How we secure the voice data you trust us with. Audited controls, EU-only hosting, transparent sub-processors — and every customer can verify each control themselves.
Every control in this section is in production today, and each entry links to where you can verify it against your own data. Your data, your audit.
Row Level Security is enabled (ENABLE ROW LEVEL SECURITY) on every PII table (calls, leads, organizations, users, agents, recordings), with policies that restrict each row to members of the organisation that owns it. Cross-organisation reads are possible only from the backend, using the signed service-role credential. Postgres applies RLS policies to every role except superusers, roles with BYPASSRLS and, by default, the table owner, which is why that credential must never leave the server.
Every admin action, impersonation, and PII access is written to audit_logs. Two Postgres rules on that table, prevent_audit_update and prevent_audit_delete, rewrite UPDATE and DELETE so they have no effect, making the log append-only by design. The rules bind every role that writes to the table; only the table owner or a superuser can drop them, so the guarantee is as strong as the control over those two privileges.
Customers delete their data self-service at /preferences/privacy in the dashboard. People who are not customers (for example, callers) use vocito.ai/forget-me, where the request is confirmed through an HMAC-signed email confirmation before anything is removed. Deletions propagate to the Twilio recordings and ElevenLabs agents that hold the data.
Each organisation chooses a retention window of 30, 90, 180 or 365 days. A cron job runs daily at 03:00 UTC and, for records older than the organisation's window, purges transcripts, anonymises lead names, and deletes the corresponding Twilio recordings.
Every row in the security_incidents table feeds a cron job that runs every 30 minutes and pages the DPO mailbox until that row's notified_at is set. An internal runbook covers containment and the 72-hour notification to the supervisory authority (AP) that GDPR Art. 33 requires.
Every customer agent carries a recording disclaimer, localised per language, in its first_message; the backend rejects any custom greeting that omits it. No "silent recording" surprises.
For enterprise customers and high-sensitivity niches (legal, healthcare, financial), transcripts can additionally be encrypted at the application layer with AES-256-GCM under a key that only the backend holds, so a direct database query, dump or backup yields ciphertext rather than text.
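As an added worked example of the application-layer encryption described above (this is illustrative code, not Vocito's implementation), the block below encrypts a transcript with AES-256-GCM and shows the two properties a practitioner should check: a flipped ciphertext byte is rejected, and a blob copied onto a different call's row is rejected because the organisation and call identifiers are bound in as associated data. The key lives in-process here; in production it would come from the backend's secret store. The blob layout (nonce || ciphertext || tag), the AAD encoding and the identifiers are assumptions. Requires the `cryptography` package.

```python
"""AES-256-GCM encryption of a transcript at the application layer.

Added example, not Vocito's code. Assumes a 32-byte key that only the backend
holds (generated in-process here), a fresh random 96-bit nonce per record, and
the organisation and call identifiers bound in as associated data (AAD) so a
blob cannot be re-attached to another call's row. The stored blob layout
(nonce || ciphertext || tag) is also an assumption.
"""
import json
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12   # 96-bit nonce, the size GCM is specified for
TAG_LEN = 16     # authentication tag that AESGCM.encrypt appends


def new_key() -> bytes:
    """Random 256-bit key; in production this lives in the backend's KMS/secret store."""
    return AESGCM.generate_key(bit_length=256)


def _aad(org_id: str, call_id: str) -> bytes:
    """Authenticated-but-not-encrypted context that ties the blob to one row."""
    return json.dumps({"org": org_id, "call": call_id}, sort_keys=True).encode()


def encrypt_transcript(key: bytes, org_id: str, call_id: str, transcript: str) -> bytes:
    if len(key) != 32:
        raise ValueError("AES-256-GCM requires a 32-byte key")
    nonce = os.urandom(NONCE_LEN)          # must never repeat under the same key
    ct = AESGCM(key).encrypt(nonce, transcript.encode("utf-8"), _aad(org_id, call_id))
    return nonce + ct                      # nonce || ciphertext || 16-byte tag


def decrypt_transcript(key: bytes, org_id: str, call_id: str, blob: bytes) -> str:
    """Raises InvalidTag if the blob, the key, or the (org, call) context is wrong."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise InvalidTag()
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return AESGCM(key).decrypt(nonce, ct, _aad(org_id, call_id)).decode("utf-8")


def decrypts_ok(key: bytes, org_id: str, call_id: str, blob: bytes) -> bool:
    try:
        decrypt_transcript(key, org_id, call_id, blob)
        return True
    except InvalidTag:
        return False


def demo() -> dict:
    """Round trip, then three failure modes: flipped byte, moved blob, wrong key."""
    key = new_key()
    text = "Caller: I'd like to cancel my appointment."   # constructed sample transcript
    blob = encrypt_transcript(key, "org_123", "call_456", text)
    flipped = bytearray(blob)
    flipped[NONCE_LEN] ^= 0x01                              # first ciphertext byte
    return {
        "roundtrip": decrypt_transcript(key, "org_123", "call_456", blob),
        "overhead": len(blob) - len(text.encode("utf-8")),  # nonce + tag = 28 bytes
        "tampered_accepted": decrypts_ok(key, "org_123", "call_456", bytes(flipped)),
        "moved_accepted": decrypts_ok(key, "org_123", "call_999", blob),
        "wrong_key_accepted": decrypts_ok(new_key(), "org_123", "call_456", blob),
    }


if __name__ == "__main__":
    print(demo())
```

The nonce is stored alongside the ciphertext rather than derived from anything, because GCM is only safe while (key, nonce) pairs never repeat; random 96-bit nonces are fine at transcript volumes, and a key rotation scheme (key id stored with the blob) is the usual next step.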
For callers from DE / AT / CH / PL, an optional pre-call DTMF prompt asks for explicit consent before the recording starts. Toggleable per organisation.
The full sub-processor list is published with each provider's region, role, and safeguards. An automated email notifies customers 30 days before any new sub-processor goes live (Art. 28.3).
What's actively being added in 2026.
| Control | Status | Target |
|---|---|---|
| SOC 2 Type 1 readiness assessment | Preparing evidence | Q3 2026 |
| ISO 27001 gap analysis | Scoping | Q4 2026 |
| Per-region data hosting (US option) | Design phase | Q4 2026 |
| Customer-side webhook signature verification (HMAC-SHA256) | In progress | Q3 2026 |
| Bug bounty programme | Sourcing platform | Q4 2026 |
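As an added worked example (not Vocito's code) covering two HMAC-SHA256 uses on this page, the signed email confirmation behind vocito.ai/forget-me above and the customer-side webhook signature verification listed as in progress in the table, the block below implements both sides of each check. The token layout (`<payload>.<sig>`), the header names `X-Vocito-Timestamp` and `X-Vocito-Signature`, the `v1=` prefix and the `<timestamp>.<raw body>` message are assumptions, not Vocito's wire format; verify against the published spec once it ships.

```python
"""HMAC-SHA256 sign/verify for two of the page's controls: the signed email
confirmation behind vocito.ai/forget-me and customer-side webhook signature
verification. Added example, not Vocito's code; the token layout, header names
and canonical message formats are assumptions, not Vocito's wire format.
"""
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(secret: bytes, message: bytes) -> bytes:
    return hmac.new(secret, message, hashlib.sha256).digest()


# --- (1) forget-me confirmation: "<payload>.<sig>", payload = {"email", "exp"} ---

def make_confirmation_token(secret: bytes, email: str, now: int, ttl: int = 3600) -> str:
    """Token mailed to the requester; valid for `ttl` seconds from `now` (epoch seconds)."""
    payload = json.dumps({"email": email, "exp": now + ttl},
                         sort_keys=True, separators=(",", ":")).encode()
    return _b64u(payload) + "." + _b64u(_mac(secret, payload))


def verify_confirmation_token(secret: bytes, token: str, now: int) -> Optional[str]:
    """Returns the confirmed email, or None for a forged, altered or expired token."""
    try:
        p64, s64 = token.split(".", 1)
        payload, sig = _unb64u(p64), _unb64u(s64)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(sig, _mac(secret, payload)):   # constant-time compare
        return None
    data = json.loads(payload)            # parsed only after the MAC checks out
    if now >= data["exp"]:
        return None
    return data["email"]


# --- (2) webhook: X-Vocito-Signature: v1=<hex> over "<ts>.<raw body>" ---

def _webhook_mac(secret: bytes, ts: int, body: bytes) -> str:
    return hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()


def sign_webhook(secret: bytes, ts: int, body: bytes) -> dict:
    """Sender side: headers to attach to a delivery whose raw body is `body`."""
    return {"X-Vocito-Timestamp": str(ts),
            "X-Vocito-Signature": "v1=" + _webhook_mac(secret, ts, body)}


def verify_webhook(secret: bytes, headers: dict, body: bytes, now: int,
                   tolerance: int = 300) -> bool:
    """Receiver side: check the raw request bytes, not a re-serialised JSON object."""
    try:
        ts = int(headers["X-Vocito-Timestamp"])
        version, sent = headers["X-Vocito-Signature"].split("=", 1)
    except (KeyError, ValueError):
        return False
    if version != "v1" or abs(now - ts) > tolerance:   # replay window
        return False
    expected = _webhook_mac(secret, ts, body)
    return hmac.compare_digest(sent.encode(), expected.encode())
```

Two details matter in practice: the webhook MAC must be computed over the exact bytes received (re-serialising the JSON changes whitespace and key order and breaks the signature), and the timestamp is inside the signed message so an attacker cannot refresh a captured delivery's header to slip it back inside the tolerance window.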
If you've found a security issue, please email security@vocito.ai — we aim to acknowledge within one business day. Coordinated disclosure preferred. We don't currently pay bounties but will publicly credit responsible reporters in this page's footer.
Enterprise & regulated customers can request signed agreements.
Contact security@vocito.ai