Trust Center

All customer data is classified as Internal or Confidential. Sensitive data is handled according to strict internal security policies on a need-to-know basis.

Role-based access with Multi-Factor Authentication (MFA) and audit logging is enforced across all relevant systems.

We utilize EU-based major cloud providers. For details, see our sub-processors list.

Our AI is classified as limited-risk under the EU AI Act for administrative use with human oversight, but may be high-risk if used for clinical purposes. Learn more.

Detailed audit logs are maintained for all system activity and retained according to our data retention policy. Call logs are also accessible to customers in the dashboard.

• Encryption: AES-256 encryption at rest, TLS 1.3 + TLS-SRTP for media streams in transit.
• Password Requirements (per NIST):
  • Minimum 20 characters
  • Three of four character types (uppercase, lowercase, numbers, special characters)
  • Multi-Factor Authentication (MFA) enforced

Role-based access control (RBAC) plus MFA is enforced across all environments containing confidential or internal data.

Our CI/CD pipeline includes code scanning, security testing, and automated checks to identify vulnerabilities before deployment.

24/7 real-time monitoring of all systems with on-call support. We maintain a public status page for transparency.

We host our services in EU data centers provided by major cloud vendors. See our sub-processors list for details.

Production and non-production environments are strictly isolated. Servers are replicated for fault tolerance and high availability.

We leverage a Zero Trust architecture using WireGuard for secure networking and strict identity-based access controls.

All infrastructure components are monitored 24/7 for performance, availability, and security indicators.

We conduct Data Protection Impact Assessments (DPIA) to identify and mitigate privacy risks.

We fully support GDPR data subject rights (access, rectification, erasure, etc.) with streamlined processes.

We maintain clear guidelines on data lifecycle management, including secure deletion.

Our Privacy Policy and Data Processing Agreement (DPA) are publicly available.

Our platform is classified as a limited-risk AI system under the EU AI Act when used for administrative tasks with human oversight. Use in clinical or diagnostic settings may fall under high-risk classification. Learn more in our EU AI Act page.

We design workflows to ensure human validation and accountability throughout the AI interaction lifecycle.

We apply strict prompt control, link extractions to source transcripts, and leverage Azure OpenAI's content filtering to maintain safe and compliant outputs.

All call transcripts are viewable in the product. When the AI extracts structured data (e.g. date of birth), we clearly show which part of the transcript it was derived from—ensuring auditability and contextual traceability.

We offer a standardized Data Processing Agreement (DPA) to our customers.

We perform security assessments of our third-party processors and update the list of sub-processors regularly.

Our platform usage guidelines and restrictions to prevent misuse and maintain compliance.

We maintain and review our Disaster Recovery (DR) plan on a quarterly basis. The plan outlines key recovery procedures, contact protocols, and infrastructure dependencies across Supabase, Hetzner, and AWS.

Our core database is managed by Supabase in the EU and has daily encrypted backups.

Our current disaster recovery targets include:

• RPO (Recovery Point Objective): ≤ 24 hours
• RTO (Recovery Time Objective): ≤ 4 hours

We target a 99.9% availability SLA across our services, with infrastructure-level monitoring in place to minimize downtime.

We conduct scheduled disaster recovery drills and document outcomes.

We maintain continuous security monitoring and alerting for quick incident detection.

A clearly defined communication workflow ensures timely breach notifications to all stakeholders.

For security incidents or queries view responsible disclosure policy.

We provide RCAs for all security incidents. These are available to affected customers upon request.

Regular automated vulnerability scanning of our infrastructure and applications.