Built light. Built to protect your people's data.
Vogata holds candid, sensitive things: objectives, evaluations and private 1:1 notes about real people. We treat that data with the care it deserves. This page explains, in plain language, how we protect it and what we do and don't do. No buzzwords, no hand-waving.
Current as of June 2026 · Questions? [email protected]
Vogata is an early-stage startup, and we'd rather be straight with you than impressive. We are not SOC 2 certified today. We build to be SOC 2-aligned, and our infrastructure runs on AWS and Cloudflare, two providers with mature security programs and their own independent audits. As we grow, formal certification is on the roadmap. Until then, we won't claim a badge we haven't earned.
Encryption
In transit
Every connection to Vogata, in the browser, the app and our APIs, is encrypted with TLS (HTTPS). We enforce HTTPS and use HSTS so browsers refuse to fall back to an unencrypted connection. There is no plain-HTTP path into your data.
At rest
Your data is stored in AWS and encrypted at rest by default. Application records live in Amazon DynamoDB with encryption enabled; any related storage uses AWS-managed encryption keys. Backups inherit the same encryption.
Multi-tenant isolation
Vogata is multi-tenant: many organizations share the same infrastructure, but never each other's data. Every record is bound to a single organization, and every request is scoped to the caller's organization and role before any data is read or written. One company can never see, query or report on another company's objectives, evaluations or notes. Isolation is enforced in the application layer on every operation, not just at login.
Authentication and access
- Managed identity. Sign-in is handled by Amazon Cognito, a managed identity service. We don't roll our own auth, and we don't store raw passwords. Passwords are salted and hashed by Cognito following modern standards.
- Bot protection at signup. Account creation is protected by Cloudflare Turnstile, a privacy-respecting CAPTCHA, to keep automated abuse and fake accounts out.
- Role-based access inside your org. What each person can see and do (their own plan, their team, the whole organization) is governed by their role. People see the view that fits them and nothing beyond it.
- Session security. Sessions use short-lived, signed tokens over HTTPS and can be ended by signing out.
Private 1:1 notes stay private
This one matters, so we're explicit about it. Private notes you take during a 1:1 belong to you, their author. They live in your own space, never surface in anyone else's view, and never appear in team or organization-level reports or aggregates. A manager's private notes aren't visible to their report, and a report's private notes aren't visible to their manager. Only what's explicitly shared (agreed objectives, recorded commitments and progress) is visible to others. Privacy here is a design decision, not a setting you have to remember to turn on.
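The rules stated under "Multi-tenant isolation" and in this section (organization scoping on every operation, author-only private notes, no private notes in aggregates) are shown here as a data-access layer. This is an added example, not Vogata's code; the class names, role names and the in-memory store standing in for the database are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Caller:
    """Built from verified session-token claims, never from request input."""
    org_id: str
    user_id: str
    role: str            # hypothetical role names: "member", "manager", "admin"

@dataclass(frozen=True)
class Record:
    org_id: str
    kind: str            # "objective" or "private_note"
    author_id: str
    body: str

class AccessDenied(Exception):
    pass

class ScopedStore:
    """Every operation takes a Caller; there is no unscoped query path."""
    def __init__(self):
        self._by_org = {}    # org_id -> records; stands in for a partition key

    def put(self, caller, kind, body, org_id=None):
        # A client-supplied org_id is honoured only if it matches the token's org.
        if org_id is not None and org_id != caller.org_id:
            raise AccessDenied("cross-organization write")
        rec = Record(caller.org_id, kind, caller.user_id, body)
        self._by_org.setdefault(caller.org_id, []).append(rec)
        return rec

    def query(self, caller, kind):
        # Only the caller's own organization partition is ever read.
        rows = [r for r in self._by_org.get(caller.org_id, []) if r.kind == kind]
        if kind == "private_note":
            # Author-only, whatever the role: no manager or admin override.
            rows = [r for r in rows if r.author_id == caller.user_id]
        return rows

    def org_report(self, caller):
        if caller.role != "admin":
            raise AccessDenied("organization report requires admin role")
        rows = self._by_org.get(caller.org_id, [])
        # Private notes are excluded from aggregates by construction.
        return {"objectives": sum(r.kind == "objective" for r in rows)}
```

A useful review check for a design like this is that no method accepts an organization identifier as its sole source of scope; the organization always comes from the authenticated caller.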
Infrastructure
Vogata runs on a serverless architecture, which means fewer moving parts to misconfigure and a smaller attack surface than a fleet of servers we'd have to patch by hand.
- AWS (region us-east-2). Compute runs on AWS Lambda, data on Amazon DynamoDB, and transactional email through Amazon SES. AWS handles the physical security, patching and resilience of the underlying platform.
- Cloudflare. Our site and DNS run on Cloudflare, with Turnstile guarding signup. Cloudflare sits in front of our traffic, providing TLS termination and protection against common network-level abuse.
- Least privilege by default. Each function gets only the permissions it needs to do its job, nothing more.
Data and AI
The AI coach is powered by Anthropic's Claude. We use it deliberately and with clear limits.
- Your data is not used to train models. Content we send to Anthropic to power the coach is not used to train their models. Your objectives, notes and evaluations stay yours.
- The coach assists; it never decides. The AI drafts, checks and suggests: sharper objectives, a SMART review, a 1:1 agenda, a first draft of an evaluation. A human always reviews and decides. It never grades anyone for you.
- We send only what's needed. The coach receives the relevant context for the task at hand, not your whole organization's data.
Backups and resilience
Your data is backed up so an accident doesn't become a loss. We rely on AWS's managed durability and point-in-time recovery capabilities for our databases, with backups encrypted at rest like everything else. The serverless design also means there's no single server whose failure takes the product down.
Internal access management
We are a small team, and we keep internal access tight. Access to production systems is limited to the people who genuinely need it, protected by individual accounts and multi-factor authentication, and granted on a least-privilege basis. We don't read your private notes or browse your data out of curiosity. We'd only ever access organization data with your knowledge, to support you or to resolve an issue you've raised.
Responsible disclosure
If you believe you've found a security vulnerability in Vogata, please tell us before disclosing it publicly. Email [email protected] with enough detail to reproduce the issue. We'll acknowledge your report, work with you to understand and fix it, and we won't pursue action against good-faith research that respects our users' privacy and avoids degrading the service. We genuinely appreciate the help.
Have a security question?
Whether you're evaluating Vogata for your team or you've spotted something we should fix, we want to hear from you. We answer security questions directly and honestly.