CISO, VP Engineering, IT Director

Security Architecture: How is customer data protected?

Each customer's data resides in a dedicated, single-tenant environment. Conversation data, knowledge base, and configuration never touch another customer's environment. This is genuine isolation, not multi-tenant with data partitioning. The significance of this choice became clear after the Drift/Salesloft OAuth breach in August 2025, where broad OAuth permissions in shared infrastructure cascaded into data exposure for more than 700 organizations. Single-tenant architecture eliminates that category of risk by design.

Data protection includes encryption at rest (AES-256) and in transit (TLS 1.2+), managed key rotation, narrow OAuth scopes by default, rate limiting, and bot protection. PII masking automatically strips personally identifiable information from conversation logs before storage, configurable for different categories based on regulatory requirements.

For IT and security evaluators, the orchestration approach means fewer point solutions. One platform handling engagement, routing, enablement, and content intelligence means fewer vendor relationships, fewer integration points, and fewer data flow risks than a stack of separate tools.

Enterprise architecture designed for security

Three security-first architectural decisions that eliminate categories of risk.

Dedicated

Single-Tenant Architecture

Each customer's data resides in a dedicated environment. Conversation data, knowledge base, and configuration never touch another customer's environment. Genuine isolation, not partitioning.

Tested

Pre-Launch AI Verification

Before the AI represents your brand: batch testing for accuracy validation, hallucination detection, prompt injection resilience, and out-of-domain handling. Guardrails block malicious queries.

24/7

AI Response Monitoring

A trained Evaluation Planner monitors AI responses around the clock. Detects drift, flags concerning patterns, and alerts on aberrations. Production observability for AI systems.

The numbers behind the claim

SOC 2
Type II Certified

Independent audit of security controls, availability, processing integrity, confidentiality, and privacy.

AES-256
Encryption Standard

At rest and TLS 1.2+ in transit. No static tokens. Managed key rotation on a scheduled basis.

Auto
PII Masking

Automatic identification and redaction from transcripts before storage. Configurable by regulatory requirements.

Enterprise
Deployment Scale

Deployed at Fortune 500 scale. Top-10 US bank completed security evaluation and deployment.

Frequently Asked Questions

Conversation data is stored in encrypted, SOC 2 compliant infrastructure within a single-tenant environment. Data residency options available for regulated requirements. Specific details provided during security review.
Subprocessor list available under NDA during security evaluation. Standard enterprise procurement process applies.
Yes. The AI is grounded in published content. Pre-launch testing specifically validates against hallucination. Continuous monitoring detects drift. The system says "I do not have that information" rather than inventing an answer.
The Drift/Salesloft OAuth breach (August 2025) cascaded through 700+ organizations because of broad OAuth permissions in shared multi-tenant infrastructure. Three architectural differences in Vurbalize: single-tenant data isolation (not multi-tenant with partitioning), narrow OAuth scopes by default (not broad permissions for convenience), and managed key rotation (not static tokens). These were foundational design choices, not post-incident responses.
PII masking automatically identifies and redacts personally identifiable information from transcripts and logs before storage. Configurable for different PII categories based on regulatory requirements.
Authentication details provided during technical evaluation. Standard enterprise authentication patterns supported. RBAC with admin, manager, and agent permission levels.
Drift was sunset March 6, 2026, following the August 2025 breach that exposed 700+ organizations. For security evaluators, the migration checklist starts with: single-tenant vs. multi-tenant architecture, OAuth scope and rotation policies, PII handling procedures, and whether the vendor's security posture was designed in or bolted on after an incident. "The Wrong Lesson from Drift's Shutdown" details the five architecture questions, including the OAuth governance question that the breach made non-negotiable.
