VoxWel Security Architecture: A Technical Whitepaper for CISOs and Security Teams
A comprehensive technical whitepaper for CISOs and security teams evaluating VoxWel's architecture — covering encryption standards, data residency, threat models, compliance certifications, and integration with existing security infrastructure.
VoxWel Security Team
Chief Information Security Officer

Document Version: 2.1
Last Updated: April 2026
Classification: Public
Intended Audience: CISOs, Security Architects, Compliance Officers, IT Risk Managers
Executive Summary
VoxWel is an anonymous employee reporting platform built on a zero-knowledge security architecture. This whitepaper provides a detailed technical analysis of the platform's encryption standards, data handling practices, threat model, and compliance posture for security teams evaluating the platform.
Key Security Properties:
- Client-side AES-256 encryption -- report content is encrypted before leaving the reporter's device
- Zero-knowledge architecture -- VoxWel operators cannot access report plaintext or reporter identity
- EU data residency -- all data stored exclusively on European infrastructure
- No IP logging or metadata collection -- complete source anonymization
- SOC 2 Type II certified -- independently audited controls
1. Architecture Overview
1.1 System Design Principles
VoxWel's security architecture is built on three core principles:
1. Zero-Knowledge by Design: The platform operator (VoxWel) holds encrypted data but never holds the keys to decrypt it. Report content is encrypted on the reporter's device using keys derived from the organization's credentials. VoxWel cannot read reports, identify reporters, or comply with subpoenas for reporter identity -- because this data does not exist in our systems.
2. Minimal Data Collection: VoxWel collects only the data necessary to deliver the service. No IP addresses, no device fingerprints, no browser telemetry, no third-party analytics cookies, no advertising trackers.
3. Defense in Depth: Multiple independent security controls protect every layer: transport encryption, application-level encryption, database encryption, access controls, audit logging, and infrastructure hardening.
1.2 High-Level Data Flow
Reporter Device
  -> Client-Side Encryption (AES-256-GCM)
  -> TLS Tunnel (TLS 1.3)
  -> VoxWel API (No plaintext)
  -> Encrypted Database (AES-256 at rest)
Critical security property: The decryption key never leaves the organization's admin environment. VoxWel infrastructure handles only ciphertext.
2. Encryption Standards
2.1 Client-Side Encryption
- Algorithm: AES-256-GCM (Galois/Counter Mode)
- Key Derivation: PBKDF2-HMAC-SHA256 with 100,000 iterations
- Key Length: 256 bits
- Nonce: 96-bit IV, randomly generated per report
- Authentication: Built-in GMAC authentication tag
Implementation Details:
- Encryption occurs in the reporter's browser using the Web Crypto API
- The encryption key is derived from a combination of the organization's unique identifier and a per-report random salt
- Neither the key nor the plaintext is ever transmitted to VoxWel servers
- The encrypted payload includes an authentication tag that prevents tampering
2.2 Transport Security
- Protocol: TLS 1.3 (mandatory -- TLS 1.2 and below are rejected)
- Certificate: ECDSA P-256 with SHA-256
- Perfect Forward Secrecy: Yes -- ephemeral key exchange using X25519
- HSTS: Enabled with 1-year max-age
- Cipher Suites: TLS_AES_256_GCM_SHA384 only
2.3 Data at Rest
- Algorithm: AES-256-XTS for database-level encryption
- Key Management: Hardware Security Module (HSM) backed
- Key Rotation: Automatic 90-day rotation cycle
- Separation: Each organization's data is encrypted with unique keys
3. Zero-Knowledge Architecture Deep Dive
3.1 What "Zero-Knowledge" Means in Practice
In a zero-knowledge architecture, the service provider (VoxWel) operates the infrastructure but mathematically cannot access the content being transmitted through it. This is distinct from "end-to-end encryption" (where the provider could technically access data if they modified their software) and from "confidentiality" (where the provider has access but promises not to use it).
3.2 Technical Implementation
Report Submission Flow:
- Reporter opens the VoxWel reporting form (web link or QR code)
- The browser loads the encryption library from VoxWel's CDN
- Reporter completes the form and clicks "Submit"
- The browser generates a random 256-bit encryption key
- The form content is encrypted using AES-256-GCM
- The encrypted payload is transmitted to VoxWel's API
- VoxWel stores the ciphertext and returns a case token to the reporter
- The encryption key is discarded from browser memory
Report Retrieval Flow:
- Admin logs into VoxWel dashboard
- Dashboard loads a decryption module in the admin's browser
- Decryption keys are derived from the organization's credentials
- Encrypted reports are fetched from VoxWel's database
- Decryption occurs in the admin's browser, not on VoxWel's servers
- Plaintext is displayed only in the authenticated admin session
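The following is an added example, not VoxWel's code: it runs the submission and retrieval flows above end to end with the section 2.1 parameters (PBKDF2-HMAC-SHA256 at 100,000 iterations, AES-256-GCM, 96-bit IV) through the Web Crypto API. The `orgSecret` input, the 16-byte salt length, the envelope layout and all function names are assumptions for illustration; the key is derived as section 2.1 describes.

```javascript
// Added example: AES-256-GCM with a PBKDF2-derived key, via the Web Crypto API.
// Assumptions: `orgSecret` stands in for the organization-held key material; the
// salt(16) || iv(12) || ciphertext+tag envelope layout is hypothetical.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder();

async function deriveKey(orgSecret, salt) {
  const base = await wc.subtle.importKey('raw', enc.encode(orgSecret), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: 100000 },
    base, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Reporter side: returns the only bytes the server would receive.
async function encryptReport(orgSecret, plaintext) {
  const salt = wc.getRandomValues(new Uint8Array(16)); // per-report random salt
  const iv = wc.getRandomValues(new Uint8Array(12));   // 96-bit IV, fresh per report
  const key = await deriveKey(orgSecret, salt);
  const ct = new Uint8Array(await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key, enc.encode(plaintext)));
  const envelope = new Uint8Array(28 + ct.length);     // ct already ends with the 16-byte tag
  envelope.set(salt, 0); envelope.set(iv, 16); envelope.set(ct, 28);
  return envelope;
}

// Admin side: re-derives the key from the salt in the envelope and decrypts.
// Rejects if the secret is wrong or any byte of the envelope was modified.
async function decryptReport(orgSecret, envelope) {
  if (envelope.length < 28 + 16) throw new Error('envelope too short');
  const salt = envelope.slice(0, 16), iv = envelope.slice(16, 28), ct = envelope.slice(28);
  const key = await deriveKey(orgSecret, salt);
  const pt = await wc.subtle.decrypt({ name: 'AES-GCM', iv }, key, ct);
  return new TextDecoder().decode(pt);
}

// Round trip plus tamper and wrong-key checks on constructed sample data.
async function demo() {
  const secret = 'constructed-org-secret';
  const envelope = await encryptReport(secret, 'Constructed sample report text');
  const roundTrip = await decryptReport(secret, envelope);
  const tampered = envelope.slice();
  tampered[tampered.length - 1] ^= 0x01;               // flip one bit in the GCM tag
  const tamperRejected = await decryptReport(secret, tampered).then(() => false, () => true);
  const wrongKeyRejected = await decryptReport('other-secret', envelope).then(() => false, () => true);
  return { envelopeLength: envelope.length, roundTrip, tamperRejected, wrongKeyRejected };
}
```

A party that stores or relays only the envelope holds the salt, IV and ciphertext but not the secret, and a single flipped bit makes `decryptReport` reject the whole report.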
3.3 What VoxWel Cannot Do
Because of this architecture, VoxWel is technically incapable of:
- Reading the content of any report
- Identifying the reporter of any anonymous report
- Complying with subpoenas for reporter identity (the data does not exist)
- Performing keyword analysis or content scanning on reports
- Training AI models on report content
- Sharing report data with any third party
4. Data Residency and GDPR Compliance
4.1 Infrastructure Location
- Primary Region: Frankfurt, Germany (AWS eu-central-1)
- Backup Region: Paris, France (AWS eu-west-3)
- CDN Edge Locations: Amsterdam, Dublin, Stockholm, Milan
No data is stored, processed, or backed up outside the European Economic Area.
4.2 GDPR Compliance Mapping
| GDPR Article | VoxWel Implementation |
|---|---|
| Art. 5 -- Principles | Data minimization by design; purpose limitation enforced |
| Art. 6 -- Lawful basis | Legitimate interest (compliance) + Legal obligation (EU Directive) |
| Art. 25 -- Data protection by design and by default | Encryption by default; anonymity by default |
| Art. 28 -- Processor | DPA available; sub-processors listed; SOC 2 certified |
| Art. 30 -- Records of processing | RoPA maintained and available on request |
| Art. 32 -- Security | AES-256, TLS 1.3, HSM key management, access controls |
| Art. 33 -- Breach notification | 24-hour internal SLA; 72-hour supervisory authority notification |
| Art. 35 -- DPIA | Template DPIA provided; platform designed for low residual risk |
4.3 Data Retention
- Default retention: 3 years from case closure (configurable by organization)
- Automated deletion: Cases marked for deletion are purged within 30 days
- Backup purge: Deleted cases are removed from backups within 90 days
- Audit logs: Retained for 7 years (administrative actions only, no report content)
5. Threat Model and Mitigations
5.1 Threat Actor: External Attacker (Platform Breach)
Scenario: An attacker gains unauthorized access to VoxWel's database.
Impact: The attacker obtains encrypted ciphertext with no decryption keys.
Mitigation: AES-256 encryption means the data is computationally infeasible to decrypt without the organization's keys, which are never stored on VoxWel's servers.
5.2 Threat Actor: Malicious Insider (VoxWel Employee)
Scenario: A VoxWel employee attempts to access customer report data.
Impact: The employee can see encrypted data structures but cannot decrypt report content or identify reporters.
Mitigation: Zero-knowledge architecture means no VoxWel employee has access to decryption keys or plaintext. Access controls and audit logging provide additional layers of defense.
5.3 Threat Actor: Employer IT Administrator
Scenario: An organization's IT admin attempts to trace who submitted an anonymous report.
Impact: No identifying metadata exists. IP addresses are not logged. Device fingerprints are not collected.
Mitigation: Complete source anonymization -- there is no technical mechanism to associate a report with a specific device, network, or individual.
5.4 Threat Actor: Legal Subpoena
Scenario: A court orders VoxWel to disclose the identity of an anonymous reporter.
Impact: VoxWel can provide the encrypted report and the case metadata (timestamps, status). VoxWel cannot provide reporter identity because this data was never collected.
Mitigation: Zero-knowledge architecture provides genuine legal protection -- there is nothing to disclose.
6. Compliance Certifications and Audits
| Certification | Status | Scope |
|---|---|---|
| SOC 2 Type II | ✅ Certified | Security, Availability, Confidentiality |
| ISO 27001 | ✅ Certified | Information Security Management |
| ISO 27017 | ✅ Certified | Cloud Security |
| ISO 27018 | ✅ Certified | Personal Data Protection |
| EU Cloud Code of Conduct | ✅ Adherent | GDPR compliance for cloud services |
| CSA STAR Level 2 | ✅ Certified | Cloud Security Alliance |
7. Integration with Enterprise Security Infrastructure
7.1 Single Sign-On (SSO)
VoxWel supports SAML 2.0 and OpenID Connect for admin authentication. Reporter-facing submission does not require authentication (by design, for anonymity).
Supported identity providers: Azure AD, Okta, OneLogin, Google Workspace, custom SAML
7.2 Security Information and Event Management (SIEM)
Admin audit logs can be exported in real-time via webhook to:
- Splunk
- Datadog
- Microsoft Sentinel
- Custom SIEM via REST API
Note: SIEM integration covers administrative actions only (logins, case status changes, assignments). Report content is never transmitted to SIEM systems.
7.3 Data Loss Prevention (DLP)
Because VoxWel does not collect or store plaintext report content, traditional DLP integration is not applicable to the reporter-facing channel. Admin dashboard access can be monitored through standard DLP tools.
8. Security Assessment Questions
For security teams conducting vendor assessments, here are the answers to the most common questions:
Q: Can VoxWel read our employees' reports?
A: No. Client-side encryption means report content is encrypted before reaching our servers. We hold ciphertext only.

Q: Can VoxWel identify anonymous reporters?
A: No. We do not log IP addresses, device fingerprints, or any metadata that could identify a reporter.

Q: What happens if VoxWel receives a subpoena?
A: We can provide the encrypted data we hold. We cannot provide reporter identity or report plaintext because we do not possess these.

Q: Where is our data stored?
A: Exclusively in the EU -- Frankfurt (primary) and Paris (backup). No data leaves the EEA.

Q: How are encryption keys managed?
A: Organization-specific keys are derived from your admin credentials. VoxWel never stores these keys. Key derivation occurs in your browser using PBKDF2.

Q: Has VoxWel undergone independent security audits?
A: Yes. SOC 2 Type II, ISO 27001, ISO 27017, and ISO 27018 certified. Penetration testing conducted annually by independent firms.
For a custom security assessment or to schedule a briefing with our security team, contact security@voxwel.com.