Security, Privacy & Compliance
Enterprise-Grade Trust Infrastructure
Governance systems operate on trust. If a governance platform cannot guarantee the security of its participants' data, the integrity of its governance records, and compliance with applicable regulations, it cannot fulfill its fundamental purpose. Vora's security, privacy, and compliance architecture is designed to meet the requirements of the most demanding enterprise environments while maintaining the accessibility that makes customer governance universally available.
Security Architecture
Infrastructure Security
Vora's platform infrastructure is deployed on cloud-native services that meet SOC2 compliance standards. The infrastructure layer provides:
Encryption in transit. All data transmitted between clients and Vora's platform is encrypted using TLS (Transport Layer Security) with current best-practice cipher suites. API communications, webhook deliveries, and all user-facing interactions are protected by encryption.
Encryption at rest. All governance data stored in Vora's data layer is encrypted at rest using AES-256 encryption or equivalent. This includes vote records, proposal data, user profiles, XP balances, and all analytics data.
Network isolation. The platform's internal services communicate through isolated network environments with strict access controls. External access is limited to well-defined API endpoints protected by authentication and rate limiting.
Access control. Administrative access to production infrastructure is governed by role-based access control (RBAC) with the principle of least privilege. All administrative access is logged and auditable.
Application Security
Authentication. Vora supports standard authentication methods (email-based, single sign-on) with strong password policies, session management, and protection against common authentication attacks (brute force, credential stuffing).
Authorization. Governance actions are protected by a multi-layered authorization model that ensures participants can only access governance spaces, proposals, and actions they are entitled to. Voter eligibility is enforced at the governance layer, not just the presentation layer.
Input validation. All user input is validated and sanitized to protect against injection attacks, cross-site scripting, and other input-based vulnerabilities.
Rate limiting. API endpoints are protected by rate limiting calibrated to each pricing tier (1,000 API calls/day for Starter through unlimited for Enterprise), preventing abuse and ensuring fair resource allocation.
Vote immutability. Once a vote is cast, it cannot be modified or deleted through any application interface. This is enforced at the governance layer and independently guaranteed by the blockchain layer.
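The rate-limiting item above says quotas are calibrated per pricing tier. The following is an added example, not Vora's code, of how a per-key daily quota keyed on tier can be enforced in an API gateway. Only the two figures the page states are used (Starter at 1,000 calls/day, Enterprise unlimited); the tier-lookup table, the fixed UTC-day window and the epoch-seconds clock are assumptions of this example.

```python
# Added example, not Vora's code: per-API-key daily quota selected by pricing tier.
import math
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Quotas per tier. The page gives only Starter (1,000/day) and Enterprise (unlimited);
# None means no cap. Other tiers would be added here (assumed, not on the page).
TIER_DAILY_QUOTA: Dict[str, Optional[int]] = {"Starter": 1000, "Enterprise": None}

DAY_SECONDS = 86400


@dataclass
class Decision:
    allowed: bool
    remaining: Optional[int]   # None for unlimited tiers
    retry_after_s: int         # seconds until the daily window resets; 0 when allowed


class TieredRateLimiter:
    """Fixed UTC-day window per API key; the clock is injectable so it can be tested."""

    def __init__(self, tier_of_key: Dict[str, str], clock: Callable[[], float] = time.time):
        self._tier_of_key = tier_of_key   # api_key -> tier name (assumed lookup table)
        self._clock = clock               # returns epoch seconds
        self._usage: Dict[tuple, int] = {}  # (api_key, day_number) -> calls made

    def check(self, api_key: str) -> Decision:
        tier = self._tier_of_key.get(api_key)
        if tier not in TIER_DAILY_QUOTA:
            return Decision(False, 0, 0)   # unknown key: deny without leaking tier info
        quota = TIER_DAILY_QUOTA[tier]
        if quota is None:
            return Decision(True, None, 0)  # unlimited tier, nothing to count
        now = self._clock()
        day = int(now // DAY_SECONDS)
        used = self._usage.get((api_key, day), 0)
        if used >= quota:
            reset_at = (day + 1) * DAY_SECONDS
            return Decision(False, 0, math.ceil(reset_at - now))
        self._usage[(api_key, day)] = used + 1
        return Decision(True, quota - used - 1, 0)
```

A fixed daily window is simple to reason about and to document in an SLA, but it permits a burst of up to two quotas straddling midnight; a sliding window or token bucket smooths that at the cost of more state per key.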
Blockchain Security
The security properties of Vora's blockchain layer are detailed in the Blockchain Transparency Layer section. Key security properties include:
Open-source, verified smart contracts auditable by anyone
Cryptographic integrity of vote batches through Merkle tree construction
Inheritance of Base Mainnet and Ethereum Mainnet network security
Independent verifiability of all governance records through public block explorers
Enterprise Security Features
Enterprise tier deployments receive additional security capabilities:
Dedicated infrastructure. Isolated compute, storage, and network resources not shared with other Vora tenants.
Dedicated RPC infrastructure. Private blockchain access through AWS Managed Blockchain, eliminating dependency on shared RPC providers.
Custom data residency. Configurable data storage locations to meet jurisdictional requirements.
Custom SLA. Contractual availability and performance guarantees with defined remediation procedures.
White-label deployment. Complete branding control ensures that the governance experience is fully under the organization's brand identity, with no Vora-branded elements visible to end users.
Privacy Architecture
GDPR Compliance
Vora is designed for full compliance with the European Union's General Data Protection Regulation (GDPR). The platform implements:
Consent management. Vora collects and processes personal data only with explicit, informed consent. Consent records are maintained and can be verified. Participants are informed of what data is collected, how it is used, and their rights regarding that data.
Data minimization. Vora collects only the personal data necessary for governance participation. The platform does not engage in secondary data collection, behavioral tracking beyond governance activity, or data monetization.
Right of access. Participants can request and receive a complete export of their personal data held by Vora, in a structured, machine-readable format, as required by GDPR Article 15.
Right to data portability. Governance data can be exported in standard formats, enabling participants and organizations to maintain copies of their governance records independent of Vora's platform.
Right to erasure. Participants can request deletion of their personal data. Vora processes erasure requests in compliance with GDPR Article 17, with the following important caveat:
Blockchain records and the right to erasure. Governance records anchored to the blockchain are immutable by design --- this is a fundamental property of the trust guarantee. Personal data is never stored on-chain. On-chain records contain only cryptographic hashes, Merkle roots, aggregate results, and metadata that cannot be used to identify individual participants. The separation of personal data (stored off-chain, deletable) from governance records (stored on-chain, immutable but non-identifying) is a deliberate architectural decision that reconciles GDPR compliance with blockchain immutability.
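The paragraph above (and the Merkle-tree and vote-immutability points earlier on the page) describe an architecture in which only hashes, Merkle roots and aggregate results are anchored while personal data stays off-chain. The following is an added example, not Vora's code, that makes the mechanics concrete: votes are salted leaves of a Merkle tree, the root and tally are written to an anchor log standing in for the contract, a participant can verify inclusion with a receipt, erasure removes profile data and the vote-to-voter link without touching the anchor, and any off-chain edit to a vote breaks verification. SHA-256, the receipt and salt scheme, the in-memory anchor list and all field names are assumptions of this example; the page does not state which hash or leaf format Vora's contracts use.

```python
# Added example, not Vora's code. ASSUMPTIONS: SHA-256 for all hashing, an in-memory list
# standing in for the on-chain anchor log, and the salted-receipt leaf scheme shown here.
import hashlib
import json
import secrets


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(vote: dict, salt: bytes) -> bytes:
    # Domain-separated leaf over canonical JSON of the non-identifying vote fields.
    # The salt stops anyone recovering a vote by hashing the handful of possible values.
    canon = json.dumps(vote, sort_keys=True, separators=(",", ":")).encode()
    return _h(b"\x00" + salt + canon)


def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)


def _pad(level: list) -> list:
    return level + [level[-1]] if len(level) % 2 else level  # duplicate last on odd levels


def _next_level(level: list) -> list:
    level = _pad(level)
    return [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(leaves: list) -> bytes:
    if not leaves:
        raise ValueError("empty batch")
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def merkle_proof(leaves: list, index: int) -> list:
    """Sibling path from leaf to root as (sibling_hash, sibling_is_on_right) pairs."""
    proof, level = [], list(leaves)
    while len(level) > 1:
        level = _pad(level)
        sibling = index ^ 1
        proof.append((level[sibling], sibling > index))
        level, index = _next_level(level), index // 2
    return proof


def verify_proof(leaf: bytes, proof: list, root: bytes) -> bool:
    node = leaf
    for sibling, on_right in proof:
        node = node_hash(node, sibling) if on_right else node_hash(sibling, node)
    return node == root


class GovernanceStore:
    """Off-chain state plus a constructed stand-in for the append-only on-chain log."""

    def __init__(self):
        self.profiles = {}   # voter_id -> personal data (erasable)
        self.voter_of = {}   # vote index -> voter_id (erasable link)
        self.votes = []      # (non-identifying vote fields, salt)
        self.anchors = []    # what would go on-chain: root, leaf count, tally only

    def register(self, voter_id: str, email: str) -> None:
        self.profiles[voter_id] = {"email": email}

    def cast_vote(self, voter_id: str, proposal: str, choice: str) -> dict:
        if voter_id not in self.profiles:
            raise PermissionError("voter not eligible")
        salt = secrets.token_bytes(16)
        self.votes.append(({"proposal": proposal, "choice": choice}, salt))
        idx = len(self.votes) - 1
        self.voter_of[idx] = voter_id
        return {"index": idx, "salt": salt.hex()}  # receipt held only by the participant

    def anchor_batch(self) -> dict:
        leaves = [leaf_hash(v, s) for v, s in self.votes]
        tally = {}
        for v, _ in self.votes:
            tally[v["choice"]] = tally.get(v["choice"], 0) + 1
        # The leaf count is committed with the root, closing the ambiguity that
        # duplicate-last-leaf padding would otherwise leave.
        anchor = {"root": merkle_root(leaves).hex(), "count": len(leaves), "tally": tally}
        self.anchors.append(anchor)
        return anchor

    def _anchored_leaves(self) -> list:
        count = self.anchors[-1]["count"]
        return [leaf_hash(v, s) for v, s in self.votes[:count]]

    def verify_receipt(self, receipt: dict, expected_vote: dict) -> bool:
        """Participant-side check: stored record is what they cast and is in the root."""
        idx = receipt["index"]
        if not self.anchors or idx >= min(self.anchors[-1]["count"], len(self.votes)):
            return False
        vote, salt = self.votes[idx]
        if vote != expected_vote or salt.hex() != receipt["salt"]:
            return False
        leaves = self._anchored_leaves()
        root = bytes.fromhex(self.anchors[-1]["root"])
        return verify_proof(leaves[idx], merkle_proof(leaves, idx), root)

    def audit_batch(self) -> bool:
        """Auditor-side check: the off-chain store still reproduces the anchored root."""
        if not self.anchors or len(self.votes) < self.anchors[-1]["count"]:
            return False
        return merkle_root(self._anchored_leaves()).hex() == self.anchors[-1]["root"]

    def erase(self, voter_id: str) -> None:
        """Right to erasure: drop personal data and the vote-to-voter link; anchors stay."""
        self.profiles.pop(voter_id, None)
        for idx in [i for i, v in self.voter_of.items() if v == voter_id]:
            del self.voter_of[idx]
```

After `erase`, the anchored root, count and tally are unchanged and still verify, yet nothing in the store or the anchor links a leaf to a person; the participant's own receipt is the only remaining link, and they hold it. Changing a stored vote's choice off-chain produces a different leaf, so both the participant's receipt check and the auditor's root recomputation fail, which is the off-chain half of the immutability guarantee the page describes.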
Data Protection Impact Assessment (DPIA). Vora has conducted a Data Protection Impact Assessment for its governance processing activities, identifying and mitigating privacy risks associated with governance data collection, blockchain anchoring, and analytics computation.
Data Processing Agreements (DPA). Organizations using Vora's platform operate as data controllers, with Vora as a data processor. Vora provides standard Data Processing Agreements that define the scope, purpose, and safeguards for data processing.
Privacy-by-Design Principles
Vora's privacy architecture follows the privacy-by-design framework (Cavoukian, 2009):
Proactive, not reactive. Privacy protections are built into the architecture, not retrofitted.
Privacy as the default. The platform's default configuration provides maximum privacy protection. Additional data sharing requires explicit configuration by the governance designer.
Privacy embedded into design. Privacy is not a feature; it is a property of the system architecture.
Full functionality --- positive-sum. Privacy and governance functionality coexist without tradeoff. Participants do not sacrifice privacy for governance participation.
End-to-end security. Data is protected through its entire lifecycle, from collection through processing, storage, and eventual deletion.
Visibility and transparency. Privacy policies, data practices, and processing activities are documented and accessible.
Respect for user privacy. The participant's interests are central to every privacy decision.
Compliance Framework
SOC2 Infrastructure
Vora's platform infrastructure meets SOC2 compliance standards, addressing:
Security. Protection of system resources against unauthorized access
Availability. System accessibility as stipulated by service-level agreements
Processing integrity. System processing that is complete, valid, accurate, timely, and authorized
Confidentiality. Information designated as confidential is protected as committed
Privacy. Personal information is collected, used, retained, disclosed, and disposed of in conformity with commitments
Open-Source Smart Contracts
Vora's on-chain governance contracts are open-source and verified on block explorers. This means:
Anyone can read the complete source code of the smart contracts
The deployed bytecode is verified to match the published source code
Security researchers, auditors, and community members can independently assess the contracts' behavior
Any vulnerability or unexpected behavior can be publicly identified and reported
Open-source smart contracts are a transparency commitment that goes beyond what is typical in the customer engagement industry. By making the most trust-critical component of the platform publicly auditable, Vora eliminates the need for participants to trust Vora's claims about on-chain behavior --- they can verify it directly.
Regulatory Awareness
Vora's compliance framework is designed to accommodate evolving regulatory requirements across multiple jurisdictions:
EU General Data Protection Regulation (GDPR): Full compliance as detailed above.
EU Digital Services Act (DSA): Vora's platform design aligns with DSA transparency requirements for digital services operating in the EU.
EU Corporate Sustainability Reporting Directive (CSRD): Vora's governance records provide auditable evidence of stakeholder engagement processes that can support CSRD reporting requirements.
California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA): Vora's privacy architecture supports the rights and obligations defined by California's privacy regulations for organizations serving California residents.
UK Data Protection Act 2018: Vora's GDPR compliance framework is consistent with UK data protection requirements post-Brexit.
Audit and Reporting
Vora provides governance data export capabilities that enable organizations to generate audit reports for:
Internal governance reviews
External compliance audits
Regulatory reporting
Stakeholder communications
Data export includes full governance activity records, analytics outputs, and references to on-chain records that can be independently verified.
Incident Response
Vora maintains an incident response framework that includes:
Monitoring. Continuous monitoring of platform security, availability, and integrity metrics with automated alerting for anomalous conditions.
Classification. Defined incident severity levels with corresponding response procedures and escalation paths.
Response. Documented response procedures for security incidents, data breaches, and service disruptions.
Communication. Commitment to transparent communication with affected organizations in the event of a security incident, in compliance with GDPR breach notification requirements (72-hour notification window).
Post-incident review. Systematic review of incidents to identify root causes and implement preventive measures.
Shared Responsibility Model
Vora's security architecture operates under a shared responsibility model:
Vora is responsible for:
Platform infrastructure security
Application security
Blockchain layer integrity
Smart contract security
Data encryption (in transit and at rest)
GDPR compliance at the platform level
Incident monitoring and response
Ongoing security maintenance and patching
The organization (Vora customer) is responsible for:
Governance space configuration appropriate to their use case
Voter eligibility management (whitelists, role assignments)
Content moderation within Idea Challenges
Communication of governance processes and outcomes to their communities
Compliance with regulations specific to their industry and jurisdiction
Management of administrative access credentials
This shared responsibility model ensures that security is a collaborative effort, with Vora providing the secure infrastructure and the organization providing the contextual governance design appropriate to their community.