Security · Trust · Data handling

A call is a record.
A record is a liability.
We treat it like one.

Every call Assay places or answers becomes a piece of regulated data the second it lands. We built the storage, retention, and access controls around that assumption — not bolted on after the first audit.

  • CCPA compliant
  • US servers only
  • TLS 1.3 in transit
  • AES-256 at rest
  • HIPAA-eligible workflow · roadmap
  • 90-day default retention
  • Federal & state DNC checked

The trust pillars first, in plain English.

The three things you need to know first

Where it lives. Who can see it. When it disappears.

Where it lives

US-based, region-locked, never crosses a border.

All call audio, transcripts, and Assay Scores live on Hetzner infrastructure in a US-deployed region, replicated only within that region. No EU mirroring. No third-country processing. Enterprise customers can choose a dedicated US deployment region.

Who can see it

You, your team, and a tiny set of named engineers.

Customer data is gated behind role-based access. Engineering access is break-glass only — every read of customer audio or transcript is logged with a justification, reviewed weekly, and exported to your audit log if you ask. No support agent can listen to a call without a customer ticket open against that call ID.

When it disappears

90 days by default. 7 days on request. Never trained on.

Call audio is purged 90 days after the call. Transcripts and scores can be retained longer in your CRM if you choose. Enterprise can dial retention down to 7 days. Your call data is never used to train the underlying model, ever.

Now follow the data.

The data flow

Where a call goes, in order.

Five hops. Each one happens inside a boundary you can name. Nothing waits in a queue; nothing gets emailed to a vendor; nothing leaves the region.

  • 01 Capture (Retell AI · TLS 1.3): Retell AI handles call routing and voice infrastructure. Audio streams encrypted in transit via TLS 1.3.
  • 02 Transcribe (Retell AI · in-memory): Speech-to-text runs within Retell AI's infrastructure. Audio chunks are held in memory only, never written to disk.
  • 03 Score (Hetzner VPS · US region): Scoring model runs inline. Inputs and outputs encrypted at rest.
  • 04 Dispatch (Your stack · OAuth scoped): Outbound to your CRM/calendar via signed, scoped, short-lived tokens.
  • 05 Retain (Your retention window): Audio purged at 90 days. Score + reasoning retained until you delete it.

Everything below is the buyer-facing detail. Drop it into your security review.

The full detail

Buyer-facing detail.
Built for security reviews.

Assay is a CCPA-covered Service Provider, not a third-party data seller. We accept end-user deletion requests routed through your account at any time and complete them within 45 days as required. Right-to-know requests against an account's underlying contact list are returned in machine-readable form within 30 days.

Our subprocessor list (Retell AI, ElevenLabs, Gemini 2.0 Flash, Supabase, Hetzner, Stripe) is published and versioned at getassay.io/legal/subprocessors. Customers are notified by email 30 days in advance of any subprocessor change.

Assay is HIPAA-eligible on the Enterprise tier with a signed Business Associate Agreement. The HIPAA-eligible workflow is on the roadmap and includes a dedicated deployment region, audit logging at the field level, and a configurable retention floor down to 7 days for call audio. We do not commit to a public ship date for it.

Dental, medical, and mental-health practices currently on Starter or Professional tier should run with PHI-minimization scripts — we publish vertical-specific script templates that avoid capturing diagnosis-level information until after a human handoff.

Every outbound dial goes through a four-step gate: federal DNC check, state DNC check, internal DNC check (numbers you've flagged), and time-of-day gate per recipient timezone. Numbers flagged by the recipient during a call are added to your internal DNC list automatically and never re-dialed.
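The four-step gate above, written out as an added example (this is illustrative code, not Assay's own dialer): the checks run in the order the page gives them and stop at the first block, and a number the recipient flags mid-call goes straight onto the internal list. The DNC lists, phone numbers and the 08:00 to 21:00 local calling window are constructed assumptions for the example; the page does not state the hours it uses.

```python
"""Outbound dial gate: federal DNC -> state DNC -> internal DNC -> time-of-day in the recipient's timezone."""
from dataclasses import dataclass, field
from datetime import datetime, time, timezone, timedelta, tzinfo

# Assumed local calling window (the page does not state Assay's hours).
WINDOW_START = time(8, 0)
WINDOW_END = time(21, 0)


def normalize(number: str) -> str:
    """Reduce a US number to E.164 so list lookups are exact-match."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) == 10:
        digits = "1" + digits
    if len(digits) != 11 or not digits.startswith("1"):
        raise ValueError(f"not a US number: {number!r}")
    return "+" + digits


@dataclass
class DialGate:
    federal_dnc: set
    state_dnc: dict                       # state code -> set of E.164 numbers
    internal_dnc: set = field(default_factory=set)

    def check(self, number: str, state: str, recipient_tz: tzinfo, now: datetime):
        """Return (allowed, reason). Checks run in order and stop at the first block."""
        n = normalize(number)
        if n in self.federal_dnc:
            return False, "federal_dnc"
        if n in self.state_dnc.get(state, set()):
            return False, "state_dnc"
        if n in self.internal_dnc:
            return False, "internal_dnc"
        # Time-of-day gate is evaluated in the recipient's local time, not the dialer's.
        local = now.astimezone(recipient_tz)
        if not (WINDOW_START <= local.time() < WINDOW_END):
            return False, "outside_calling_hours"
        return True, "ok"

    def flag_during_call(self, number: str) -> None:
        """Recipient asked not to be called again: add to internal DNC so it is never re-dialed."""
        self.internal_dnc.add(normalize(number))


if __name__ == "__main__":
    # Constructed sample data, not real DNC entries.
    from zoneinfo import ZoneInfo
    gate = DialGate(federal_dnc={"+15550100001"}, state_dnc={"CA": {"+15550100002"}})
    noon_utc = datetime(2024, 6, 3, 16, 0, tzinfo=timezone.utc)
    print(gate.check("555-010-0001", "NY", ZoneInfo("America/New_York"), noon_utc))
    print(gate.check("(555) 010-0002", "CA", ZoneInfo("America/Los_Angeles"), noon_utc))
    gate.flag_during_call("555-010-0003")
    print(gate.check("5550100003", "NY", ZoneInfo("America/New_York"), noon_utc))
```

The state list is keyed by the recipient's state rather than the number's area code, since a number on one state's registry is not automatically blocked in another; the example deliberately lets a CA-listed number through for a NY recipient so that difference is visible.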

Consent capture is logged on every call. The full transcript is available as evidence in the event of a TCPA complaint, and we will produce it without subpoena if you ask. For a full breakdown of what the TCPA requires for AI-generated outbound calls, see our practical compliance guide.

All transport uses TLS 1.3 with certificates rotated every 60 days. At rest, customer data uses AES-256-GCM with per-tenant keys. Key access is logged; key rotation is automatic every 90 days; customer-managed keys are available on the Enterprise tier.

Call audio is never written to disk in unencrypted form. Transcripts are encrypted at the row level in our database.

SSO via Google Workspace and Microsoft Entra is standard on all paid tiers. SAML 2.0 is available on Enterprise. Multi-factor authentication is required for every admin account by default and cannot be disabled.

Role-based access lets you give clients read-only access to their own data, give your agency team read-write to their assigned accounts, and reserve admin functions to a named owner. Every action is logged to an exportable audit log retained for 365 days.

Every admin action, every data export, and every break-glass engineering access is logged with timestamp, actor, and resource. The full log is exportable as JSON or CSV from your dashboard at any time and is retained for 365 days. Enterprise customers can stream the audit log to their own SIEM in real time via webhook or Splunk HEC.

We conduct annual third-party security reviews. Our coordinated vulnerability disclosure policy is available at /legal/security. We do not currently operate a public bug bounty program.

The complete list of subprocessors, with the data they process and the region they process it in:

  • Retell AI — voice orchestration, STT, call handling. US-hosted.
  • ElevenLabs — speech synthesis (TTS). US inference.
  • Gemini 2.0 Flash (Google) — LLM decision engine. No-retention enterprise endpoint.
  • Supabase — database. US region.
  • Hetzner — compute and storage. US deployment for Assay.
  • Stripe — payment processing. No call data transmitted.

Incidents involving customer data are disclosed by email to the named account owner within 24 hours of detection, and to all affected accounts within 72 hours, regardless of severity. Public post-mortems are published at /status within 14 days for any P0 or P1 incident.

Enterprise customers can select a dedicated deployment region within the United States. We do not currently offer non-US data residency, and we will not pretend otherwise.

Need a deeper look?

BAA, vulnerability disclosures, audit support.
Available on request.

Email [email protected] from a domain matching your account. We respond within one business day.
