Customer data stays customer data.
VolIoT builds software, IoT systems, automation, websites, and infrastructure for customers who need real systems they can own and rely on. Security is part of that work from the beginning, not a cleanup task at the end.
This page is a high-level summary of our public security posture. It does not replace a customer agreement, statement of work, business associate agreement, or internal Information Security Policy.
Built for client-only visibility
Some VolIoT systems store customer data, messages, operational records, telemetry, or dashboard data. That data is kept for the customer's use. Our default rule is simple: the customer and the customer's authorized users can view it; VolIoT employees cannot access it unless there is a specific business, support, security, legal, or customer-authorized reason.
We design systems around least privilege, separation between customers where applicable, and minimal collection. If we do not need a piece of data to provide or secure the service, we should not collect it.
Security practices we use
Client-owned data
Data collected for a customer belongs to that customer. We keep it so the customer and their authorized users can use it, not so we can sell it, mine it, or move it into unrelated systems.
Restricted internal access
VolIoT personnel do not browse customer data as a normal course of business. Access is limited to customer-authorized work, support, security, legal compliance, incident response, or operational maintenance, and only for the time and purpose needed.
AWS-hosted infrastructure
Our standard stack uses AWS services such as CloudFront, S3, API Gateway, Lambda, DynamoDB, Cognito, SES, SNS, and Secrets Manager, with infrastructure managed through repeatable deployment code.
Encryption and access controls
We use TLS for data in transit, encryption at rest where supported by the underlying service, least-privilege access, MFA-capable admin systems, and managed secret storage for production credentials.
Logging and abuse controls
Production systems are designed to log operational failures and security-relevant events without intentionally logging secrets or unnecessary sensitive content. Public endpoints use rate limits or other abuse controls where risk warrants it.
Practical retention
We retain personal and operational data only as long as needed to provide the service, meet legal or accounting obligations, resolve disputes, secure systems, or satisfy the customer agreement.
HIPAA-aligned from the start
VolIoT is preparing its systems and operating practices for healthcare, medicine, and wellness clients. Where a project involves protected health information or electronic protected health information, we expect a written business associate agreement and a customer-specific scope before receiving, creating, maintaining, or transmitting that data.
Our baseline security program is being shaped around the HIPAA Security Rule's administrative, physical, and technical safeguard model: access control, auditability, incident response, workforce responsibilities, secure infrastructure, and practical recovery planning.
VolIoT does not claim that every service is HIPAA-compliant by default. HIPAA-regulated work depends on the customer, the data, the service scope, the signed agreements, and the deployed environment.
Security questions
Security questions, vendor-review requests, data handling questions, or suspected security issues can be sent to andy@voliotinc.com.
Related documents: Privacy Policy and Terms of Service.