Security Checklist
VoicePing publishes a detailed information security checklist. VoicePing Security Sheet.pdf| Category | Evaluation Item | Description | Status |
|---|---|---|---|
| Security | Public Certification | ISMS, Privacy Mark, etc. | ISO/IEC 27001:2022 / JIS Q 27001:2023 certified (Certificate: IS 820960, issued by BSI, valid 2025-04-25 to 2028-04-24) |
| Security | Third-party Evaluation | Measures against unauthorized intrusion, operation, data acquisition | Regular BSI surveillance audits (next scheduled: April 2026) |
| Security | Data Handling Environment | Access restrictions to user data | Restricted to specific IP addresses via AWS Security Groups |
| Security | Communication Encryption Level | Encryption strength of communications | TLS 1.3 only |
| Security | Virus Protection | Virus scanning | Continuous detection of unauthorized activities via AWS GuardDuty |
| Data Protection | Backup Data | Encryption, storage location | AWS Tokyo Region |
| Data Protection | Data Separation Between Companies | Information isolation between companies | Logical separation via database |
Data Protection
Communication Encryption
- Application and audio/video data use TLS 1.3 only
- HTTPS communication enforced (configured via AWS ELB)
Backup
- Backup Cycle: Monthly backups via AWS Database
- Retention Period: Server access logs are stored in S3 for security monitoring and incident investigation. Application logs are designed not to output direct personal data (such as names, email addresses, or transcription content). If identifiers that may relate to an individual are present in log records (e.g., IP addresses), such identifiers are deleted or irreversibly anonymized within 30 days after a valid deletion request. Logs are retained only for the minimum operational/security period and are not retained long-term.
- BCP Measures: Remote storage across multiple regions on AWS Database
Data Access Restrictions
- Database and server access restricted to specific IP addresses via AWS Security Groups
- Data between companies is logically separated via database
Availability
Uptime
- Service Hours: 24 hours, 365 days in principle
- SLA: 99.9% or higher
- Track Record: 99.99% or higher (no server downtime exceeding several tens of minutes since service launch)
Incident Response
- Source code differential backups and DB backups available, enabling immediate rollback (recovery) at any time 24/7
- All server processes and system states are visualized via AWS CloudWatch or our proprietary alert system
- Alert notifications in case of any downtime
Planned Maintenance
- Updates scheduled around 21:00 every Friday, with possible connection interruptions of a few seconds
- Real-time notification via Email or text chat support (Intercom) if updates are required during business hours
Support System
Incident Notifications
- Contact Method: Notification via Email and in-app text chat service (Intercom)
Emergency Contact
- Support available via text chat service (Intercom) or Contact Form
- Response within 5 minutes during business hours (9:00-18:00)
User Management
Account Management
- One account per user
- Users can physically delete accounts upon resignation or transfer
Password Management
- Users can change passwords
- Two-factor authentication via Email token available
Web Application Security
VoicePing implements the following security measures.SQL Injection Prevention
- Backend uses ORM middleware for database operations
- All SQL statement construction uses placeholders
- Appropriate permissions assigned to database accounts (accounts with only necessary READ/WRITE permissions)
OS Command Injection Prevention
- Shell execution is basically not performed
- When shell-level logic is required, execution only through verified safe libraries
Path Parameter/Directory Traversal Prevention
- Data stored on external hosting or database
- No direct file access functionality on web server
- Random filenames used, making them unpredictable
Session Management
- Session IDs use unpredictable, sufficiently long random strings
- Session IDs stored in Cookies (not in URL parameters)
- Cookies for HTTPS communication use Secure attribute
- Pages requiring login are separated from publicly accessible pages
Cross-Site Scripting (XSS) Prevention
- Using compatible frontend libraries
- HTTPS enforced via AWS ELB
- Character encoding (charset) specified in Content-Type field of HTTP response headers
- HttpOnly attribute added to Cookies
CSRF Prevention
- Backend-side access control via POST method
- Referer verification
- Automatic email notification to registered email address for important operations
HTTP Header Injection Prevention
- Using header output API in backend middleware
Clickjacking Prevention
- X-Frame-Options header field output
- Execution not possible without valid session
- Important operations designed so they cannot be executed using mouse alone
Buffer Overflow Prevention
- Using Node.js, which does not allow direct memory access
- Regular library checks via GitHub, with PRs raised for vulnerable libraries and timely updates
Access Control and Authorization
- Two-factor Email token authentication available for manager privileges
- Authorization control implemented in addition to authentication, preventing logged-in users from impersonating others
System Architecture
Overview of VoicePing’s system architecture. All communications are protected via HTTPS or encrypted connections.
- Desktop App (Windows / Mac / Linux)
- Mobile App (iOS / Android)
- Web App (Browser Compatible)
- Cloudflare CDN (Content Delivery Network)
- Google Cloud Storage (Static Hosting)
- Load Balancer (AWS)
- Business Server (API Key Authentication)
- Translation & Transcription Server (On-Premise Available, API Key Authentication)
- Database (Google Cloud SQL / RDB)
- JSON Storage (S3) for audio, transcription, and image data
- External API / Third-party Services (API Key Authentication)