Security/The foundation

Stays between you and your customer.

Built for operators whose reputation lives on every call. Encryption on every byte, isolation on every workspace, and a promise your conversations are never used to train AI.

01 / 03

Encrypted, everywhere.

AES-256 at rest. TLS 1.2+ in transit. Hardware-backed key management. There are no unencrypted endpoints.

02 / 03

Never training data.

Your conversations are not used to train, fine-tune, or improve any AI model. Not by us. Not by any partner.

03 / 03

Isolated, yours.

Workspace-scoped by default. Dedicated infrastructure for Enterprise. Exportable and deletable on demand.

The one that matters

Your data is not training data.

Most policies bury it. Ours is three words: we don't.

Models process your data to run the conversation and your analytics — then it's yours. Never recycled into anyone's model weights.

We do notsell your data.
We do notshare your data with third parties for marketing.
We do notuse your conversations to train or fine-tune any AI model.
We do notbenchmark or demo your data to other customers.
We do notread your data, except for support — when you ask us to.
Eight pillars

How we protect every byte.

The controls behind every conversation, API call, and row. No marketing; just what we do.

01 / 08
Encryption, everywhere
AES-256 at rest on every byte we store. TLS 1.2+ in transit on every connection. Hardware-backed key management with automatic rotation.
AES-256TLS 1.2+HSM keys
02 / 08
No AI training on your data
Your audio, transcripts, documents, and analytics are never used to train or fine-tune any model. Not by us. Not by any partner.
No trainingNo fine-tuneContractual
03 / 08
Hardened infrastructure
Tier-1 hyperscale cloud. 24/7 physical security. Redundant power, private-backbone networking, and global DDoS mitigation at the edge.
24/7 securityDDoS edgeRedundant
04 / 08
Identity & access
Google SSO for teams. Invite-only workspace gating. Scoped, cryptographically fingerprinted API keys with one-click revocation.
Google SSOScoped keysInvite-only
05 / 08
Workspace isolation
Every workspace is a logically isolated container. Every read and write is gated by a workspace check. No query path returns another workspace's data.
Multi-tenantIsolatedNo bleed
06 / 08
Application controls
Rate limiting on every public endpoint. Input sanitization. Secrets scrubbed from logs. No PII in error reports. Dependency hygiene, actively patched.
Rate limitNo PII logsPatched
07 / 08
Monitoring & incident response
24/7 automated monitoring. Alerting that pages engineering in minutes. Graceful failure — a carrier outage does not take down your dashboard.
24/7 on-callGraceful failPost-mortem
08 / 08
Residency, retention, deletion
Enterprise customers pick the region. Retention is configurable. Any agent, conversation, or workspace is deletable — and exportable — on demand.
RegionalExportOn-demand
Data flow

Microphone to database, and not a step further.

Exactly what happens from call connect to storage — and where it doesn't go.

01 / Capture
Customer audio
Mic → phone or web widget.
02 / Transport
Encrypted in transit
TLS 1.2+ over private-backbone fiber.
03 / Process
Hardened AI boundary
In-memory processing. Discarded at session end.
04 / Store
Your workspace
AES-256 at rest. Scoped to you.
05 / Never
Not a training set
Never added to any AI model. Anywhere.
Telephony partners
Twilio and Telnyx — tier-1 global carriers with their own published security programs.
Infrastructure
Hyperscale cloud provider with 24/7 physical security, redundant power, and hardware-backed key management.
AI models
Enterprise model providers under contractual no-retention, no-training commitments.
Our approach to compliance

Honest beats vague. Every time.

We don't currently hold independent security certifications, and we won't claim ones we haven't earned. What we offer instead: concrete controls — the kind your compliance program depends on.

What we do, today
Encryption at rest (AES-256) and in transit (TLS 1.2+)
Binding commitment that your data is never used to train AI
Workspace isolation with no cross-workspace data access
Scoped, cryptographically stored API keys with audit and revocation
Origin allowlists and authenticated mode for the web widget
Rate limiting and abuse controls on every public endpoint
Detailed audit logging of administrative and authentication events
Data export, retention control, and on-demand deletion
Region-scoped deployments for Enterprise customers
A responsible disclosure program for security researchers
Need a bespoke arrangement? Enterprise buyers get custom DPAs, regional hosting, retention policies, and deletion confirmations.
FAQ

The short answers.

Procurement questions, answered plainly. Anything else: contact@eclatira.com.

No. Not us, not any partner. Never.
Yes. AES-256 at rest, TLS 1.2+ in transit. Hardware-backed key management.
Tier-1 hyperscale cloud, in the region associated with your account. Enterprise picks the region.
Workspace members you've invited, and a small number of Eclatira engineers and support under strict access controls. All administrative access is logged.
Only with operational partners strictly needed to run the service — Twilio and Telnyx for phone, plus our infrastructure provider. None may use your data for their own purposes.
One click in the dashboard or an API call. Data is removed from primary storage. Written deletion confirmation available to Enterprise.
Yes. Every transcript, recording, and analytics record is exportable via API or dashboard. Portable, not locked in.
No. Shown once at creation. We store only a cryptographic fingerprint — even our engineers cannot retrieve the raw key.
In progress. We'll publish certifications only once earned. Meanwhile, the controls listed above meet most compliance obligations today.
For Enterprise, yes. Bespoke data processing terms tailored to your requirements.
Google sign-in today. Additional identity federation available on Enterprise.
Configurable per agent and channel. Opening-line consent announcements where local law requires.
Enterprise security

Dedicated deployments.

For regulatory, sovereignty, or contractual requirements beyond our standard platform. Isolated infrastructure, flexible to match your compliance program.

01
Infrastructure isolation. Dedicated data stores and processing capacity for your account.
02
Regional data residency. Choose the geography where your data lives and is processed.
03
Custom retention. Set exactly how long recordings, transcripts, and analytics are kept.
04
Custom uptime SLAs. Commitments tailored to your operational needs.
05
Custom subdomain. calls.yourbrand.com instead of a shared domain.
06
Named account contact. A real person for security and operational escalations.
Talk to our team →
Security questions?

Bring us your toughest questionnaire.

Checklist, DPA draft, or a live security review. Plain answers, in writing, with specifics.

Book a security review →contact@eclatira.com