Documentation

Security & data protection

This page is the user-facing view of how Aitelier handles your data. The full Data Processing Addendum and Privacy Policy live under /dpa and /privacy — this is the practical summary.

Where your data lives

Primary data — your project configuration, your knowledge base, your call recordings, your transcripts, your usage records — is hosted on dedicated Hetzner infrastructure in Germany, with object storage in EU regions.

A number of sub-processors power the AI itself and sit outside the EU: the model and speech providers behind the voice tiers (OpenAI, Anthropic, Google, Deepgram, Cartesia), LiveKit for realtime media, Twilio for telephony, and Stripe for payments. For each, the transfer is covered by EU Standard Contractual Clauses, and the platform sends a provider only the conversation context it needs to run your agent.

The full sub-processor list is published in the DPA. We commit to 30-days notice before adding any new sub-processor.

Tenant isolation

Every business-data table in our database carries a tenant_id. Every database query goes through a repository layer that injects the tenant id automatically. A linter rule blocks direct ORM access outside the repositories — meaning a programmer cannot accidentally write a query that reads another tenant's row.

This is row-level isolation, not table-level. From the outside it looks like every tenant has its own copy of the platform.

Encryption

  • In transit — TLS on every public endpoint. WebRTC media is DTLS/SRTP.
  • Plugin credentials and SIP secrets — column-level AES-256-GCM encryption on top of the at-rest layer.
  • API keys and webhook secrets — API keys are hashed at rest (never recoverable); signing secrets are shown once at creation.

Once a secret enters the platform, you do not see it again — the UI shows an identifying prefix, never the full value.

Authentication

You sign in with a 6-digit code sent to your email — ten-minute expiry, one-time use. No password to remember, no password database to breach.

Once signed in, you hold a short-lived access token (1-hour lifetime) plus a refresh token with 30-day rolling rotation and replay detection — a stolen refresh token that gets reused is detected and the session is killed.

Two-factor authentication (TOTP) is on the near-term roadmap.

API keys

Every API key is scoped — you grant it only the operations it needs, never more. A key with outbound:trigger cannot read sessions; a key with sessions:read cannot trigger a call. This is enforced at the API layer.

Keys are shown once at creation, hashed at rest, and revocable at any time.

Roles and permissions

Within a project, three roles:

  • Owner — full control including billing, members, deletion
  • Editor — can configure plugins, edit scenarios, run tests, but not change billing or remove members
  • Viewer — read-only access

Memberships can cross tenants — agencies typically grant their staff editor access on their clients' projects without merging tenants.

Data retention

Current defaults:

  • Call recordings — kept for 30 days, then expire. Different retention available on request.
  • Transcripts and structured session data — retained while your account is active.
  • Billing and usage records — retained as required for financial compliance.

Deleting a project removes it from your workspace and deletes its knowledge index. For full erasure of the underlying recordings and transcripts, contact privacy@aitelier.org and we complete the wipe.

Data subject requests (DSAR)

If a caller asks you to delete their data — typically the recordings and transcripts of their calls — you have an obligation under GDPR (and similar laws) to act within 30 days.

Send the request to privacy@aitelier.org with the caller's phone number: we locate the caller's sessions, erase the recordings and transcripts, and confirm completion to you so you can close the request with proof. We also accept DSARs directly if a caller reaches us instead of you; we route the request to the right tenant and confirm completion to both sides.

Caller consent

You control the agent's greeting and disclosure wording per scenario. If your jurisdiction requires AI disclosure or recording consent — an increasing list — put it in the scenario's greeting; the agent delivers it on every call, and packs ship with sensible greeting templates to start from.

Vulnerability reporting

If you find a security issue, please report it to security@aitelier.org. We acknowledge within two business days and prioritise critical issues ahead of all other work. PGP key on request.

Compliance roadmap

Current state:

  • GDPR-aligned with signed DPA, EU residency, DSAR handling, sub-processor transparency
  • SOC 2 Type I — audit in progress, Type II window starts Q3 2026
  • HIPAA-ready — BAA available on request for healthcare deployments; PHI handling configurable per project
  • ISO 27001 — on the roadmap, post-SOC 2

If your compliance team needs something specific (a particular regional certification, a custom DPA term, a regulator-friendly architecture diagram), reach out at security@aitelier.org — most requests are answerable, and the answers tend to also be the answer for other customers in the same regulatory space.