This page summarises our compliance posture for security teams, procurement, and enterprise customers conducting a vendor review. We update it as new controls land. For a structured questionnaire response (SIG, CAIQ, SOC2 readiness statement), email trust@vaitl.ai.
01Compliance posture
- GDPR
- Aligned · DPA available
- EU AI Act
- Transparency & provider disclosure implemented
- SOC 2 Type II
- Readiness in progress · audit window {{AuditWindow}}
- ISO 27001
- Mapped · certification on roadmap
- App Store / Google Play
- Privacy labels & data-safety forms current
- Apple ATT / DSA
- Compliant
02GDPR readiness
- Lawful basis identified for every processing activity (see Privacy Policy §8).
- Records of Processing Activities (RoPA) maintained internally.
- Data Processing Agreement (DPA) and Standard Contractual Clauses available on request.
- Data Protection Officer (DPO) appointed for EU operations.
- Data subject rights handled within 30 days (export, deletion, rectification, portability).
- Privacy by design and by default — verified through architectural review for every major release.
- Sub-processor list published; 30-day notice for any material change.
03EU AI Act readiness
- SpeechKey falls under limited-risk AI per the AI Act classification.
- AI-generated content is clearly labelled in-app and on exports.
- Users are informed they are interacting with AI (in-app onboarding, ToS, AI Disclaimer).
- Provider model list and routing logic are inspectable by enterprise admins.
- We do not use customer audio or transcripts to train models.
04Privacy-first architecture
- BYOK by default — audio goes directly from your device to your chosen AI provider; there is no SpeechKey server in the data path.
- Keys and transcripts are encrypted on-device (iOS Keychain); end-to-end TLS 1.3 to the provider.
- Region pinning available for EU and APAC enterprise deployments.
05Data minimisation
- Live audio is not persisted.
- Transcript history is opt-in.
- Analytics is opt-in and aggregated; no raw conversation content ever leaves your tenant.
- Logs are redacted; payload content is excluded from telemetry by default.
06Enterprise controls
- SSO — SAML 2.0 and OIDC; SCIM provisioning.
- RBAC — granular roles for admin, billing, audit-viewer and end user.
- BYOK management — central provider key rotation with audit trail.
- Region routing — restrict providers and data flow per organisation.
- Retention policy — customisable per tenant.
- Customer-managed keys (CMK) — available on request.
07Auditability
- Tamper-evident audit logs for admin actions, key access and policy changes.
- Export to SIEM via webhooks or scheduled object-storage drop.
- Retention configurable per tenant; legal-hold supported.
08Security practices
See the dedicated Security page. Highlights:
- Hardware-key MFA for production access.
- Quarterly access reviews; annual third-party penetration tests.
- Documented incident-response playbooks with 72-hour breach notification under GDPR Art. 33.
09User control
- Export your data at any time — JSON for structured records, plain text for transcripts.
- Delete transcripts and keys from in-app settings at any time; everything is stored only on your device, so deletion is immediate and local.
- Transcript history and crash reporting are controlled in-app; there is no account and no analytics to consent to.
10Certification roadmap
- SOC 2 Type II — readiness assessment {{Q1}}; first audit window {{AuditWindow}}.
- ISO 27001 — controls mapped; certification target {{ISOTarget}}.
- HIPAA — evaluation paused; will resume when meaningful healthcare adoption emerges.
11Contact
- Trust & compliance
- trust@vaitl.ai
- Enterprise
- enterprise@vaitl.ai
- Security
- security@vaitl.ai
Need a DPA, security questionnaire response or signed NDA? Contact trust@vaitl.ai — standard turnaround is 3 business days.