login, admin action, role change, and data access event is written to a tamper-evident log with a precise timestamp, user identity, IP address, and outcome.
In the event of an incident — whether internal or external — we can reconstruct exactly who accessed what, when, and from where. Logs are retained for a rolling 12-month period and are available to enterprise customers as part of their contractual audit rights.
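One common way to make an audit trail tamper-evident is a hash chain, shown here as an added example; the page does not say which mechanism TensorSound uses, so the chain design, the type and function names, and the sample events are all assumptions. Each entry stores the hash of its predecessor, so editing or deleting a stored record breaks verification from that point onward.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Entry carries the fields the page lists, plus Prev and Hash for the chain (assumed design).
type Entry struct {
	Time, User, IP, Action, Outcome, Prev, Hash string
}

// digest hashes every field except Hash, so an entry commits to its predecessor via Prev.
func digest(e Entry) string {
	e.Hash = ""
	b, _ := json.Marshal(e) // struct fields marshal in declaration order: deterministic
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Append links a new entry to the current tail of the log and seals it.
func Append(log []Entry, e Entry) []Entry {
	e.Prev = ""
	if n := len(log); n > 0 {
		e.Prev = log[n-1].Hash
	}
	e.Hash = digest(e)
	return append(log, e)
}

// FirstBadIndex returns the first entry whose hash or back-link fails, or -1 if intact.
func FirstBadIndex(log []Entry) int {
	prev := ""
	for i, e := range log {
		if e.Prev != prev || e.Hash != digest(e) {
			return i
		}
		prev = e.Hash
	}
	return -1
}

func main() { // constructed sample events
	log := Append(nil, Entry{Time: "2025-01-01T09:00:00Z", User: "alice", IP: "192.0.2.10", Action: "login", Outcome: "success"})
	log = Append(log, Entry{Time: "2025-01-01T09:05:00Z", User: "alice", IP: "192.0.2.10", Action: "role_change", Outcome: "denied"})
	log[0].Outcome = "failure" // simulated tampering with a stored record
	fmt.Println(FirstBadIndex(log))
}
```

A chain on its own does not detect truncation of the tail or a full rewrite by someone who can recompute every hash, so the latest hash needs to be anchored periodically in a store the log writer cannot modify.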
Our authentication monitor detects anomalous patterns in real time — including repeated failed logins, access from unexpected locations, and privilege escalation attempts — and raises alerts for investigation.
Domixir Ltd (trading as TensorSound) is registered with the UK Information Commissioner's Office under registration number ZC108035. We are the data controller for data processed in connection with our platform and marketing website.
Compliance is built into the product, not applied retrospectively:
Our full privacy practices are set out in our Privacy Policy.
The OWASP Top 10 is the globally recognised standard list of the most critical security risks in web applications — covering SQL injection, broken access control, cross-site scripting, cryptographic failures, and more. It is the baseline enterprise security teams use when evaluating vendor platforms.
TensorSound has conducted a full internal review of the OWASP Top 10 (2021 edition) across the complete platform — Go API, Rust context service, and Next.js frontend. All identified findings have been remediated. This is an ongoing practice, not a one-time exercise.
We use a small number of carefully selected third-party processors. Each is bound by a data processing agreement, and each transfer outside the UK is covered by an appropriate legal mechanism (UK IDTA, UK-US Data Bridge, or Standard Contractual Clauses).
| Processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Telnyx LLC | Telephony — voice calls and SMS | USA | UK-US Data Bridge / UK IDTA |
| Stripe | Payment processing | USA | EU-US Data Privacy Framework & SCCs |
| Cloudflare | CDN, DDoS protection, DNS | Global | Cloudflare UK DPA |
| SMTP2GO | Transactional email | Australia / USA | Standard Contractual Clauses |
| Netlify | Marketing website hosting | USA | Standard Contractual Clauses |
Core platform processing — AI orchestration, database, call recordings, voice infrastructure — runs exclusively on UK-based servers operated directly by Domixir Ltd. No voice data or customer records are transferred to any sub-processor.
Every TensorSound customer is covered by two documents that set out our security and data protection commitments in legally binding terms:
Enterprise customers may exercise their audit rights under the DPA. We will provide relevant documentation, configuration summaries, and — where applicable — third-party assessment reports in response to reasonable audit requests.
We take vulnerability reports seriously. If you believe you have found a security issue in TensorSound — on our website, platform, or API — we ask that you disclose it to us responsibly before publishing or sharing it publicly.
Email security@tensorsound.com with a clear description of the issue, steps to reproduce it, and any supporting evidence (screenshots, request logs, proof-of-concept). We will acknowledge your report within 2 business days and aim to resolve confirmed vulnerabilities within 30 days of validation, depending on severity.
We ask that you do not access, modify, or exfiltrate customer data; do not disrupt the service; and do not disclose the issue publicly until we have had a reasonable opportunity to remediate it. We commit to acting in good faith toward researchers who follow these guidelines.
We are transparent about where we are and where we are heading. TensorSound is a growing platform and we are committed to raising our security posture as we scale.
| Item | Status |
|---|---|
| UK GDPR compliance & ICO registration | Complete |
| PECR-compliant outbound calling controls | Complete |
| OWASP Top 10 internal review & remediation | Complete |
| Security headers (CSP, HSTS, X-Frame-Options) | Complete |
| Secrets vault — HashiCorp Vault | Complete |
| Immutable audit logging | Complete |
| Independent penetration test | Planned — 2026 |
| SOC 2 Type II certification | Planned — 2027 |
This page will be updated as each milestone is reached. If you have a specific compliance requirement not addressed here, contact us at security@tensorsound.com — we will tell you honestly whether and when we can meet it.
For security enquiries, vulnerability reports, DPA requests, or compliance questions: