Security · Compliance

Data protection is a product feature.

Rufen handles phone calls — the most personal channel a business has. We treat your customers' voice and transcripts with the same care a German hospital treats patient records: encrypted, EU-resident, audit-logged, deleted on schedule.

Data lifecycle

Every call traced — from ring to deletion.

Voice data flows through four supervised stages. Each has its own controls, retention schedule, and audit trail.

  01 · Collection

    Captured at the edge.

    • Inbound audio captured by an EU-regulated SIP carrier — no third-country hop.
    • Caller is informed an AI is on the line (EU AI Act, Art. 50).
    • Only data needed for the call is recorded — no caller location, no device fingerprinting.

  02 · Processing

    Encrypted, isolated, observed.

    • TLS 1.3 in transit between every internal hop.
    • STT, LLM, and TTS happen in EU regions on your chosen provider keys.
    • Each call gets a unique trace id — every prompt, token, and tool call is logged.

  03 · Storage

    Schema-per-tenant, AES-256.

    • PostgreSQL schema-per-tenant — your data sits in its own namespace, no shared tables.
    • AES-256 at rest via AWS KMS-managed keys (eu-central-1 by default).
    • Encrypted daily backups with 30-day retention; restore drills quarterly.

  04 · Deletion

    Automatic, verifiable, final.

    • Default 90-day retention for transcripts and recordings — overridable to as low as 1 day per tenant.
    • Automated deletion runs nightly; a ledger row is written to the audit log on every purge.
    • On account closure, full tenant data is purged within 30 days. Confirmation provided in writing.

GDPR / DSGVO

Compliance is the floor, not the goal.

Built EU-first. We map every safeguard back to a specific GDPR article — no ambiguity, no "trust us."

Art. 25 GDPR

Privacy by design.

Multi-tenant isolation, data minimisation, BYOK key separation, and EU-only sub-processors are baked into the architecture — not added after the fact.

Art. 15–22 GDPR

Data subject rights, end to end.

Access, rectification, erasure, portability, and objection requests are handled inside the console. Most resolve in under 7 days; the statutory ceiling is 30 days.

Art. 32 GDPR

Engineered for the worst day.

Encryption in transit and at rest, role-based access control, MFA-enforced admin login, incident response runbook with a 72-hour notification target.

Technical & organisational measures

Concrete controls, not buzzwords.

Every claim below is implemented in the running platform today. Customers on Growth and Platform can request the full TOM document for their security team.

Encryption

  • TLS 1.3 for every network hop — public APIs, internal services, database connections.
  • AES-256 at rest via AWS KMS; keys rotated automatically.
  • BYOK customer model keys envelope-encrypted with a per-row DEK.
  • Phone-audio streams (AudioSocket / SIP) never leave EU regions in cleartext.
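The "envelope-encrypted with a per-row DEK" line above describes a standard pattern that is worth seeing end to end. The following is an added example, not Rufen's code: each row gets a fresh AES-256 data encryption key (DEK) that encrypts the customer's model key, and the DEK itself is wrapped under a key encryption key (KEK). The KEK here is a constructed in-memory key standing in for the AWS KMS key the page describes; the tenant id is bound in as GCM additional authenticated data, so a row lifted into another tenant's schema fails to unwrap rather than decrypting. Type and function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeyService stands in for the KMS wrap/unwrap boundary. The kek field is a
// constructed in-memory key; with real KMS the KEK would never leave the service.
type KeyService struct{ kek []byte }

func NewKeyService() (*KeyService, error) {
	kek := make([]byte, 32) // AES-256
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		return nil, err
	}
	return &KeyService{kek: kek}, nil
}

// WrappedSecret is what the database row stores: never the DEK in the clear.
type WrappedSecret struct {
	TenantID   string
	WrappedDEK []byte // DEK encrypted under the KEK
	Ciphertext []byte // secret encrypted under the DEK
}

// seal returns nonce||ciphertext||tag under AES-256-GCM. aad is authenticated but
// not encrypted; binding the tenant id here ties the blob to one tenant.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptForRow generates a DEK for this row only, encrypts the secret with it,
// wraps the DEK under the KEK, and zeroes the plaintext DEK before returning.
func (ks *KeyService) EncryptForRow(tenantID string, secret []byte) (WrappedSecret, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return WrappedSecret{}, err
	}
	defer func() {
		for i := range dek {
			dek[i] = 0
		}
	}()
	aad := []byte(tenantID)
	ct, err := seal(dek, secret, aad)
	if err != nil {
		return WrappedSecret{}, err
	}
	wrapped, err := seal(ks.kek, dek, aad)
	if err != nil {
		return WrappedSecret{}, err
	}
	return WrappedSecret{TenantID: tenantID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRow unwraps the DEK under the caller's tenant id, then decrypts the secret.
// A mismatched tenant id fails at the unwrap step, before the secret is touched.
func (ks *KeyService) DecryptRow(tenantID string, row WrappedSecret) ([]byte, error) {
	aad := []byte(tenantID)
	dek, err := open(ks.kek, row.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for tenant %q: %w", tenantID, err)
	}
	defer func() {
		for i := range dek {
			dek[i] = 0
		}
	}()
	return open(dek, row.Ciphertext, aad)
}

func main() {
	ks, err := NewKeyService()
	if err != nil {
		panic(err)
	}
	// Constructed sample secret; a real row would hold the customer's provider key.
	row, _ := ks.EncryptForRow("tenant-a", []byte("constructed-provider-api-key"))
	plain, err := ks.DecryptRow("tenant-a", row)
	fmt.Printf("own tenant: %s (err=%v)\n", plain, err)
	_, err = ks.DecryptRow("tenant-b", row)
	fmt.Printf("other tenant: err=%v\n", err)
}
```

Rotating the KEK in this design means re-wrapping only the small WrappedDEK values, never re-encrypting the secrets themselves, which is why per-row DEKs pair well with the automatic key rotation mentioned above.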

Access control

  • MFA enforced for every admin login (TOTP via authenticator apps).
  • 47 fine-grained permissions across 12 resources · 4 system roles + custom roles.
  • Every privileged action written to an immutable audit log.
  • No founder backdoor — engineers access tenant data only through the console, with customer consent and an audit trail.

Monitoring & response

  • Every call and every LLM completion traced end-to-end with a unique correlation id.
  • Anomalous activity (rate spikes, geo-impossible logins) raises alerts.
  • Incident response runbook with 72-hour breach notification target (GDPR Art. 33).
  • Penetration test before public beta; annual thereafter.

Multi-tenant isolation

  • PostgreSQL schema-per-tenant — physically separated tables, not row-level filtering.
  • Cross-tenant queries cannot be constructed at the ORM level by design.
  • Background jobs run in tenant-scoped contexts; thread-local schema enforced.
  • Each tenant can host its own dedicated voice worker on Platform.
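The isolation bullets above (schema-per-tenant, no cross-tenant queries at the ORM level, tenant-scoped background jobs) are easier to reason about with a concrete gate in front of the database. The following is an added example and not Rufen's code: the tenant id travels in a Go context, no statement can be built without one, the id is validated before it is interpolated into SET search_path (which cannot take a bind parameter, so it must be guarded), the search_path is pinned to the tenant schema alone so unqualified names never resolve to shared tables, and any explicit reference to another tenant's schema is refused. The schema naming convention and identifier pattern are this example's assumptions.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

type tenantKey struct{}

// tenantIDPattern is deliberately strict: lower-case letters, digits and underscore
// only, so an id can never carry quotes, dots or whitespace into SQL.
var tenantIDPattern = regexp.MustCompile(`^[a-z][a-z0-9_]{0,30}$`)

// schemaRefPattern finds schema-qualified references to any tenant schema.
var schemaRefPattern = regexp.MustCompile(`(?i)\btenant_([a-z0-9_]+)\.`)

// WithTenant validates the id and attaches it to the context. Everything that
// touches the database derives its schema from this value and nothing else.
func WithTenant(ctx context.Context, tenantID string) (context.Context, error) {
	if !tenantIDPattern.MatchString(tenantID) {
		return nil, fmt.Errorf("invalid tenant id %q", tenantID)
	}
	return context.WithValue(ctx, tenantKey{}, tenantID), nil
}

// TenantFrom returns the tenant attached to ctx, if any.
func TenantFrom(ctx context.Context) (string, bool) {
	id, ok := ctx.Value(tenantKey{}).(string)
	return id, ok
}

// SchemaFor maps a validated tenant id to its PostgreSQL schema name (assumed convention).
func SchemaFor(tenantID string) string { return "tenant_" + tenantID }

// ScopedStatements returns the statements a tenant-aware executor would run for one
// query: a transaction whose search_path is pinned to the tenant schema only (no
// "public"), the query itself, and a commit. It fails closed when no tenant is set.
func ScopedStatements(ctx context.Context, query string) ([]string, error) {
	tenantID, ok := TenantFrom(ctx)
	if !ok {
		return nil, errors.New("no tenant in context; refusing to run query")
	}
	own := SchemaFor(tenantID)
	// PostgreSQL folds unquoted identifiers to lower case, so compare case-insensitively.
	for _, m := range schemaRefPattern.FindAllStringSubmatch(query, -1) {
		if "tenant_"+strings.ToLower(m[1]) != own {
			return nil, fmt.Errorf("query references foreign schema tenant_%s", m[1])
		}
	}
	return []string{
		"BEGIN",
		fmt.Sprintf(`SET LOCAL search_path TO "%s"`, own), // own already passed tenantIDPattern
		query,
		"COMMIT",
	}, nil
}

// RunJob is the wrapper every background job goes through: it re-checks the tenant
// scope before handing control to the job body, so a job cannot run unscoped.
func RunJob(ctx context.Context, job func(ctx context.Context) error) error {
	if _, ok := TenantFrom(ctx); !ok {
		return errors.New("background job started without tenant scope")
	}
	return job(ctx)
}

func main() {
	ctx, err := WithTenant(context.Background(), "acme") // constructed tenant id
	if err != nil {
		panic(err)
	}
	stmts, _ := ScopedStatements(ctx, "SELECT id, started_at FROM calls WHERE id = $1")
	for _, s := range stmts {
		fmt.Println(s)
	}
	_, err = ScopedStatements(context.Background(), "SELECT 1")
	fmt.Println("unscoped:", err)
	_, err = ScopedStatements(ctx, "SELECT * FROM tenant_other.calls")
	fmt.Println("foreign schema:", err)
}
```

Note that pg_catalog is always searched implicitly, so pinning search_path to the tenant schema removes "public" and other tenants from name resolution but not the system catalog; the foreign-schema check is defence in depth for code that qualifies names explicitly.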
EU data residency

Your customers' voices never leave the EU.

Hosting, processing, and storage all happen in the European Union by default. No US transfers, no transatlantic Standard Contractual Clauses required for the core platform.

  • Primary region: AWS Frankfurt (eu-central-1).
  • Telephony via an EU-regulated SIP carrier (specific provider disclosed on request).
  • Marketing site and CDN run on Cloudflare's EU edge nodes.
  • Sub-processors are limited and listed in the Privacy Policy.
Documentation on request

What your security team gets.

We package these for your DPO, CISO, or procurement team. Most respond in one business day.

Privacy Policy · Live
  Published — what we collect, how we use it, who we share with.

Data Processing Agreement (DPA / AVV) · On request
  GDPR Art. 28 template — signed mutually before production traffic.

Technical & Organisational Measures (TOM) · On request
  Full document mapping every control to the GDPR articles it satisfies.

Sub-processor list · On request
  Live list of every vendor that touches customer data, with their region and DPA links.

Rufen AI is in private beta from Leipzig, Germany. SOC 2 Type I is on the roadmap for our first audit cycle; ISO 27001 will follow once we have enterprise customers requesting it. We will not put a badge here until the audit is real.