Trust & Compliance

Secure Infrastructure

Your practice data deserves enterprise-grade protection without enterprise-grade complexity. VIGMA's infrastructure is built on security-first principles — not bolted on after the fact.

Cloud Infrastructure

VIGMA's infrastructure is hosted on SOC 2 Type II compliant cloud platforms that meet the rigorous security and availability standards required for healthcare data processing. These certifications aren't marketing badges — they represent ongoing third-party audits of security controls, change management processes, and incident response capabilities.

Enterprise-Grade Hosting Partners

  • SOC 2 Type II compliance. Our hosting partners undergo regular third-party audits for security, availability, and confidentiality controls.
  • Geographic redundancy. Data is replicated across multiple availability zones to ensure resilience against hardware failures, network outages, or regional disruptions.
  • Isolated tenant environments. Each practice operates in a logically isolated environment. Your data never commingles with other customers' data at the application or database layer.
  • Physical security controls. Data centers employ 24/7 surveillance, biometric access controls, and strict visitor policies to prevent unauthorized physical access.

The infrastructure underlying VIGMA is designed to meet the security expectations of hospitals and enterprise healthcare organizations while remaining accessible to practices of any size. You don't need an IT department to benefit from institutional-grade infrastructure.

Encryption Standards

Every byte of data — whether in motion across the network or at rest on disk — is encrypted using current industry-standard cryptographic protocols. This isn't an optional feature or premium add-on. It's the default for every practice, every call, every interaction.

Data in Transit — TLS 1.3

All voice data, API calls, and system communications are encrypted using Transport Layer Security (TLS) 1.3 — the latest and most secure version of the protocol. TLS 1.3 eliminates vulnerable legacy cipher suites, reduces connection latency, and provides forward secrecy by default: session keys are derived from ephemeral key exchanges, so even if the server's long-term private key were compromised in the future, previously recorded sessions remain protected.

Data at Rest — AES-256

Any stored data — call metadata, transcripts, summaries, configuration settings — is encrypted using AES-256 (Advanced Encryption Standard with 256-bit keys). AES-256 is the same encryption standard used by the U.S. government for classified information and is approved for use in HIPAA-aware environments.

Encryption keys are managed separately from the encrypted data and rotated on a regular schedule.

Key management follows industry best practices: keys are never stored alongside the data they protect, access to key material is logged and restricted, and automated rotation schedules ensure keys are refreshed before they approach cryptographic expiration thresholds.

These encryption standards apply universally across every customer and every tier. There is no way to disable encryption, and there is no "unencrypted tier." Security is not negotiable.

Access Controls

Not everyone at your practice needs the same level of access to VIGMA. Front desk staff may need real-time call summaries. Administrators may need configuration access. Compliance officers may need audit logs. Providers may need none of it.

VIGMA implements granular role-based access controls (RBAC) so you can define exactly who sees what — and every access event is logged for accountability.

Role-Based Access Control (RBAC)

  • Principle of least privilege. Users are granted only the minimum access required to perform their role. No one gets admin access "just in case."
  • Granular permissions. Access is controlled at the feature level: view call summaries, access recordings, modify configurations, view audit logs, manage users.
  • Multi-factor authentication (MFA). All administrative access requires MFA. Password-only authentication is not sufficient for any privileged actions.
  • Session timeouts. Inactive sessions are automatically terminated after a defined period to prevent unauthorized access from unattended workstations.
  • Access logging. Every login, configuration change, data access, and administrative action is logged with timestamp, user identity, and IP address.

For practices subject to HIPAA, these access controls directly support the "minimum necessary" standard and provide the audit trail required to demonstrate compliance with access management requirements.
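
As an added example that is not VIGMA's code, the following Python sketch turns the RBAC rules above into a policy check: least-privilege role mappings for the roles named in this section, MFA required for privileged actions, an idle-session timeout, and an audit record for every decision. Role names, the role-to-permission mapping, the 15-minute timeout and the log layout are assumptions.

```python
# Added illustration (not VIGMA's code); role names, mapping, timeout and log layout are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Feature-level permissions listed on the page.
VIEW_SUMMARIES, ACCESS_RECORDINGS, MODIFY_CONFIG = (
    "view_call_summaries", "access_recordings", "modify_configurations")
VIEW_AUDIT_LOGS, MANAGE_USERS = "view_audit_logs", "manage_users"

# Least privilege: each role gets only what its job needs (assumed mapping;
# recordings access is deliberately granted to no default role).
ROLE_PERMISSIONS = {
    "front_desk": {VIEW_SUMMARIES},
    "administrator": {VIEW_SUMMARIES, MODIFY_CONFIG, MANAGE_USERS},
    "compliance_officer": {VIEW_AUDIT_LOGS},
    "provider": set(),
}
PRIVILEGED = {MODIFY_CONFIG, MANAGE_USERS, ACCESS_RECORDINGS}  # MFA required
SESSION_TIMEOUT = timedelta(minutes=15)  # assumed; the page states no value
AUDIT_LOG: list[dict] = []               # every decision lands here

@dataclass
class Session:
    user: str
    role: str
    ip: str
    mfa_verified: bool
    last_activity: datetime

def authorize(session, permission, now):
    """Return (allowed, reason) and always append an audit record."""
    if now - session.last_activity > SESSION_TIMEOUT:
        allowed, reason = False, "session_expired"
    elif permission not in ROLE_PERMISSIONS.get(session.role, set()):
        allowed, reason = False, "not_in_role"
    elif permission in PRIVILEGED and not session.mfa_verified:
        allowed, reason = False, "mfa_required"
    else:
        allowed, reason = True, "granted"
    AUDIT_LOG.append({"ts": now.isoformat(), "user": session.user, "ip": session.ip,
                      "action": permission, "allowed": allowed, "reason": reason})
    return allowed, reason
NOW = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp

def check(role, permission, mfa=True, idle_minutes=0):
    """Evaluate one attempt for a constructed session; return the reason."""
    s = Session("staff@example.org", role, "203.0.113.10", mfa,
                NOW - timedelta(minutes=idle_minutes))
    return authorize(s, permission, NOW)[1]
```

Denials are logged with the same fields as grants, which is what lets the audit trail show attempted over-reach rather than only successful access.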

Uptime & Reliability

When a patient calls your practice, they expect the phone to be answered — not routed to voicemail because a server went down. VIGMA's infrastructure is designed for high availability with automated failover, redundant systems, and real-time monitoring.

99.9% Uptime SLA

  • Automatic failover. If a server or availability zone experiences an outage, traffic is automatically rerouted to healthy infrastructure within seconds — not minutes.
  • Redundant systems. Critical components (telephony gateways, AI processing nodes, databases) are deployed in redundant configurations. No single point of failure can take down the service.
  • Real-time monitoring. Automated monitoring systems track system health, response times, and error rates 24/7. Anomalies trigger immediate alerts to engineering teams.
  • Proactive maintenance. Infrastructure updates and patches are deployed using rolling update strategies that keep the service online throughout the maintenance window.
  • Incident response commitments. In the rare event of a service disruption, our SLA defines maximum response times and restoration timelines — and we publish incident reports for transparency.

Uptime isn't just a technical metric — it's a reflection of whether your patients can reach your practice when they need to. We treat it accordingly.

Security Testing

Static defenses are not enough. Security is an evolving discipline, and threats change constantly. VIGMA's infrastructure undergoes regular security assessments to identify vulnerabilities before they can be exploited.

Continuous Security Assessment

  • Regular penetration testing. Independent security firms conduct penetration tests against VIGMA's infrastructure and application layer to identify exploitable vulnerabilities.
  • Automated vulnerability scanning. Continuous scanning tools monitor for known vulnerabilities in dependencies, libraries, and server configurations. Critical findings are remediated within defined SLAs.
  • Responsible disclosure program. Security researchers can report vulnerabilities through a defined disclosure process. Valid findings are acknowledged, remediated, and — when appropriate — rewarded.
  • Incident response plan. A documented incident response plan defines roles, communication protocols, containment procedures, and post-incident review processes for security events.
  • Defined remediation timelines. Critical vulnerabilities are patched within 24 hours. High-severity findings within 7 days. All findings are tracked to resolution.

Security testing isn't a one-time event. It's a continuous process of discovering weaknesses, fixing them, and improving defenses over time.

DDoS & Threat Protection

Voice AI systems are attractive targets for denial-of-service attacks, toll fraud, and automated abuse. VIGMA implements multiple layers of protection to detect and mitigate these threats before they impact your practice.

Network-Level Protections

  • DDoS mitigation. Network-level protections detect and absorb distributed denial-of-service attacks before they reach application infrastructure.
  • Rate limiting. API endpoints and telephony interfaces enforce rate limits to prevent abuse, toll fraud, and resource exhaustion attacks.
  • Anomaly detection. Automated systems monitor for unusual traffic patterns, call volumes, or access behaviors that may indicate an attack or compromise.
  • Automated threat response. When anomalies are detected, automated defenses can temporarily block suspicious IP ranges, throttle traffic, or escalate to security teams for investigation.
  • Web Application Firewall (WAF). Application-layer protections filter malicious requests, SQL injection attempts, and cross-site scripting attacks before they reach backend systems.

Threat protection is not a passive feature. It's an active, continuously adapting defense system designed to keep your practice's voice AI operational even when under attack.

Questions About Compliance? Let's Talk.

We understand that adopting voice AI in a healthcare setting requires due diligence. We're happy to walk through our architecture, answer specific compliance questions, or connect your team with our technical staff.


No sales pressure. Real technical answers from people who understand healthcare.