Trust · Security & data protection

Your data, your rules

How daita protects your data, who processes it, and the controls that keep you compliant. Written plainly — ask us for the full DPA.

Data residency

Data residency

Your data at rest is stored in a European database (Google Cloud, eur3 / Europe). Communications are encrypted in transit, and every agent action is written to an immutable audit log. For regulated workloads we offer full EU-region or on-premises deployment of the entire stack on the Sovereign plan.

  • Data at rest in the EU by default
  • Encrypted in transit (TLS)
  • Immutable, exportable audit logs
  • Full EU-region / on-prem on the Sovereign plan
EU eur3data residency
GDPR · EU AI Act · DPA on request
Sub-processors

Who processes data, and where

We use best-in-class providers under data-processing agreements. Each is listed with its role and data-residency posture — transparently.

EU

Google Cloud (Firestore, eur3)

Primary data store: leads, bookings, transcripts, audit logs

EU

Jina AI (Berlin, Germany)

Neural reranking for retrieval quality

US · EU-region / on-prem available

Anthropic (Claude)

Core reasoning & language understanding

US · EU-region / on-prem available

ElevenLabs

Neural text-to-speech (default voice)

US · EU-region / on-prem available

Twilio

Phone & WhatsApp connectivity

US · EU-region / on-prem available

Resend

Transactional email (confirmations, invites)

Opt-in · outside the EU

OpenAI (gpt-realtime)

Native real-time voice — only if you enable it

Security

Engineered to keep data safe

Encryption in transit

All traffic is served over TLS; secrets are held in a managed secret store, never in code.

Verified webhooks

Phone & WhatsApp callbacks are cryptographically signature-verified before anything runs.

Ephemeral voice tokens

Live voice uses short-lived tokens minted server-side — provider keys never reach the browser.

Least-privilege access

The admin console is password-gated; client workspaces are isolated and token-scoped.

Immutable audit trail

Every lead, booking and action is logged with timestamps for full traceability.

Bounded retention

Temporary artifacts auto-expire (voice clips ~1h, call state ~24h, analytics events ~30d).

Your rights & compliance

GDPR & EU AI Act, by design

You remain the controller of your data. We act as your processor under a DPA, and we never use your data to train third-party models.

Access, export and erasure on request
Data-processing agreement (DPA) available
Your data never trains third-party models
EU AI Act-aligned: transparency, logging, human oversight
Non-EU options are strictly opt-in, clearly flagged
daita · München

Need our DPA or a security review?

We are happy to share documentation and answer your security and compliance team’s questions.

This page summarises our practices in plain language and is not a contract. Email info@daita-ai.com for the full Data Processing Agreement and sub-processor list.