security & compliance

Dedicated, isolated infrastructure per customer. No shared tables or storage
Customer data processed transiently. No storage, logging, or model training
Zero Transcript Retention
Extract → Structure → Delete. No full transcripts stored
SOC 2 Type II Certified
Independently audited. All vendors SOC 2 compliant.
Incident Response
Automated detection, documented escalation, customer notification
TLS 1.2+ in transit. AES-256 at rest via AWS KMS.
Business Continuity
RTO 4 hrs, RPO 1 hr. Continuous backups. Annual DR testing
Enterprise Authentication
SSO via SAML 2.0 / OpenID Connect. MFA enforced. RBAC
FAQ
How is customer data isolated?
Zero-sharing architecture with dedicated database instances (Neon PostgreSQL) and S3 buckets per customer. No shared tables, no shared storage. Each client has dedicated credentials. Complete removal via instance de-provisioning.
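The isolation described above rests on two controls: a dedicated bucket and database per customer, and credentials that can reach only that customer's resources. The following is an added example, not Virgil's code, showing how a per-tenant IAM policy is scoped and how to check that it cannot touch another tenant's bucket. The bucket naming scheme (`acme-tenant-<id>`), the policy shape, and the `is_allowed` evaluator are assumptions for illustration; the evaluator models only the subset of IAM semantics the policy uses (default deny, explicit Deny wins, `*` wildcards).

```python
"""Per-tenant least-privilege storage scoping (added example, not Virgil's code).

Assumptions, not from the page: each customer gets a bucket named
acme-tenant-<id>, and that customer's credentials carry exactly one policy
built by tenant_policy(). The evaluator is a simplified IAM model.
"""
from fnmatch import fnmatchcase
import json


def tenant_bucket(tenant_id: str) -> str:
    # Assumed naming convention: one dedicated bucket per customer.
    return f"acme-tenant-{tenant_id}"


def tenant_policy(tenant_id: str) -> dict:
    """Build an IAM policy that grants access only inside the tenant's own bucket."""
    bucket = tenant_bucket(tenant_id)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "TenantObjects",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/*"],
            },
            {
                "Sid": "TenantList",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation: default deny, explicit Deny wins, any matching Allow grants.

    Only Action/Resource string lists with '*' wildcards are modelled; this is a
    check for the policies generated above, not a full IAM implementation.
    """
    decision = False
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def cross_tenant_leaks(policy: dict, other_tenant_id: str) -> list:
    """Return the probe actions the policy would permit against another tenant's bucket.

    An empty list is the expected result for a correctly scoped tenant policy."""
    other = f"arn:aws:s3:::{tenant_bucket(other_tenant_id)}"
    probes = [
        ("s3:ListBucket", other),
        ("s3:GetObject", other + "/meetings/2024-01.json"),  # constructed object key
        ("s3:PutObject", other + "/meetings/2024-01.json"),
    ]
    return [action for action, arn in probes if is_allowed(policy, action, arn)]


if __name__ == "__main__":
    policy_a = tenant_policy("a")
    print(json.dumps(policy_a, indent=2))
    print("leaks into tenant b:", cross_tenant_leaks(policy_a, "b"))
```

Running `cross_tenant_leaks` against every other tenant is the kind of check to add to a provisioning pipeline: a policy that accidentally widens to `arn:aws:s3:::*` is caught before the credentials are handed out, rather than discovered during an audit.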
Is customer data used to train AI models?
No. Enterprise APIs from OpenAI, Anthropic, and Google with zero data retention. Customer data is processed transiently — never stored, logged, or used for model training. Contractually guaranteed.
What compliance certifications does Virgil hold?
SOC 2 Type II certified, independently audited. All downstream vendors (AWS, Azure, Google Cloud, OpenAI, Anthropic, Neon, Vercel, Clerk) maintain SOC 2 Type II compliance.
How does Meeting Intelligence work without storing transcripts?
Extract → Structure → Delete. Structured data (action items, metrics, decisions) extracted, source audio/transcript immediately discarded. No recordings stored on any server, ever.
How is data encrypted?
Transit: HTTPS with TLS 1.2+. At rest: AES-256 via AWS KMS for database and file storage. All API keys are stored in Vercel Environment Variables and AWS Secrets Manager.
What authentication methods are supported?
SSO via SAML 2.0 and OpenID Connect with Microsoft Entra ID and Okta. MFA enforced via customer SSO. Role-based access control with minimum-permission provisioning.
What are your disaster recovery capabilities?
RTO: 4 hours. RPO: 1 hour. MTOD: 24 hours. Continuous database backups with 30-day retention. Cross-region replication available. Annual DR testing.
How do you handle security incidents?
Formal incident response with automated detection, documented escalation, containment protocols, and customer notification without undue delay. Continuous monitoring via Sentry.
Do you perform penetration testing?
Comprehensive pen testing at least annually on all surfaces. Automated tools: GitHub Dependabot, Snyk, Cursor Bugbot. Formal SDLC with peer code reviews and environment segregation.
Can we get a copy of your SOC 2 report?
Yes. Provided under NDA to prospective and current customers. Contact [security@virgil.ai](mailto:security@virgil.ai) or your account representative.
Where is our data hosted?
AWS and Azure data centers with Vercel edge delivery and Cloudflare DDoS protection. Data location configurable: US by default, EU available. VPC isolation for all environments.
How do you handle financial services regulatory requirements?
Architecture designed for SEC, FINRA, and GLBA compliance. Zero transcript retention addresses archival/discoverability. Dedicated isolation addresses information barriers. Full audit logging for examinations. We work with each customer’s compliance team during onboarding.