Trust
Security
This page describes how we secure rohait.com and the voice agent that fronts our inquiry line. Each product in our portfolio (RohaChart, QuicPass, RohaVerify) maintains its own controls and customer documentation; this page covers the corporate surface and any data that flows through it.
Architecture in one paragraph
rohait.com is a static site served from Amazon S3 via CloudFront with a managed TLS 1.2/1.3 certificate from AWS Certificate Manager. The voice agent runs on Amazon ECS Fargate behind an Application Load Balancer with the same managed certificate. The agent has no database of its own; secrets are read at startup from AWS Systems Manager Parameter Store and never logged.
Transport & HTTP security
- HTTPS-only with HSTS (max-age=63072000; includeSubDomains) on both the marketing site and the voice agent.
- TLS 1.3 preferred (ELBSecurityPolicy-TLS13-1-2-2021-06); legacy TLS 1.0/1.1 are not accepted.
- Response headers enforced at the edge and at the origin: X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Referrer-Policy, Permissions-Policy, and a strict Content-Security-Policy on the marketing site.
- No cookies. No third-party trackers. No analytics scripts.
Authentication at trust boundaries
- Every Twilio webhook is verified by HMAC-SHA1 signature against the X-Twilio-Signature header. In production the service runs in strict mode: a missing auth token causes a hard 503, never a fail-open.
- The operator console (GET /tickets) requires a shared token compared in constant time.
- Request bodies are capped server-side; unknown JSON fields are rejected.
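An added illustration of the webhook check described above, following Twilio's documented signing scheme (HMAC-SHA1 over the request URL plus the sorted POST parameters, base64-encoded). This is not Roha IT's code; the function names, URL, token and form values are hypothetical or constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/url"
	"sort"
)

// twilioSignature returns base64(HMAC-SHA1(authToken, URL + key + value ...)),
// with POST parameters appended in sorted key order and no delimiters.
func twilioSignature(authToken, fullURL string, form url.Values) string {
	keys := make([]string, 0, len(form))
	for k := range form {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	mac := hmac.New(sha1.New, []byte(authToken))
	mac.Write([]byte(fullURL))
	for _, k := range keys {
		mac.Write([]byte(k + form.Get(k))) // assumption: one value per key
	}
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// checkWebhook (hypothetical helper) returns the HTTP status to answer with.
func checkWebhook(authToken, publicURL, sigHeader string, form url.Values) int {
	if authToken == "" {
		// Strict mode: without a token nothing can be verified, so fail closed.
		return http.StatusServiceUnavailable
	}
	want := twilioSignature(authToken, publicURL, form)
	if !hmac.Equal([]byte(want), []byte(sigHeader)) { // constant-time compare
		return http.StatusForbidden
	}
	return http.StatusOK
}

func main() {
	form := url.Values{"From": {"+15550100"}, "CallSid": {"CAconstructed"}} // constructed sample
	const u = "https://agent.example/voice"                               // hypothetical webhook URL
	sig := twilioSignature("constructed-token", u, form)
	fmt.Println(checkWebhook("constructed-token", u, sig, form))    // 200
	fmt.Println(checkWebhook("constructed-token", u, "AAAA", form)) // 403
	fmt.Println(checkWebhook("", u, sig, form))                     // 503
}
```

The URL passed in must be the exact public URL Twilio signed, which behind a load balancer usually means a configured value rather than one rebuilt from the incoming request.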
Data handling
- Inbound voice audio is streamed through the agent and is not retained after the call ends. We retain structured lead information (caller, topic, contact) and a 14-day operational log of request metadata.
- Server logs do not contain authentication tokens, OpenAI API keys, or full audio.
- All data at rest in AWS is encrypted with AES-256 (S3 server-side encryption and CloudWatch Logs).
Supply chain
- The voice agent is built from a multi-stage Dockerfile, runs as a non-root user on distroless/static, and ships no shell.
- Go dependencies are pinned by go.sum checksums.
- Container images live in a private Amazon ECR registry with image scanning enabled.
Change management
- Every change is reviewed and lands in main via GitHub. Static site deploys run on push via GitHub Actions assuming an OIDC-scoped IAM role; no long-lived AWS access keys.
- Agent deploys roll one task at a time behind health checks; failed deploys roll back automatically.
- All infrastructure-modifying commands are logged in AWS CloudTrail.
Reporting a vulnerability
We take security reports seriously. Please email security@rohait.com (or support@rohait.com if your client cannot route the former) with the details. We acknowledge within one business day and aim to confirm a fix or mitigation within thirty calendar days for valid reports. We will credit you publicly if you wish, and we do not pursue legal action against good-faith research that respects user privacy and our service.
Limits of this page
This page describes controls in place today. We do not currently hold third-party certifications such as SOC 2 or HIPAA attestations at the parent-company level; statements on the home page about "HIPAA-aligned controls" describe the engineering practices we use in regulated products, not a third-party audit of Roha IT Solutions as a whole. Customers with regulatory obligations should request product-level documentation and a Business Associate Agreement where applicable.