Trust Center - Famulor

At Famulor.io, we believe that Data Sovereignty is a fundamental requirement for modern AI communication. This Trust Center provides full transparency regarding our infrastructure, our specialized sub-processors, and the technical safeguards we employ to protect sensitive data. This page serves as the dynamic Annex to our Data Processing Addendum (DPA) and is updated regularly to reflect our current technical stack. For definitions of terms such as LLM, STT, TTS, SIP trunk, or realtime models, see the glossary.

Infrastructure Security

Every layer of our platform is designed with security-first principles.

Encryption

AES-256 encryption at rest, TLS 1.3 in transit. All voice data, transcripts, and customer information are encrypted end-to-end throughout the entire call lifecycle.

Access Control

Role-based access control (RBAC) and least-privilege principles across all systems. Every access event is logged and auditable.

Monitoring & Detection

24/7 security monitoring with intrusion detection systems, anomaly alerts, and comprehensive audit logging for all system activities.

Business Continuity

Automated backups, disaster recovery procedures, and 99.9% uptime SLA. Redundant infrastructure across multiple availability zones.

Incident Response

Documented incident response plan with defined escalation procedures, 72-hour GDPR breach notification compliance, and post-incident analysis.

Vendor Security

All AI sub-processors (ElevenLabs, OpenAI, Deepgram, Cartesia) are vetted for security compliance. ElevenLabs Enterprise partnership enables EU-routed voice processing.

1. Our Sovereignty Commitments

To meet the strict requirements of the European market (including Art. 9 GDPR for healthcare and sensitive sectors), we operate under four core principles:

Principle	Description
EEA-First Policy	All core processing of voice and text data occurs on servers located within the European Economic Area (EEA).
No-Training Guarantee	We contractually ensure that none of our AI providers are permitted to use your data (audio, transcripts, or prompts) to train or improve their foundational models.
Zero Retention Capability	We provide a “Zero Retention Mode” for highly sensitive environments, where data is processed in-memory and purged immediately after the interaction.
Encryption Excellence	All data is encrypted in transit using TLS 1.2+ and at rest using AES-256.

2. System Status & Availability

Transparency regarding our system performance is key to a reliable partnership. You can monitor our live status at any time: Live Status Monitor: https://status.famulor.io/

3. Infrastructure & Platform Hosting

These providers host the Famulor.io platform, including the backend logic, databases, and customer dashboard.

Provider	Purpose	Processing Location
Amazon Web Services (AWS)	Core Platform, Databases & API Logic	Frankfurt, Germany (EU)
Vercel Inc.	Frontend & Web Interface	Frankfurt, Germany (EU)

4. Artificial Intelligence (LLM)

These models handle the reasoning and conversation logic. We utilize Enterprise-grade instances to ensure data isolation and sovereignty. Note: LLM, STT, TTS, and SIP trunk providers are optionally selectable per assistant, depending on the use case.

Provider	Model / Service	Processing Location
Microsoft Ireland (Azure)	OpenAI Models (GPT-4o, o1, etc.)	Sweden Central (EU)
Microsoft Ireland (Azure)	OpenAI GPT OSS	Sweden Central (EU)
Google Cloud (Vertex AI)	Gemini models	EU Regions (EU Data Residency)
Anthropic, PBC	Claude Models (via EU Partners)	EU Regions
Microsoft Ireland (Azure)	Meta Llama 3 (Open Source)	EU Regions (Sweden/Germany)

5. Speech Services (STT & TTS)

Specialized providers for real-time transcription (Speech-to-Text) and voice synthesis (Text-to-Speech). Note: LLM, STT, TTS, and SIP trunk providers are optionally selectable per assistant, depending on the use case.

Provider	Category	Service / Purpose	Processing Location
Deepgram, Inc.	STT	Speech-to-Text (Nova/Flux API)	EU endpoint available (`api.eu.deepgram.com`); GDPR-aligned processing possible via EU region setup.
Soniox, Inc.	STT	High-Precision Transcription Compliance & Standards: SOC 2 Type 2 – auditing standard that evaluates an organization’s controls for security, availability, processing integrity, confidentiality, and privacy over an extended period of time. ISO/IEC 27001:2022 – internationally recognized standard for Information Security Management Systems (ISMS). GDPR – European Union regulation that governs the collection, processing, and protection of personal data and privacy rights. HIPAA – U.S. regulatory framework that establishes requirements for protecting sensitive healthcare data, including Protected Health Information (PHI).	EU Region (per DPA)
ElevenLabs Inc.	STT & TTS	Scribe (STT) and Voice Models (TTS)	EU data residency (Enterprise) and EU endpoints available; GDPR support options incl. Zero Retention for EU workloads.
Gladia SAS	STT	Realtime and batch Speech-to-Text	GDPR-compliant according to Compliance Hub; EU and US workloads are processed separately.
Cartesia AI, Inc.	TTS	Ultra-Low Latency Voice (Sonic)	GDPR compliant according to provider; EU region usage supported.
Microsoft Ireland (Azure)	TTS	Azure Neural Speech (Text-to-Speech)	Azure Speech supports multiple EU regions; data stays in the region where the resource is created.
Microsoft Ireland (Azure)	STT (Realtime)	OpenAI Realtime speech models	Sweden Central (EU)
Google Cloud (Vertex AI)	STT (Realtime)	Gemini Flash Live models	EU Regions (Vertex AI EU Data Residency)
LiveKit Inc.	Realtime Infrastructure	Virtual conversation rooms (realtime sessions)	EU SCC. Famulor uses the most privacy-friendly setup: with region pinning, data does not leave the European region according to the provider.

6. Business Operations & Billing

Providers used for transactional security and administrative management.

Provider	Purpose	Processing Location
Stripe Payments Europe	Secure Payment Processing	Ireland (EU)
Twilio Ireland Limited	Telephony, SIP trunking, SMS, and WhatsApp Business messaging	Ireland (EU). Regional processing via Twilio Regions (incl. IE1).
SendGrid (Twilio)	Transactional & System Emails	EU Regions (EU Data Processing Locations)

7. WhatsApp Business Processing

For WhatsApp Business, the following applies:

WhatsApp is integrated via the Twilio connection.
You can use either your own WhatsApp-enabled phone number or a number from the Famulor number pool (depending on setup/verification).
If you use your own number, the number owner must complete verification directly in Meta Business Manager.
Incoming WhatsApp messages are processed via configurable LLM workflows.
Responses are returned as an AI-generated reply.
Text, images, and voice messages can be processed within the enabled assistant configuration and used for response generation.

8. Website Analytics & Tag Management

For website and product analytics, we use:

Provider	Purpose	Note
Google Analytics (GA4)	Usage analytics and performance measurement	Measurement ID: `G-WPTBT13HB0`; GDPR-relevant EU contracting/privacy entity: Google Ireland Limited (Dublin).
Google Tag Manager (GTM)	Management of tracking and marketing tags	Container: `GTM-PWRN3XX7`
Microsoft Clarity	Product analytics and session insights	Provider: Microsoft Ireland Operations Limited; processing aligned with Microsoft privacy/compliance documentation.
Meta Pixel API (Facebook)	Conversion tracking and campaign measurement	EEA provider entity: Meta Platforms Ireland Limited; processing under Meta Business Tools Terms/DPA framework.

9. Providers: Legal Entity & Address

Below is the legal entity we use for each provider, including publicly listed company address information (as of March 2026).

Provider	Legal Entity / Company	Address	Source
AWS	Amazon Web Services EMEA S.à r.l.	38 Avenue John F. Kennedy, L-1855 Luxembourg, Luxembourg	ICO Register
Vercel	Vercel Inc.	440 N Barranca Ave #4133, Covina, CA 91723, USA	Vercel Terms
Microsoft (Azure)	Microsoft Ireland Operations Limited	70 Sir John Rogerson’s Quay, Dublin 2, D02 R296, Ireland	LEI Register
Google Cloud	Google Cloud EMEA Limited	70 Sir John Rogerson’s Quay, Dublin 2, Ireland	Google Contracting Entity
Google Analytics / GTM	Google Ireland Limited	Gordon House, Barrow Street, Dublin 4, Ireland	Google Privacy & Terms
Anthropic	Anthropic, PBC	548 Market Street, PMB 90375, San Francisco, CA 94104, USA	OpenGov
Soniox	Soniox, Inc.	1045 Helm Ln, Foster City, CA 94404, USA (EU office: Cesta v Gorice 34B, 1000 Ljubljana, Slovenia)	Soniox Contact
ElevenLabs	Eleven Labs Inc.	169 Madison Ave #2484, New York, NY 10016, USA	ElevenLabs Help
Deepgram	Deepgram, Inc.	548 Market St, Suite 25104, San Francisco, CA 94104-5401, United States	EU Endpoint Announcement
Gladia	GLADIA SAS	6B, rue du Bas Village, 35510 Cesson-Sevigne, France	Gladia Legal Notice
Cartesia	Cartesia AI, Inc.	1766 18th Street, Suite 1200, San Francisco, CA, USA	Company info
LiveKit	LiveKit Inc.	4285 Payne Avenue, Suite 9154, San Jose, CA 95157, United States	Region pinning (LiveKit Docs)
Stripe	Stripe Payments Europe, Limited	One Wilton Park, Wilton Place, Dublin 2, D02 FX04, Ireland	LEI Register
Twilio	Twilio Ireland Limited	70 Sir John Rogerson’s Quay, Dublin 2, D02 R296, Ireland	LEI Register
SendGrid (Twilio)	Twilio Ireland Limited	70 Sir John Rogerson’s Quay, Dublin 2, D02 R296, Ireland	LEI Register
Microsoft Clarity	Microsoft Ireland Operations Limited	70 Sir John Rogerson’s Quay, Dublin 2, D02 R296, Ireland	Microsoft Privacy
Meta (Pixel API & WhatsApp Business Platform)	Meta Platforms Ireland Limited	4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland	Meta Business Tools Terms

10. International Data Transfers & Safeguards

For providers with US-based parent companies (e.g., Microsoft, Google, Vercel, Soniox), Famulor ensures compliance via:

Data Residency: Configuring services to process data exclusively on EU-based nodes.
Legal Frameworks: Utilization of the EU-U.S. Data Privacy Framework (DPF) and/or Standard Contractual Clauses (SCCs).
Enterprise Agreements: Specialized contracts that prevent third-party access and data usage for model training.
TIA upon request: For Enterprise customers, Famulor provides a Transfer Impact Assessment (TIA) upon request in line with EDPB Recommendations 01/2020 for all providers with a US parent company. The TIA documents implemented safeguards and the legal risk assessment of the third-country framework.

Transfer Legal Basis per US Provider

Provider	Category	Transfer Legal Basis
Deepgram	STT	SCCs (2021/914/EU) + EU endpoint (`api.eu.deepgram.com`)
Soniox	STT	SCCs + EU data residency (contractually restricted to EU nodes)
Gladia	STT	SCCs (2021/914/EU), separate EU/US workloads
Cartesia	TTS	SCCs + EU data residency
LiveKit	Realtime	SCCs + region pinning (according to provider, data does not leave EU region)
ElevenLabs	STT/TTS	Enterprise DPA + EU data residency
Vercel	Hosting	DPF (certified) + EU region (Frankfurt)
Anthropic	LLM	SCCs via EU partners
OpenAI (via Azure)	LLM	DPF (via Microsoft) + Azure EU nodes

For all providers without DPF certification (Deepgram, Soniox, Gladia, Cartesia, LiveKit), Famulor has executed the EU Standard Contractual Clauses under European Commission Decision 2021/914/EU (Module 2: controller to processor). These are available to Enterprise customers upon request. To independently verify DPF certifications of individual providers, see the official list: Data Privacy Framework Participants List

11. Data Retention

Retention periods are available in the account settings and configurable per data category.

Data Category	Default	Configurable Range (Maximum)
Calls	Account default (visible in the account)	1 to 24 months
Leads	Account default (visible in the account)	1 to 24 months
Chats	Account default (visible in the account)	1 to 24 months
SMS	Account default (visible in the account)	1 to 24 months

12. Technical and Organizational Measures (TOMs)

Our security framework is designed for maximum accountability and isolation:

Measure	Description
Multi-Tenancy	Strict logical separation of customer data. Every account operates in an isolated environment.
Agency & Whitelabel Architecture	We offer a specialized Agency Dashboard that allows partners to manage multiple, fully isolated sub-accounts from a central interface.
Access Control	Access is restricted to one authorized user per account to ensure clear accountability. The implementation of native Multi-Factor Authentication (MFA) is currently on our development roadmap. We recommend securing access via SSO providers (Google/Microsoft) with enabled MFA.
User-Controlled Data Retention	To support the GDPR principle of storage limitation, users can independently configure automatic deletion schedules (1 to 24 months) for Calls, Leads, Chats, and SMS.
Audit Logging	Comprehensive logging of all system-critical actions for traceability.
Continuity	Automated daily backups stored encrypted within the European Union.

13. Governance & Maintenance

This list is reviewed quarterly.
Changes to the provider stack are documented in the changelog.

Last Updated: 26.03.2026

Introduction

For Developers

Platform

AI Assistants Overview

Example Prompts

Custom Dashboards

Phone Numbers

Inbound Calls

Outbound Calls

WhatsApp Business

AI Prompting & Conversation Design

Automation & Integrations

Costs & Pricing

SIP Phone Numbers

Number Provisioning

Troubleshooting & FAQs

MCP

Whitepapers & Resources

Sales & Best Practices

Legal Information

Support

​Infrastructure Security

​Encryption

​Access Control

​Monitoring & Detection

​Business Continuity

​Incident Response

​Vendor Security

​1. Our Sovereignty Commitments

​2. System Status & Availability

​3. Infrastructure & Platform Hosting

​4. Artificial Intelligence (LLM)

​5. Speech Services (STT & TTS)

​6. Business Operations & Billing

​7. WhatsApp Business Processing

​8. Website Analytics & Tag Management

​9. Providers: Legal Entity & Address

​10. International Data Transfers & Safeguards

​Transfer Legal Basis per US Provider

​11. Data Retention

​12. Technical and Organizational Measures (TOMs)

​13. Governance & Maintenance

​Related