The 4 Pillars of Trust

We build AI systems with security, transparency and ethics at the core.

Data Sovereignty

CH/EU Hosting

Your data resides in Switzerland and Europe. All sub-processors are contractually bound to EU/CH data protection standards. Where data transfers occur outside the EU/EEA, they are protected by Standard Contractual Clauses (SCCs) or adequacy decisions under applicable regulations.

What This Means for You:

  • Servers in ISO 27001 certified data centers
  • GDPR and Swiss privacy law compliant
  • Daily GPG-encrypted backups of stored records
  • Conversation data: zero retention; processed in real time and never stored. Only the conversation metadata and outcomes described under Audit & Accountability are logged
  • Long-term retention of medical data remains the responsibility of the treating physician
  • Disaster recovery tested quarterly
ISO 27001 aligned, GDPR-compliant

AI Transparency

Automatic Disclosure

Every interaction starts with a clear notice: "I am an AI virtual assistant". Your customers always know who they are talking to.

What This Means for You:

  • Mandatory AI disclosure at the start of every call
  • Human agent transfer option always available
  • Conversation metadata and outcomes logged
  • No "masking" of AI identity
AI disclosure per Art. 50 EU AI Act (Reg. 2024/1689)

Consent & Privacy

Consent-Gate

Responsible outbound automation: proactive calls only with explicit consent. Opt-out always respected with audit trail.

What This Means for You:

  • Explicit consent required for outbound automation
  • Instant opt-out with a simple voice command
  • Immutable record of every consent and revocation
  • Right to be forgotten: data deletion within 30 days
Compliance: GDPR Art. 6-7 (lawfulness of processing, conditions for consent), Swiss FADP

Audit & Accountability

Immutable Logs

Every action is recorded. Immutable logs, conversation metadata, consent records. No "black holes" in AI interactions.

What This Means for You:

  • Immutable logs of every call and action
  • Conversation metadata with precise timestamps
  • Audit trail for consents and revocations
  • Data export in machine-readable format (JSON)
Infrastructure hosted with providers holding SOC 2 Type II attestation reports, in ISO 27001 certified data centers

Technical Security

Multi-Tenant Isolation

Complete logical data separation between clients. Every request is scoped to a single tenant, so cross-tenant data access is prevented by design.

JWT & Role-Based Access

Authentication with signed JWTs whose signature, expiry and audience are checked on every request. Granular role-based access control (RBAC) on top of the verified claims.
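The checks a JWT consumer has to perform, and the RBAC decision layered on the verified claims, as an added example in Python (the page's Jinja2 and MAX_CONTENT_LENGTH references suggest a Flask stack, but the language choice is an assumption). This is not the vendor's code; the secret, the audience value "voice-api", the role-to-permission table and the claim names are all constructed for the example. The same verification routine is what the "JWT verification on all incoming webhooks" item below refers to, so it is not repeated there.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real service loads it from a secret store and rotates it.
DEMO_SECRET = b"constructed-demo-hs256-secret"
EXPECTED_AUD = "voice-api"  # assumed audience claim value

# Assumed role model: each role maps to the permissions it grants (constructed).
ROLE_PERMISSIONS = {
    "admin": {"calls:read", "calls:export", "consents:write", "tenant:manage"},
    "agent": {"calls:read", "consents:write"},
    "viewer": {"calls:read"},
}


class TokenError(Exception):
    """Raised for any token that must not be trusted."""


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims, secret):
    """Mint an HS256 JWT (demo issuer; a production issuer would also set iat and jti)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_token(token, secret, now=None):
    """Return the claims only if the token is well-formed, HS256-signed, unexpired and for our audience."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # binascii.Error and JSON errors are both ValueError subclasses
        raise TokenError("undecodable token") from exc
    # Pin the algorithm: the verifier, never the token, decides. Rejects alg=none and key confusion.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    # Only trust the payload once the signature is known to be good.
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError as exc:
        raise TokenError("undecodable payload") from exc
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenError("expired or missing exp")
    if claims.get("aud") != EXPECTED_AUD:
        raise TokenError("wrong audience")
    return claims


def authorize(claims, permission):
    """RBAC check: does the role carried in the verified claims grant this permission?"""
    return permission in ROLE_PERMISSIONS.get(claims.get("role", ""), set())


def token_status(token, secret, now):
    """Reason string instead of an exception, for request handlers that map it to a 401."""
    try:
        verify_token(token, secret, now)
        return "ok"
    except TokenError as exc:
        return str(exc)
```

The order matters: algorithm pinning and signature verification come before any payload field is read, and the RBAC decision uses only claims that came out of verify_token. A token whose role field was edited fails the signature check, and an "alg": "none" token is rejected before its empty signature is ever compared.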

Rate Limiting

Intelligent anti-abuse rate limiting. Integrated DDoS mitigation.

Encrypted at Rest & in Transit

TLS 1.3 for data in transit. AES-256-GCM (authenticated encryption) for data at rest. Zero compromises.

Vulnerability Scanning

Automated daily scans. Critical patches applied within 24 hours.

Incident Response Plan

Documented and tested procedure. Personal data breaches are notified to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them, per GDPR Art. 33.

Application Security

Protection measures built into application code, validated by the security audit of February 12, 2026.

SQL Injection Prevention

Parameterized queries on all endpoints. Identifiers such as column names cannot be bound as parameters, so any client-chosen column (filters, sort order) is validated against a whitelist before it reaches the query. No string concatenation in SQL queries.
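The two halves of that rule side by side, as an added example that is not the vendor's code: values go through bound parameters, identifiers go through a whitelist. The schema, the rows and the sqlite3 backend are constructed for the demonstration; the insecure list_calls_unsafe function is kept only to show what the concatenation pattern leaks.

```python
import sqlite3

# Identifiers (column names, sort direction) cannot be bound as parameters,
# so they are validated against a whitelist before being spliced into SQL.
SORTABLE_COLUMNS = {"created_at", "status", "duration_s"}


def open_demo_db():
    """In-memory database with constructed rows for two tenants (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE calls (id INTEGER PRIMARY KEY, tenant_id TEXT, status TEXT,"
        " duration_s INTEGER, created_at TEXT)"
    )
    conn.executemany(
        "INSERT INTO calls (tenant_id, status, duration_s, created_at) VALUES (?, ?, ?, ?)",
        [
            ("acme", "completed", 120, "2026-02-10T09:00:00Z"),
            ("acme", "missed", 0, "2026-02-11T09:00:00Z"),
            ("globex", "completed", 45, "2026-02-11T10:00:00Z"),
        ],
    )
    return conn


def list_calls_unsafe(conn, tenant_id, sort_by="created_at"):
    """The anti-pattern: string concatenation. Kept only to show what goes wrong."""
    sql = f"SELECT id, tenant_id, status FROM calls WHERE tenant_id = '{tenant_id}' ORDER BY {sort_by}"
    return conn.execute(sql).fetchall()


def list_calls(conn, tenant_id, status=None, sort_by="created_at", descending=False):
    """Values are bound with '?', the column is whitelisted, the direction is a fixed literal."""
    if sort_by not in SORTABLE_COLUMNS:
        raise ValueError(f"sort column not allowed: {sort_by!r}")
    sql = "SELECT id, tenant_id, status FROM calls WHERE tenant_id = ?"
    params = [tenant_id]
    if status is not None:
        sql += " AND status = ?"
        params.append(status)
    # sort_by is safe to interpolate here only because of the membership test above.
    sql += f" ORDER BY {sort_by} {'DESC' if descending else 'ASC'}"
    return conn.execute(sql, params).fetchall()


def is_sortable(column):
    """Expose the whitelist decision so request validation can fail early with a 400."""
    return column in SORTABLE_COLUMNS
```

With the tenant filter bound as a parameter, the classic payload x' OR '1'='1 is just an unknown tenant id and returns nothing; in the concatenated version the same string returns every tenant's rows, which is exactly the cross-tenant leak the Multi-Tenant Isolation section promises to prevent.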

XSS Prevention

Systematic escaping of values written to the DOM via innerHTML, SVG upload blocking (SVG files can carry scripts), and JSON embedded in Jinja2 templates emitted through tojson|safe, whose output escapes <, >, & and ' so that it cannot break out of a script block.

Path Traversal Protection

Filename sanitization with whitelist validation. Prevention of unauthorized directory access.
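One way to implement whitelist-based filename validation with a second, independent containment check, as an added example in Python (not the vendor's code). The character whitelist, the 128-character bound and the upload directory are assumptions; the point is that anything outside the whitelist is rejected rather than "cleaned", and that the resolved path is proven to lie inside the upload directory even if the first check were bypassed.

```python
import os
import re

# Whitelist (assumed): first character alphanumeric, then letters, digits, dot, dash,
# underscore; no leading dot, no separators, bounded length. Non-ASCII names are rejected
# here; widen the class deliberately if you need them.
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def sanitize_filename(name):
    """Return name unchanged if it passes the whitelist, else raise ValueError."""
    if not isinstance(name, str) or "\x00" in name:
        raise ValueError("filename contains forbidden bytes")
    if os.path.basename(name) != name:  # any path separator present
        raise ValueError("filename must not contain path components")
    if not SAFE_FILENAME.fullmatch(name):
        raise ValueError("filename fails whitelist")
    return name


def safe_upload_path(base_dir, name):
    """Resolve base_dir/name and prove the result still lies inside base_dir."""
    clean = sanitize_filename(name)
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, clean))
    # Independent second check: symlinks or platform quirks cannot move us outside base.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes upload directory")
    return target


def upload_decision(base_dir, name):
    """(accepted, detail) tuple for request handlers that map rejections to a 400."""
    try:
        return True, safe_upload_path(base_dir, name)
    except ValueError as exc:
        return False, str(exc)
```

Validation runs on the decoded filename the framework hands you; an encoded traversal such as ..%2F..%2F is rejected by the whitelist simply because % is not in it, and a name that decodes to contain a separator is rejected by the basename test.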

Webhook Signature Verification

HMAC-SHA256 and JWT verification on all incoming webhooks. Automatic rejection of unsigned payloads.
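The HMAC-SHA256 half of that check, with both the sender's and the receiver's side, as an added example in Python that is not the vendor's code. The header names X-Signature and X-Timestamp, the "timestamp.body" signing input and the five-minute replay window are assumptions; the shared secret and the webhook body are constructed. The JWT variant is the verify_token routine shown under JWT & Role-Based Access.

```python
import hashlib
import hmac
import time

# Constructed shared secret; in production one secret per sending party, from a secret store.
WEBHOOK_SECRET = b"constructed-webhook-secret"
MAX_SKEW_SECONDS = 300  # assumed replay window
# Header names are assumptions; match them to the sender's documented scheme.
SIG_HEADER = "X-Signature"
TS_HEADER = "X-Timestamp"


def sign_webhook(secret, timestamp, raw_body):
    """Sender side: MAC over '<timestamp>.<raw body>' so the timestamp is covered as well."""
    msg = str(int(timestamp)).encode("ascii") + b"." + raw_body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret, headers, raw_body, now=None):
    """Receiver side. Returns (accepted, reason). Run on the raw bytes, before any JSON parsing."""
    sig = headers.get(SIG_HEADER)
    ts = headers.get(TS_HEADER)
    if not sig or not ts:
        return False, "missing signature or timestamp header"
    try:
        ts_int = int(ts)
    except ValueError:
        return False, "malformed timestamp"
    now = int(time.time()) if now is None else int(now)
    if abs(now - ts_int) > MAX_SKEW_SECONDS:
        return False, "timestamp outside replay window"
    expected = sign_webhook(secret, ts_int, raw_body)
    # Constant-time comparison on bytes, so odd header content cannot raise or leak timing.
    if not hmac.compare_digest(expected.encode("ascii"), sig.strip().lower().encode("utf-8")):
        return False, "signature mismatch"
    return True, "ok"
```

Two details a practitioner should keep: verify the bytes exactly as received (re-serializing parsed JSON changes whitespace and key order and breaks the MAC), and treat the timestamp window as a bound on replay rather than a cure for it; within the window a seen-signature cache is what stops an identical delivery being accepted twice.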

Advanced Rate Limiting

Granular per-endpoint limits: 5-10 requests/hour on uploads, brute-force protection on authentication and critical APIs.
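A per-endpoint sliding-window limiter that covers both items above, the 5-per-hour upload limit and the brute-force case on authentication, as an added example in Python that is not the vendor's code. The upload figure follows the page; the 10-per-minute login figure, the key layout and the in-memory store are assumptions (a multi-instance deployment would keep the same decision logic over a shared store such as Redis).

```python
from collections import defaultdict, deque

# Per-endpoint policies: (max requests, window in seconds). The upload figure follows the
# page; the login figure is an assumption for the brute-force case.
POLICIES = {
    "upload": (5, 3600),
    "login": (10, 60),
    "default": (600, 60),
}


class SlidingWindowLimiter:
    """Sliding-window log per (client key, endpoint), kept in process memory for the demo."""

    def __init__(self, policies=POLICIES):
        self.policies = policies
        self.hits = defaultdict(deque)  # key -> timestamps of accepted requests

    def allow(self, client_key, endpoint, now):
        """Return (allowed, retry_after_seconds)."""
        limit, window = self.policies.get(endpoint, self.policies["default"])
        log = self.hits[(client_key, endpoint)]
        while log and log[0] <= now - window:  # drop hits that fell out of the window
            log.popleft()
        if len(log) >= limit:
            return False, max(1, int(log[0] + window - now))
        log.append(now)
        return True, 0

    def allow_login(self, remote_addr, username, now):
        """Brute-force protection keyed on the source IP AND on the target account, so an
        attacker cannot reset the budget by rotating IPs or by spraying many accounts."""
        ok_ip, wait_ip = self.allow(f"ip:{remote_addr}", "login", now)
        ok_user, wait_user = self.allow(f"user:{username.lower()}", "login", now)
        return ok_ip and ok_user, max(wait_ip, wait_user)


def client_key(remote_addr, user_id=None, tenant_id=None):
    """Authenticated traffic is keyed on tenant and user; anonymous traffic on the source IP."""
    if user_id is not None:
        return f"tenant:{tenant_id}:user:{user_id}"
    return f"ip:{remote_addr}"
```

The retry_after value is what goes into a Retry-After header on the 429 response. Keying authenticated uploads on the user rather than the IP keeps one office NAT from exhausting a shared budget, while the login limiter deliberately keys on both dimensions.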

PII Masking

Automatic masking of emails and personal data in application logs. No sensitive data in plaintext in logs.
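A logging filter that masks e-mail addresses and phone numbers before a line reaches any handler, as an added example in Python that is not the vendor's code. The patterns, the masking shape (first letter plus TLD for e-mails, last two digits for phone numbers) and the sample log lines are constructed; the phone pattern is tuned to match E.164 and Swiss formats without swallowing 8-digit dates.

```python
import io
import logging
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Optional +/00 prefix, then 9 to 15 digits with at most one separator between digits.
# Nine digits minimum keeps ISO dates such as 2026-02-12 (8 digits) out of the match.
PHONE_RE = re.compile(r"(?:\+|00)?\d(?:[ ./-]?\d){8,14}")


def mask_pii(text):
    """Redact e-mails and phone numbers, keeping just enough shape to correlate log lines."""
    def mask_email(m):
        local, domain = m.group(0).split("@", 1)
        tld = domain.rsplit(".", 1)[-1]
        return f"{local[0]}***@***.{tld}"

    def mask_phone(m):
        digits = re.sub(r"\D", "", m.group(0))
        return "***" + digits[-2:]

    text = EMAIL_RE.sub(mask_email, text)
    return PHONE_RE.sub(mask_phone, text)


class PIIMaskingFilter(logging.Filter):
    """Masks the fully formatted message, so PII passed through %-style args is covered too."""

    def filter(self, record):
        record.msg = mask_pii(record.getMessage())
        record.args = ()
        return True


def build_logger(stream):
    """Standalone logger (not the shared registry) whose handler applies the filter."""
    logger = logging.Logger("pii-demo")
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(PIIMaskingFilter())
    logger.addHandler(handler)
    return logger


def log_masked(fmt, *args):
    """Log one line through the filter and return what actually reached the handler."""
    buf = io.StringIO()
    build_logger(buf).info(fmt, *args)
    return buf.getvalue().rstrip("\n")
```

Attach the filter to the handler rather than to a logger: logger-level filters are skipped for records that arrive through propagation from child loggers, handler-level filters are not. Exception tracebacks carry their own copies of variables and need separate handling.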

Upload Size Limits

MAX_CONTENT_LENGTH = 10MB. File type and size validation on all upload endpoints.
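An upload validator covering the size limit above and the SVG upload blocking mentioned under XSS Prevention, as an added example in Python that is not the vendor's code. It assumes the framework has already rejected bodies larger than MAX_CONTENT_LENGTH (as Flask does with a 413) and applies the application-level checks on what arrives: extension whitelist, magic bytes that must agree with the extension, and an unconditional rejection of SVG/HTML/XML content whatever the file is called. The allowed types and the sample files are constructed.

```python
MAX_CONTENT_LENGTH = 10 * 1024 * 1024  # 10 MB, the figure from the page

# Extension whitelist with the magic bytes each type must start with (constructed list).
MAGIC = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}
# Markup a browser would render as a document or execute: rejected regardless of the name.
ACTIVE_MARKERS = (b"<svg", b"<?xml", b"<!doctype", b"<html", b"<script")


def validate_upload(filename, data, max_len=MAX_CONTENT_LENGTH):
    """Return (accepted, reason). Size, extension whitelist, content sniffing, magic bytes."""
    if len(data) > max_len:
        return False, "too large"
    if "." not in filename:
        return False, "missing extension"
    ext = filename.rsplit(".", 1)[1].lower()
    if ext == "svg" or ext not in MAGIC:
        return False, f"extension not allowed: {ext}"
    # Sniff the head after stripping a UTF-8 BOM and whitespace, the way a browser would.
    head = data[:512].lstrip(b"\xef\xbb\xbf \t\r\n").lower()
    if any(marker in head for marker in ACTIVE_MARKERS):
        return False, "markup content rejected"
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False, f"content does not match .{ext}"
    return True, "ok"
```

The content check matters more than the extension check: an SVG renamed to .png is still SVG to a browser that sniffs it. Since PDFs can also carry scripts, serving accepted files with Content-Disposition: attachment and a fixed Content-Type closes the remaining browser-side path.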

Security You Can See in Action

Request a demo to see our audit logs, transcripts and compliance controls in action.