Security at Vizitor
Your workplace data matters. We built Vizitor with security at the foundation, not bolted on later. Here's exactly how we protect it.
Keeping your workplace physically secure
Every person who walks through your door should be there for a reason. Vizitor makes sure of that with identity checks, screening, and a complete log of every entry and exit, automatically.
Watchlist screening
Every visitor is checked against your watchlist at sign-in. If there's a match, your security team gets an instant alert before the visitor gets any further.
Government ID scanning
Visitors scan their ID using the iPad camera at check-in. Details are verified and stored: no manual entry, no false records.
OTP verification
Visitors confirm their phone number with a one-time password before check-in is complete. A simple step that keeps unverified entries out.
Photo on every entry
A photo is taken of each visitor at sign-in and stored with their record. There's always a face to go with the name, visible right on your dashboard.
NDA and document signing
Visitors sign NDAs or any compliance document at the kiosk. The signed copy is saved automatically to their visitor record, with no paperwork to chase later.
Visitor badge printing
Badges print on check-in showing name, host, and authorised area. Anyone without one is easy to spot and flag.
Flexible entry controls across locations
Set global entry standards and tailor them for each location to align with local requirements and internal policies.
Sign-out tracking
Visitors check out via kiosk or their host signs them out through the app. If someone's still showing as on-site past their expected time, your team gets a flag.
Your data is encrypted, always
All visitor data is encrypted at rest using AES-256. Data moving between your devices and our servers is protected with TLS 1.2, so nothing is exposed in transit.
Customer data is stored in a shared infrastructure, but strict application-level privacy controls prevent any cross-customer data access. We run unit, integration, and regression tests every time a change is made to the platform.
- AES-256 encryption at rest for all visitor and workplace data
- TLS 1.2 encryption for all data in transit
- SSL certificates: 2048-bit RSA, signed with SHA-256
- Tamper-proof audit log for every entry, exit, and signed document
- Role-based access controls: your team sees only what they need to
- GDPR consent captured at check-in and stored per visitor record
Built on AWS: enterprise-grade from day one
Vizitor runs entirely in the cloud on Amazon Web Services (AWS). We don't manage our own physical servers, routers, or DNS. AWS data centers are SSAE 16 certified, with multi-layer physical and digital access controls.
- All services hosted on AWS in certified, secure data centers
- Private virtual cloud (VPC) with strict network access control lists
- Separate VPC environments for production and development
- Automated snapshots taken at frequent intervals as a backup strategy
- Full database backups run daily; no data is permanently lost
- RDS encryption used for all database instances and snapshots at rest
- Firewalls in place at every layer to block unauthorised access
Who can see your data
We keep strict controls over who inside Vizitor can access customer data. In practice, that's almost no one.
Strict internal access
Almost no one at Vizitor can access customer data. Those who can are bound by formal confidentiality policies before they touch any internal system.
Signed privacy agreements
All Vizitor employees and contractors sign data privacy and security agreements as a condition of working here. We treat this as a basic operating standard, not a legal formality.
Real-time access monitoring
All application access is logged and monitored in real time. If something unusual is happening, we know about it quickly, not after the fact.
Application security, top to bottom
Our API and all application endpoints are TLS/SSL only. We use strong cipher suites and have Perfect Forward Secrecy enabled, which means past sessions stay private even if a future key is ever compromised.
Vizitor is tested regularly by third-party security firms through Vulnerability Assessment and Penetration Testing (VAPT). If something is found, we fix it.
- All API and application endpoints are HTTPS only, no exceptions
- Perfect Forward Secrecy enabled on all connections
- Regular third-party VAPT testing on all production systems
- Automated tests run on every platform update to catch regressions before production
- All access to Vizitor applications is logged and continuously monitored
Independently audited. Not self-declared.
Vizitor meets the security and compliance standards that enterprise customers expect, certified by independent auditors.
Frequently Asked Questions
Every visitor is automatically checked against your watchlist the moment they start signing in. If there's a match, your security team gets an instant alert before the visitor is granted entry. You can build your own watchlist inside Vizitor or connect a third-party screening service.
Vizitor prints a visitor badge automatically when someone checks in. If someone is walking around your office without one, your team can spot it immediately. Badges include the visitor's name, photo, host, authorised area, and visit date, so there's no ambiguity about whether someone belongs there.
Yes. When logging contractors or third-party vendors, you can set authorised zones and time windows for their visit. If they're only cleared for the ground floor between 9am and 1pm, that's exactly what gets recorded, and your team has a clear log if anything falls outside those boundaries.
Visitors can sign themselves out at the kiosk, or their host can check them out through the Vizitor app. If someone is still showing as on-site past their expected time, your team gets an automatic flag so nothing slips through unnoticed.
Visitor consent is captured at the point of check-in, not assumed after the fact. You control what visitors consent to, how long their data is retained, and who inside your organisation can access it. Records are stored securely and can be deleted on request. The whole flow is designed so your compliance team doesn't have to chase paperwork or make manual updates.
Yes. You can add any document to your check-in flow: NDAs, health declarations, liability waivers, safety acknowledgements. Visitors sign on the kiosk screen before they're granted entry. Each signed document is stored automatically with their visitor record, with a timestamp and their verified identity attached.
Every check-in, sign-out, ID scan, NDA signature, watchlist flag, and badge print is recorded with a timestamp. Records are encrypted and cannot be edited or deleted retroactively. When an audit comes up, you export the report you need; you don't dig through folders or piece together spreadsheets.
Yes. Each location can have its own check-in rules, data retention settings, and compliance documents, while you manage everything from one central dashboard. If GDPR applies in your European offices and different rules apply elsewhere, you configure them independently without affecting other locations.
All visitor data is encrypted at rest using AES-256 and in transit using TLS 1.2. Data is hosted on AWS infrastructure. Vizitor undergoes regular third-party Vulnerability Assessment and Penetration Testing (VAPT), and the platform is ISO 27001 certified.
Only the admins you designate. Vizitor uses role-based access controls, so your reception team, security staff, and executives each see exactly what they need to do their job, nothing more. All access to visitor records is logged.
You set the retention period. Vizitor can automatically delete visitor records after a defined number of days to comply with your data policies. You stay in control of what's kept and for how long.
Have questions about security?
We're happy to walk you through how Vizitor handles your data, or share our security documentation with your IT team.