Trust · Compliance

Compliance Overview

Last reviewed: 2026-05-15 For procurement & security teams

This page summarises our compliance posture for security teams, procurement, and enterprise customers conducting a vendor review. We update it as new controls land. For a structured questionnaire response (SIG, CAIQ, SOC2 readiness statement), email trust@vaitl.ai.

01Compliance posture

  • GDPR
    Aligned · DPA available
  • EU AI Act
    Transparency & provider disclosure implemented
  • SOC 2 Type II
    Readiness in progress · audit window {{AuditWindow}}
  • ISO 27001
    Mapped · certification on roadmap
  • App Store / Google Play
    Privacy labels & data-safety forms current
  • Apple ATT / DSA
    Compliant

02GDPR readiness

  • Lawful basis identified for every processing activity (see Privacy Policy §8).
  • Records of Processing Activities (RoPA) maintained internally.
  • Data Processing Agreement (DPA) and Standard Contractual Clauses available on request.
  • Data Protection Officer (DPO) appointed for EU operations.
  • Data subject rights handled within 30 days (export, deletion, rectification, portability).
  • Privacy by design and by default — verified through architectural review for every major release.
  • Sub-processor list published; 30-day notice for any material change.

03EU AI Act readiness

  • SpeechKey falls under limited-risk AI per the AI Act classification.
  • AI-generated content is clearly labelled in-app and on exports.
  • Users are informed they are interacting with AI (in-app onboarding, ToS, AI Disclaimer).
  • Provider model list and routing logic are inspectable by enterprise admins.
  • We do not use customer audio or transcripts to train models.

04Privacy-first architecture

  • BYOK by default — audio goes directly from your device to your chosen AI provider; there is no SpeechKey server in the data path.
  • Keys and transcripts are encrypted on-device (iOS Keychain); end-to-end TLS 1.3 to the provider.
  • Region pinning available for EU and APAC enterprise deployments.

05Data minimisation

  • Live audio is not persisted.
  • Transcript history is opt-in.
  • Analytics is opt-in and aggregated; no raw conversation content ever leaves your tenant.
  • Logs are redacted; payload content is excluded from telemetry by default.

06Enterprise controls

  • SSO — SAML 2.0 and OIDC; SCIM provisioning.
  • RBAC — granular roles for admin, billing, audit-viewer and end user.
  • BYOK management — central provider key rotation with audit trail.
  • Region routing — restrict providers and data flow per organisation.
  • Retention policy — customisable per tenant.
  • Customer-managed keys (CMK) — available on request.

07Auditability

  • Tamper-evident audit logs for admin actions, key access and policy changes.
  • Export to SIEM via webhooks or scheduled object-storage drop.
  • Retention configurable per tenant; legal-hold supported.

08Security practices

See the dedicated Security page. Highlights:

  • Hardware-key MFA for production access.
  • Quarterly access reviews; annual third-party penetration tests.
  • Documented incident-response playbooks with 72-hour breach notification under GDPR Art. 33.

09User control

  • Export your data at any time — JSON for structured records, plain text for transcripts.
  • Delete transcripts and keys from in-app settings at any time; everything is stored only on your device, so deletion is immediate and local.
  • Transcript history and crash reporting are controlled in-app; there is no account and no analytics to consent to.

10Certification roadmap

  • SOC 2 Type II — readiness assessment {{Q1}}; first audit window {{AuditWindow}}.
  • ISO 27001 — controls mapped; certification target {{ISOTarget}}.
  • HIPAA — evaluation paused; will resume when meaningful healthcare adoption emerges.

11Contact


Need a DPA, security questionnaire response or signed NDA? Contact trust@vaitl.ai — standard turnaround is 3 business days.