Trust & Security

Voice is sensitive data.
We treat it that way.

GDPR Article 9 classifies voice as biometric data. Most voice-AI providers retain audio "for quality improvement." We don't retain it at all — it transits through Durable Object memory and is discarded on STT acknowledgment. Below is what we promise, in writing.

What we don't do

  • We don't store your audio. Voice transits through DO memory and is discarded on STT ack. Zero bytes at rest.
  • We don't train on your audio. Not on your transcripts either. Not now, not ever — written into ToS §4.2.
  • We don't share your data with sub-processors beyond a minimal disclosed list (Bandwidth, Cloudflare, Stripe).
  • We don't sell your data. Not to advertisers. Not to your competitors. The anti-clone clause prohibits us from training similar systems for parties competitive to you.
  • We don't fingerprint your callers. We hash phone numbers with a daily-rotating salt. The hash can't be reversed across days.
  • We don't retain transcripts beyond what you explicitly enable. Default: 0 days. Optional: up to 90 days for your dashboard, your retention key.

What we do

  • End-to-end encryption: TLS 1.3 in transit, AES-256 for any data at rest.
  • US data residency by default; EU residency for EU customers (Frankfurt + Ireland regions).
  • STIR/SHAKEN attestation A on all outbound. Carrier-level caller-ID verification.
  • TCPA compliance baked in: first-turn AI disclosure on every call, opt-out keyword honored.
  • Audit logs accessible via API for 90 days (call metadata only, no audio).
  • Webhook signatures HMAC-SHA256 with raw-body verification — no CSRF, no replay.
  • Per-customer 32-byte cache_salt: prevents cross-tenant prefix-cache leakage.
  • Rate limits + abuse defense (premium-prefix blocklist, geo-restrictions, IRSF defense).
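The webhook check described above (HMAC-SHA256 over the raw body, with replay rejection), as an added example that is not Toolkit's own code. The signed-message layout (`<timestamp>.` + raw bytes), the 300-second freshness window and the secret are assumptions; it also shows why the signature must be checked over the bytes on the wire rather than a re-serialized JSON object.

```python
import hashlib
import hmac
import json

# Constructed placeholder secret; a real deployment loads it from a secret store.
WEBHOOK_SECRET = b"constructed-example-secret"
TOLERANCE_SECONDS = 300  # reject deliveries whose timestamp is outside this window


def sign(raw_body: bytes, timestamp: int, secret: bytes = WEBHOOK_SECRET) -> str:
    """Assumed scheme: HMAC-SHA256 over '<timestamp>.' followed by the exact wire bytes."""
    message = f"{timestamp}.".encode() + raw_body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify(raw_body: bytes, ts_header: str, sig_header: str, now: int,
           seen: set, secret: bytes = WEBHOOK_SECRET) -> bool:
    """True only for a fresh, correctly signed, not-yet-seen delivery."""
    try:
        timestamp = int(ts_header)
    except ValueError:
        return False
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # stale or future-dated: outside the freshness window
    expected = sign(raw_body, timestamp, secret)
    if not hmac.compare_digest(expected, sig_header):
        return False  # constant-time comparison, no early exit on mismatch
    if sig_header in seen:
        return False  # identical delivery inside the window: replay
    seen.add(sig_header)  # the seen-set only needs to cover the tolerance window
    return True


def demo() -> dict:
    # Constructed payload; note the double space, which re-serialization would drop.
    raw = b'{"call_id": "c_123",  "event": "call.ended"}'
    ts = 1_700_000_000
    sig = sign(raw, ts)
    seen = set()
    reserialized = json.dumps(json.loads(raw)).encode()  # same JSON, different bytes
    return {
        "valid": verify(raw, str(ts), sig, ts + 5, seen),
        "replayed": verify(raw, str(ts), sig, ts + 6, seen),
        "reserialized": verify(reserialized, str(ts), sig, ts + 5, set()),
        "stale": verify(raw, str(ts), sig, ts + 3600, set()),
    }
```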

The anti-clone ToS clause

Founding-customer accounts include this clause as part of the master service agreement:

"Toolkit shall not train any voice model, LoRA, fine-tune, or derivative system on Customer's audio data, transcripts, or system prompts, nor offer any voice persona substantially similar to Customer's persona to any party operating in the same vertical within Customer's geographic market, for the duration of the MSA and 24 months thereafter. This protection survives termination."

Standard customers get a baseline no-training promise; founding customers get the full anti-clone radius.

Compliance roadmap

Item                                      Status      Milestone
TCPA compliance                           live        Day 30
GDPR DPA template (signable)              live        Day 30
EU data residency (Frankfurt + Ireland)   live        Day 30
SOC 2 Type I                              in-flight   Day 90
SOC 2 Type II                             in-flight   Day 270
HIPAA BAA (healthcare voice)              in-flight   Day 180
PCI DSS (payment-collection calls)        scoped      Day 365

Sub-processors

Disclosed minimum-viable list. Adding any new sub-processor requires 30 days' written notice to Customer.

Sub-processor   Role                                   Region
Cloudflare      Edge network, KV, D1, Pages, Workers   Global
Bandwidth       Carrier (US) — voice + SMS             USA
Telnyx          Carrier (EU + redundancy)              USA + EU
Stripe          Billing only                           USA
Resend          Transactional email                    USA

Reporting a security issue

Email security@toolkit-llm.com. PGP key on request. We acknowledge within 24 hours, triage within 72, and disclose responsibly per a 90-day window. We don't sue researchers for good-faith disclosure.

Reading the small print? Standard Terms · Privacy Policy. Voice-specific DPA available on request — include "DPA" in your founding-beta application.