Vouchly exists to stop payment fraud, so security isn't a feature — it's the whole product. Here's exactly how we're designed.
We verify a payment request through a channel the attacker can't reach — the vendor's contact of record, not the number or reply-to in the suspicious message. Security comes from the unspoofable channel, not from trying to “detect the deepfake.”
Vouchly is never an inline payment gateway. We don't hold, move, or release money. We observe the request, run the verification, and produce the proof — your own systems still execute the payment.
Connections to email, ERP/AP, and banking are requested read-only wherever possible, scoped to the minimum needed. We're explicit about what each connector can do — some place a hold, others only alert — so you're never misled on “detect vs. act.”
We do not store banking credentials, full account numbers, or payment-authorization secrets. Access tokens are encrypted, and we keep only what's required to perform a verification and produce its record.
Every verification produces a hash-chained, tamper-evident record — who approved, on which channel, against which contact, and when. Export an insurance-evidence pack for your renewal in one click.
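A minimal sketch of how a hash-chained record like the one described above makes edits detectable, added here as an illustration and not Vouchly's own implementation. The field names, the SHA-256 over canonical JSON encoding, the genesis value and the sample entries are all assumptions constructed for the example.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # assumed anchor value that the first record links to


def record_hash(prev_hash: str, body: dict) -> str:
    """Hash the previous link together with a canonical encoding of the body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def append(chain: list, approver: str, channel: str, contact: str, when: str) -> dict:
    """Append one verification record, linked to the current head of the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {"approver": approver, "channel": channel, "contact": contact, "when": when}
    entry = {"body": body, "prev": prev, "hash": record_hash(prev, body)}
    chain.append(entry)
    return entry


def verify(chain: list, expected_head: Optional[str] = None) -> int:
    """Return -1 if the chain is intact, else the index of the first bad entry.

    If expected_head (a head hash stored outside the log) is given, a chain that
    is internally consistent but ends on a different hash returns len(chain).
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != record_hash(prev, entry["body"]):
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(chain)
    return -1


def build_sample() -> list:
    """Constructed sample records (not real data)."""
    chain: list = []
    append(chain, "alice@example.com", "phone-callback", "vendor-17", "2026-05-04T10:15:00Z")
    append(chain, "bob@example.com", "phone-callback", "vendor-17", "2026-05-04T10:22:00Z")
    append(chain, "alice@example.com", "portal", "vendor-42", "2026-05-05T09:01:00Z")
    return chain
```

Recomputing every later hash makes a rewritten or truncated chain self-consistent again, so the check only holds when the head hash is kept somewhere the log's editor cannot reach (passed here as `expected_head`).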
High-risk changes require two-person approval. APIs do the proof and AI assists triage; a human always makes the final release decision.
Vouchly is an early-stage company building with our first design partners. We are not yet SOC 2 certified — we're building toward it, and we're glad to walk your team through our architecture, data handling, and roadmap on a call. We'd rather be straight with you than imply a badge we haven't earned.
Data is encrypted in transit (TLS) and at rest. Access to production is restricted and logged. We collect only what we need and retain it only as long as necessary.
Found a security issue? Email security@vouchlyhq.com and we'll respond quickly. We welcome responsible disclosure.
We'll happily take your security or finance team through how it works.
Last updated: May 2026