Skip to content
[ VolIoT Inc ]
[ TRUST & SECURITY ]

Customer data stays customer data.

VolIoT builds software, IoT systems, automation, websites, and infrastructure for customers who need real systems they can own and rely on. Security is part of that work from the beginning, not a cleanup task at the end.

This page is a high-level summary of our public security posture. It does not replace a customer agreement, statement of work, business associate agreement, or internal Information Security Policy.

[ DATA ACCESS ]

Built for client-only visibility

Some VolIoT systems store customer data, messages, operational records, telemetry, or dashboard data. That data is kept for the customer's use. Our default rule is simple: the customer and the customer's authorized users can view it; VolIoT employees cannot access it unless there is a specific business, support, security, legal, or customer-authorized reason.

We design systems around least privilege, separation between customers where applicable, and minimal collection. If we do not need a piece of data to provide or secure the service, we should not collect it.

[ CONTROLS ]

Security practices we use

Client-owned data

Data collected for a customer belongs to that customer. We keep it so the customer and their authorized users can use it, not so we can sell it, mine it, or move it into unrelated systems.

Restricted internal access

VolIoT personnel do not browse customer data as a normal course of business. Access is limited to customer-authorized work, support, security, legal compliance, incident response, or operational maintenance, and only for the time and purpose needed.

AWS-hosted infrastructure

Our standard stack uses AWS services such as CloudFront, S3, API Gateway, Lambda, DynamoDB, Cognito, SES, SNS, and Secrets Manager, with infrastructure managed through repeatable deployment code.

Encryption and access controls

We use TLS for data in transit, encryption at rest where supported by the underlying service, least-privilege access, MFA-capable admin systems, and managed secret storage for production credentials.

Logging and abuse controls

Production systems are designed to log operational failures and security-relevant events without intentionally logging secrets or unnecessary sensitive content. Public endpoints use rate limits or other abuse controls where risk warrants it.

Practical retention

We retain personal and operational data only as long as needed to provide the service, meet legal or accounting obligations, resolve disputes, secure systems, or satisfy the customer agreement.

[ HEALTH DATA ]

HIPAA-aligned from the start

VolIoT is preparing its systems and operating practices for healthcare, medicine, and wellness clients. Where a project involves protected health information or electronic protected health information, we expect a written business associate agreement and a customer-specific scope before receiving, creating, maintaining, or transmitting that data.

Our baseline security program is being shaped around the HIPAA Security Rule's administrative, physical, and technical safeguard model: access control, auditability, incident response, workforce responsibilities, secure infrastructure, and practical recovery planning.

VolIoT does not claim that every service is HIPAA-compliant by default. HIPAA-regulated work depends on the customer, the data, the service scope, the signed agreements, and the deployed environment.

[ CONTACT ]

Security questions

Security questions, vendor-review requests, data handling questions, or suspected security issues can be sent to andy@voliotinc.com.

Related documents: Privacy Policy and Terms of Service.