This page is the user-facing view of how Aitelier handles your data. The full Data Processing Addendum and Privacy Policy live under /dpa and /privacy — this is the practical summary.
Where your data lives
All primary data — your project configuration, your knowledge base, your call recordings, your transcripts, your usage records — lives in the European Union. We host on dedicated Hetzner infrastructure in Germany and Finland. Backups stay in the EU.
A small number of sub-processors sit outside the EU because they have no EU-resident equivalent: OpenAI (USA, for the realtime voice model on the hot path), Anthropic (USA, for the slower analysis path), Stripe (USA / Ireland, for payment processing). For each, the transfer is covered by EU Standard Contractual Clauses plus supplementary measures including content minimisation — the platform sends the minimum prompt it needs to do its job, not the entire context.
The full sub-processor list is published in the DPA. We commit to 30 days' notice before adding any new sub-processor.
Tenant isolation
Every business-data table in our database carries a tenant_id. Every database query goes through a repository layer that injects the tenant id automatically. A linter rule blocks direct ORM access outside the repositories — meaning a programmer cannot accidentally write a query that reads another tenant's row.
This is row-level isolation, not table-level. From the outside it looks like every tenant has its own copy of the platform.
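The repository pattern described above, written out as an added example (this is illustrative code, not Aitelier's implementation; the table name, the `TenantContext` class and the `raw_query_lines` lint stand-in are assumptions). Two tenants share one SQLite table; each repository instance is bound to one tenant at construction and ANDs that predicate onto every statement, including primary-key lookups, so an id leaked from another tenant resolves to "not found". The small AST walker shows the shape of the lint rule: flag any `.execute()` call that appears outside a `repositories.*` module.

```python
import ast
import sqlite3
from typing import List, Optional, Tuple

# Constructed schema for the example: every business-data table carries tenant_id.
SCHEMA = """
CREATE TABLE transcripts (
    id        INTEGER PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    session   TEXT NOT NULL,
    body      TEXT NOT NULL
);
CREATE INDEX ix_transcripts_tenant ON transcripts (tenant_id);
"""


class TenantContext:
    """Hypothetical per-request binding, set once by the auth layer."""

    def __init__(self, tenant_id: str) -> None:
        if not tenant_id:
            raise ValueError("tenant_id must be bound before any repository call")
        self.tenant_id = tenant_id


class TranscriptRepository:
    """Hypothetical repository: callers never pass tenant_id; every statement
    this class emits carries the tenant predicate from the bound context."""

    def __init__(self, conn: sqlite3.Connection, ctx: TenantContext) -> None:
        self._conn = conn
        self._tenant = ctx.tenant_id

    def insert(self, session: str, body: str) -> int:
        cur = self._conn.execute(
            "INSERT INTO transcripts (tenant_id, session, body) VALUES (?, ?, ?)",
            (self._tenant, session, body),
        )
        return cur.lastrowid

    def get(self, transcript_id: int) -> Optional[Tuple[int, str, str]]:
        # The tenant predicate is ANDed onto primary-key lookups too, so an id
        # guessed or leaked from another tenant simply resolves to "not found".
        return self._conn.execute(
            "SELECT id, session, body FROM transcripts WHERE id = ? AND tenant_id = ?",
            (transcript_id, self._tenant),
        ).fetchone()

    def list_sessions(self) -> List[str]:
        rows = self._conn.execute(
            "SELECT session FROM transcripts WHERE tenant_id = ? ORDER BY id",
            (self._tenant,),
        ).fetchall()
        return [r[0] for r in rows]


def raw_query_lines(source: str, module_name: str) -> List[int]:
    """Hypothetical stand-in for the linter rule: report the line number of every
    .execute()/.executemany()/.executescript() call outside a repositories.* module."""
    if module_name.split(".")[0] == "repositories":
        return []
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (
            isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr in ("execute", "executemany", "executescript")
        ):
            hits.append(node.lineno)
    return hits


def demo() -> dict:
    """Two tenants share one table; each repository only ever sees its own rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    repo_a = TranscriptRepository(conn, TenantContext("tenant-a"))
    repo_b = TranscriptRepository(conn, TenantContext("tenant-b"))
    a_id = repo_a.insert("sess-1", "Caller asked for opening hours")  # constructed row
    b_id = repo_b.insert("sess-9", "Caller booked an appointment")    # constructed row
    return {
        "a_reads_own": repo_a.get(a_id) is not None,
        "a_reads_b": repo_a.get(b_id) is not None,   # False: isolation holds
        "b_sessions": repo_b.list_sessions(),
    }


if __name__ == "__main__":
    print(demo())
    print(raw_query_lines("rows = conn.execute('SELECT * FROM transcripts')\n", "app.handlers"))
```

The check worth keeping from this: the repository never exposes a method that takes a tenant id as a parameter, so there is no call site where a handler could pass the wrong one. Row-level isolation of this kind still shares indexes and query planner state across tenants, which is why the page describes it as row-level rather than table-level.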
Encryption
- In transit — TLS 1.3 minimum on every public endpoint. SIP uses TLS. WebRTC media is DTLS/SRTP.
- At rest — AES-256 for databases, object storage and backups.
- Plugin secrets, API keys, webhook signing keys — column-level AES-256-GCM encryption on top of the at-rest layer. The encryption key for production rotates on a schedule and is accessible only via SSO + 2FA.
Once a secret enters the platform, you do not see it again — we store it hashed; the UI shows only the last four characters for identification, never the full value.
Authentication
You sign in with a magic link sent to your email — six-digit code, ten-minute expiry. No password to remember, no password database to breach.
Once signed in, you hold a short-lived JWT (15-minute lifetime) plus a refresh token (30-day rolling rotation). If a device is compromised, revoking its refresh token cuts it off within a quarter-hour: the access token it already holds is the only thing left, and that expires on its own.
For accounts with billing or admin scope on a tenant, two-factor authentication is mandatory. We default to TOTP (Google Authenticator, 1Password, etc.) and support hardware keys (WebAuthn) on request.
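The access/refresh split above, as an added example (illustrative, not Aitelier's code; the `TokenService` class, the HS256 construction and the constructed signing key are assumptions). Access tokens are HS256 JWTs with a 15-minute `exp`; refresh tokens are random strings stored only as a SHA-256 digest and spent on first use, so a rotated-away refresh token cannot be replayed. The demo walks the timeline the page describes: after `revoke_refresh`, no new access token can be minted, and the one still in the device's hands is accepted only until its `exp`, at most 15 minutes later.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple

ACCESS_TTL = 15 * 60           # seconds; the 15-minute JWT lifetime
REFRESH_TTL = 30 * 24 * 3600   # seconds; the 30-day rolling window


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenService:
    """Hypothetical issuer: HS256 access tokens plus hashed, single-use refresh tokens."""

    def __init__(self, signing_key: bytes) -> None:
        self._key = signing_key
        self._refresh: Dict[str, dict] = {}   # sha256(refresh) -> {sub, exp, used}

    def _sign(self, signing_input: bytes) -> str:
        return _b64(hmac.new(self._key, signing_input, hashlib.sha256).digest())

    def mint_access(self, sub: str, now: int) -> str:
        header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        payload = _b64(json.dumps({"sub": sub, "iat": now, "exp": now + ACCESS_TTL}).encode())
        signing_input = f"{header}.{payload}".encode()
        return f"{header}.{payload}.{self._sign(signing_input)}"

    def verify_access(self, token: str, now: int) -> Optional[str]:
        """Return the subject if signature, algorithm and expiry check out, else None."""
        parts = token.split(".")
        if len(parts) != 3:
            return None
        header, payload, sig = parts
        # Constant-time compare of the signature before any claim is trusted.
        if not hmac.compare_digest(sig, self._sign(f"{header}.{payload}".encode())):
            return None
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None   # never let the token choose its own algorithm
        claims = json.loads(_unb64(payload))
        return claims["sub"] if claims["exp"] > now else None

    def issue_refresh(self, sub: str, now: int) -> str:
        raw = secrets.token_urlsafe(32)
        digest = hashlib.sha256(raw.encode()).hexdigest()
        self._refresh[digest] = {"sub": sub, "exp": now + REFRESH_TTL, "used": False}
        return raw   # the plaintext refresh token is never stored

    def rotate(self, refresh: str, now: int) -> Optional[Tuple[str, str]]:
        """Exchange a live refresh token for a new pair; the presented one is spent."""
        rec = self._refresh.get(hashlib.sha256(refresh.encode()).hexdigest())
        if rec is None or rec["used"] or rec["exp"] <= now:
            return None
        rec["used"] = True
        return self.mint_access(rec["sub"], now), self.issue_refresh(rec["sub"], now)

    def revoke_refresh(self, refresh: str) -> None:
        rec = self._refresh.get(hashlib.sha256(refresh.encode()).hexdigest())
        if rec is not None:
            rec["used"] = True


def demo() -> dict:
    svc = TokenService(b"constructed-demo-signing-key")   # constructed; not a real key
    t0 = 1_700_000_000
    user = "owner@example.com"                            # constructed subject
    access = svc.mint_access(user, t0)
    refresh = svc.issue_refresh(user, t0)
    out = {"valid_at_14m": svc.verify_access(access, t0 + 14 * 60) == user}
    rotated = svc.rotate(refresh, t0 + 10 * 60)
    out["rotation_ok"] = rotated is not None
    out["old_refresh_reuse"] = svc.rotate(refresh, t0 + 11 * 60)      # None: already spent
    new_access, new_refresh = rotated
    svc.revoke_refresh(new_refresh)                                     # device reported compromised
    out["rotate_after_revoke"] = svc.rotate(new_refresh, t0 + 12 * 60)  # None: revoked
    out["access_live_until_exp"] = svc.verify_access(new_access, t0 + 10 * 60 + 14 * 60) == user
    out["access_dead_at_15m"] = svc.verify_access(new_access, t0 + 10 * 60 + 15 * 60) is None
    return out


if __name__ == "__main__":
    print(demo())
```

The design point is that revocation only ever needs to touch the refresh-token table; access tokens stay stateless and their short lifetime bounds the exposure window.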
API keys
Every API key is scoped — you grant it only the operations it needs, never more. A key with outbound:trigger cannot read a transcript; a key with sessions:read cannot trigger a call. This is enforced at the API layer.
Keys are shown once at creation, hashed at rest, and revocable at any time. Activity is audit-logged.
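The key lifecycle and scope check described above, as an added example (illustrative, not Aitelier's code; the `ApiKeyStore` class, the key-id prefix format and the extra `transcripts:read` scope are assumptions). The full secret is returned exactly once from `create`, only its SHA-256 digest and last four characters are retained, and `authorize` refuses a key that is unknown, revoked, tampered with, or lacking the required scope. The two scope cases the page names, `outbound:trigger` and `sessions:read`, are the ones the demo exercises.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Constructed scope catalogue: the two scopes named on the page plus one more.
KNOWN_SCOPES = frozenset({"outbound:trigger", "sessions:read", "transcripts:read"})


@dataclass
class StoredKey:
    key_id: str
    digest: str              # SHA-256 of the full secret; the secret itself is never stored
    last4: str               # what the UI shows for identification
    scopes: FrozenSet[str]
    revoked: bool = False


class ApiKeyStore:
    """Hypothetical key store: show-once secrets, hashed at rest, scope enforcement."""

    def __init__(self) -> None:
        self._keys: Dict[str, StoredKey] = {}
        self.audit: List[Tuple[str, str]] = []   # (event, key_id); stand-in for the audit log

    @staticmethod
    def _digest(secret: str) -> str:
        return hashlib.sha256(secret.encode()).hexdigest()

    def create(self, scopes: Iterable[str]) -> Tuple[str, str]:
        granted = frozenset(scopes)
        unknown = granted - KNOWN_SCOPES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        key_id = "ak_" + secrets.token_hex(6)
        # The key_id prefix lets lookup find the record directly; the random part
        # after the dot is the actual credential.
        secret = key_id + "." + secrets.token_urlsafe(32)
        self._keys[key_id] = StoredKey(key_id, self._digest(secret), secret[-4:], granted)
        self.audit.append(("api_key.create", key_id))
        return key_id, secret    # the only moment the full secret is visible

    def revoke(self, key_id: str) -> None:
        self._keys[key_id].revoked = True
        self.audit.append(("api_key.revoke", key_id))

    def display(self, key_id: str) -> str:
        rec = self._keys[key_id]
        return f"{rec.key_id} (...{rec.last4})"

    def authorize(self, presented: str, required_scope: str) -> bool:
        """True only for a live key whose digest matches and whose grant covers the scope."""
        key_id = presented.split(".", 1)[0]
        rec = self._keys.get(key_id)
        if rec is None or rec.revoked:
            return False
        if not hmac.compare_digest(rec.digest, self._digest(presented)):
            return False
        return required_scope in rec.scopes


def demo() -> dict:
    store = ApiKeyStore()
    trigger_id, trigger_secret = store.create({"outbound:trigger"})
    reader_id, reader_secret = store.create({"sessions:read"})
    out = {
        "trigger_can_trigger": store.authorize(trigger_secret, "outbound:trigger"),
        "trigger_can_read": store.authorize(trigger_secret, "transcripts:read"),
        "reader_can_trigger": store.authorize(reader_secret, "outbound:trigger"),
        # '!' is outside the urlsafe alphabet, so this is guaranteed to differ.
        "tampered_secret": store.authorize(trigger_secret[:-1] + "!", "outbound:trigger"),
    }
    store.revoke(reader_id)
    out["reader_after_revoke"] = store.authorize(reader_secret, "sessions:read")
    out["display_shows_last4"] = store.display(trigger_id).endswith(trigger_secret[-4:] + ")")
    out["audit_events"] = [event for event, _ in store.audit]
    return out


if __name__ == "__main__":
    print(demo())
```

A plain SHA-256 is adequate here because the secret is a 256-bit random string rather than a human-chosen password; a slow password hash would add cost without adding security.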
Roles and permissions
Within a project, three roles:
- Owner — full control including billing, members, deletion
- Editor — can configure plugins, edit scenarios, run tests, but not change billing or remove members
- Viewer — read-only access, including transcripts (or excluding, per your policy)
Owners can be either user-specific or cross-tenant — agencies typically grant their staff editor access on their clients' projects without merging tenants.
Audit logs
Every privileged action is recorded in a tamper-evident audit log:
- Project creation, deletion, settings changes
- Plugin connection / disconnection
- API key creation / revocation / rotation
- Member invites / role changes / removals
- Recording exports, transcript exports, DSAR queries
- Tenant billing mode switches, manual balance adjustments
Audit logs are retained for 7 years. You can export them in the Billing → Audit tab.
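What "tamper-evident" can mean in practice, as an added example (illustrative, not Aitelier's implementation; the `AuditLog` class, the entry fields and the action names are assumptions). Each entry carries the hash of the previous one, so editing any entry breaks every hash after it, and a head hash held outside the log (for instance by the customer who exported it) also exposes truncation of the tail. The demo records three actions from the list above, then shows both an edited entry and a truncated export being caught.

```python
import hashlib
import json
from typing import Any, Dict, List, Optional

GENESIS = "0" * 64   # prev-hash of the first entry


def _entry_hash(entry: Dict[str, Any]) -> str:
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class AuditLog:
    """Hypothetical append-only, hash-chained audit log."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []

    def record(self, ts: str, actor: str, action: str, target: str,
               details: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "ts": ts, "actor": actor, "action": action,
                 "target": target, "details": details or {}, "prev": prev}
        entry["hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def export_jsonl(self) -> str:
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def verify_chain(entries: List[Dict[str, Any]], expected_head: Optional[str] = None) -> Optional[int]:
    """Return the seq of the first bad entry, or None if the chain is intact.
    expected_head is a head hash kept outside the log; it catches a truncated tail."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev or _entry_hash(e) != e["hash"]:
            return i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return len(entries)
    return None


def demo() -> dict:
    log = AuditLog()
    # Constructed entries mirroring actions from the list above.
    log.record("2026-01-10T09:00:00Z", "alice@example.com", "project.create", "proj_demo")
    log.record("2026-01-10T09:05:00Z", "alice@example.com", "plugin.connect", "proj_demo",
               {"plugin": "calendar"})
    log.record("2026-01-11T14:20:00Z", "bob@example.com", "api_key.revoke", "ak_demo")
    head = log.head()                       # what a customer would keep after an export
    intact = verify_chain(log.entries, head)
    tampered = [dict(e) for e in log.entries]
    tampered[1]["actor"] = "mallory@example.com"   # rewrite who connected the plugin
    edited = verify_chain(tampered)
    truncated = verify_chain(log.entries[:2], head)  # last entry silently dropped
    return {"intact": intact, "edited": edited, "truncated": truncated}


if __name__ == "__main__":
    print(demo())
```

The caveat a reviewer would raise: a hash chain detects changes only relative to something the adversary cannot rewrite. Without an externally held head hash (or periodic signed checkpoints), an operator with write access could regenerate the whole chain, so the exported head is the part to keep.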
Data retention
Default retention, configurable per project:
- Call recordings — 90 days; configurable from 0 (no recording) up to "max permitted by law" — whichever your jurisdiction allows.
- Transcripts and structured session data — 12 months
- Usage events for billing — 7 years (legal requirement)
- Audit logs — 7 years
When you delete a project, the platform queues a deletion job that wipes recordings, transcripts and knowledge base within 30 days. Billing records survive (legal requirement) but are anonymised — your tenant id is preserved, the project's identifying data is not.
Data subject requests (DSAR)
If a caller asks you to delete their data — typically the recordings and transcripts of their calls — you have an obligation under GDPR (and similar laws) to act within 30 days.
The platform gives you the tooling:
- Search by phone in the project's calls list. Type the number in E.164.
- Bulk delete — select the matching sessions, click Delete. Recordings vanish from object storage, transcripts vanish from the database, billing records keep an anonymised stub.
- Audit log records the deletion with your user as the actor — useful when you need to prove you acted.
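The three steps above, carried through as one added example (illustrative, not Aitelier's code; the table layout, the in-memory object store and the audit record shape are assumptions; the phone numbers are constructed). `normalise_e164` accepts the spacing people actually type and rejects anything that is not E.164, `find_sessions` matches only within the requesting tenant, and `erase_sessions` removes recordings and transcripts, nulls the caller on the billing rows so the stub survives, and writes an audit record that names the actor and the session ids but never the phone number itself.

```python
import re
import sqlite3
from typing import Dict, List

E164 = re.compile(r"^\+[1-9]\d{1,14}$")   # '+' then 2..15 digits, no leading zero

# Constructed schema for the example.
SCHEMA = """
CREATE TABLE sessions (id INTEGER PRIMARY KEY, tenant_id TEXT, caller TEXT, recording_key TEXT);
CREATE TABLE transcripts (session_id INTEGER, body TEXT);
CREATE TABLE billing_events (session_id INTEGER, caller TEXT, seconds INTEGER);
"""


def is_e164(raw: str) -> bool:
    return E164.match(re.sub(r"[\s\-().]", "", raw)) is not None


def normalise_e164(raw: str) -> str:
    """Strip spaces, dashes, dots and brackets; refuse anything that is not E.164."""
    digits = re.sub(r"[\s\-().]", "", raw)
    if not E164.match(digits):
        raise ValueError(f"not an E.164 number: {raw!r}")
    return digits


def find_sessions(conn: sqlite3.Connection, tenant_id: str, phone: str) -> List[int]:
    rows = conn.execute(
        "SELECT id FROM sessions WHERE tenant_id = ? AND caller = ? ORDER BY id",
        (tenant_id, phone),
    ).fetchall()
    return [r[0] for r in rows]


def erase_sessions(conn: sqlite3.Connection, object_store: Dict[str, bytes], tenant_id: str,
                   session_ids: List[int], actor: str, audit: List[dict]) -> dict:
    """Delete recordings and transcripts, leave an anonymised billing stub, audit the act."""
    counts = {"recordings": 0, "transcripts": 0, "billing_stubs": 0}
    for sid in session_ids:
        row = conn.execute(
            "SELECT recording_key FROM sessions WHERE id = ? AND tenant_id = ?", (sid, tenant_id)
        ).fetchone()
        if row is None:
            continue   # not this tenant's session: never touch it
        if row[0] in object_store:
            del object_store[row[0]]
            counts["recordings"] += 1
        counts["transcripts"] += conn.execute(
            "DELETE FROM transcripts WHERE session_id = ?", (sid,)).rowcount
        counts["billing_stubs"] += conn.execute(
            "UPDATE billing_events SET caller = NULL WHERE session_id = ?", (sid,)).rowcount
        conn.execute("DELETE FROM sessions WHERE id = ?", (sid,))
    # The audit record proves the action without re-storing the caller's number.
    audit.append({"actor": actor, "action": "dsar.erase", "tenant": tenant_id,
                  "sessions": list(session_ids)})
    return counts


def seed_demo(conn: sqlite3.Connection, object_store: Dict[str, bytes]) -> None:
    conn.executescript(SCHEMA)
    rows = [   # constructed; +44 20 7946 0xxx is a fictional UK range
        (1, "tenant-a", "+442079460958", "rec/1"),
        (2, "tenant-a", "+442079460958", "rec/2"),
        (3, "tenant-a", "+442079460111", "rec/3"),
        (4, "tenant-b", "+442079460958", "rec/4"),   # same caller, another tenant
    ]
    conn.executemany("INSERT INTO sessions VALUES (?, ?, ?, ?)", rows)
    for sid, _, caller, key in rows:
        conn.execute("INSERT INTO transcripts VALUES (?, ?)", (sid, f"transcript {sid}"))
        conn.execute("INSERT INTO billing_events VALUES (?, ?, ?)", (sid, caller, 60 * sid))
        object_store[key] = b"\x00audio"


def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    store: Dict[str, bytes] = {}
    audit: List[dict] = []
    seed_demo(conn, store)
    phone = normalise_e164("+44 20 7946 0958")   # as typed into the search box
    ids = find_sessions(conn, "tenant-a", phone)
    counts = erase_sessions(conn, store, "tenant-a", ids, "alice@example.com", audit)
    anonymised = conn.execute("SELECT COUNT(*) FROM billing_events WHERE caller IS NULL").fetchone()[0]
    billing_total = conn.execute("SELECT COUNT(*) FROM billing_events").fetchone()[0]
    return {"matched": ids, "counts": counts, "remaining_recordings": sorted(store),
            "anonymised": anonymised, "billing_total": billing_total,
            "audit_action": audit[-1]["action"]}


if __name__ == "__main__":
    print(demo())
```

Note that tenant-b's session for the same number is untouched: a DSAR arriving at one tenant is that tenant's obligation, and the deletion must not reach across the isolation boundary.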
We can also accept DSARs directly at privacy@aitelier.org if a caller reaches us instead of you; we route the request to the right tenant and confirm completion to both sides.
Caller consent
The agent identifies as an AI receptionist at the start of every call by default. You can customise the disclosure wording per scenario; in jurisdictions that require disclosure (a list that grows every quarter), do not turn it off.
Recording disclosure is similarly default-on with editable wording. If your jurisdiction requires explicit consent, the scenario can prompt for it before continuing.
Vulnerability reporting
If you find a security issue, please report it to security@aitelier.org. We acknowledge within two business days, aim to remediate critical issues within 14 days, and credit reporters in our hall of fame (with permission). PGP key on request.
Compliance roadmap
Current state:
- GDPR-aligned with signed DPA, EU residency, DSAR tooling, sub-processor transparency
- SOC 2 Type I — audit in progress, Type II window starts Q3 2026
- HIPAA-ready — BAA available on request for healthcare deployments; PHI handling configurable per project
- ISO 27001 — on the roadmap, post-SOC 2
If your compliance team needs something specific (a particular regional certification, a custom DPA term, a regulator-friendly architecture diagram), reach out at security@aitelier.org. Most requests are answerable, and the answer is usually the same one other customers in your regulatory space need.