Security
Vodia Analytics is designed for production deployment with multiple layers of security.
Authentication
- JWT authentication with 8-hour access tokens and 7-day refresh tokens
- Passwords hashed with bcrypt
- JWT secret minimum length validation
- Automatic super admin seeding on first boot
Network
- HTTPS — automatic TLS via Caddy and Let's Encrypt
- CORS — locked to the configured domain only
- Rate limiting — Redis-backed sliding window per IP
- IP Whitelisting — restrict which PBX IPs can push CDR/recording data
- UFW firewall — configured during installation (ports 80, 443, 22 only)
- Security headers — HSTS, CSP, X-XSS-Protection, X-Content-Type-Options, Permissions-Policy via Caddy
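
To confirm after installation that the headers listed above are actually served, the following check reads raw response headers and reports any that are absent. It is an added example, not part of Vodia Analytics; the function name, the sample response and the placeholder domain are assumptions, and it checks only that each header is present, not its value.

```shell
#!/usr/bin/env bash
# Added example: report which of the security headers named in the list
# above are absent from an HTTP response.
# Input:  raw response headers on stdin (e.g. the output of `curl -sI`).
# Output: one missing header name per line; empty output means all are present.

# Header names taken from the list above (HSTS = Strict-Transport-Security,
# CSP = Content-Security-Policy), lowercased for case-insensitive matching.
REQUIRED_HEADERS="strict-transport-security
content-security-policy
x-xss-protection
x-content-type-options
permissions-policy"

missing_security_headers() {
  local present name
  # Strip CRs, skip the status line (it has no colon), keep the lowercased
  # header name only.
  present=$(tr -d '\r' | awk -F: 'NF > 1 { print tolower($1) }')
  for name in $REQUIRED_HEADERS; do
    # -x: whole-line match, -F: literal string, so a header that merely
    # contains the name as a substring does not count.
    printf '%s\n' "$present" | grep -qxF -- "$name" || printf '%s\n' "$name"
  done
}

# Constructed sample response (not captured from a real deployment):
# two of the five headers are deliberately left out.
SAMPLE_RESPONSE=$(printf '%s\r\n' \
  'HTTP/2 200' \
  'content-type: text/html; charset=utf-8' \
  'Strict-Transport-Security: max-age=31536000; includeSubDomains' \
  'X-Content-Type-Options: nosniff' \
  'x-xss-protection: 1; mode=block')

# Live use (analytics.example.com is a placeholder for your own domain):
#   curl -sI https://analytics.example.com | missing_security_headers
```

Run it against your own deployment after any change to the Caddy configuration; an empty result means all five headers are being sent.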
AI Privacy
- Transcription is 100% local — sherpa-onnx runs inside the worker container, no audio is sent externally
- Only transcript text (not audio) is sent to OpenAI for analysis, and only if an API key is configured
- Auto-summarize can be disabled per tenant