Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.vorel.ai/llms.txt

Use this file to discover all available pages before exploring further.

This page is the regulator-facing companion to Security overview. The overview covers controls; this page covers the paperwork posture — what we sign, what we disclose, what’s roadmap.

Region model

Each tenant is pinned to one region at creation time, set by the Vorel operator. Three regions ship today (us / eu / me). Region governs:
  1. Primary data storage location.
  2. Sub-processor selection where regional alternatives exist (e.g. us.sentry.io vs. eu.sentry.io).
  3. Which DPA appendix applies.
Region is set at tenant creation and not editable post-creation in v1. Changing region is a data-movement engagement (separate scope). Today, a single Railway US deployment serves all tenants — eu and me regions are declared posture for DPA purposes, with per-region routing landing in v1 once a paying customer in that region triggers the provisioning. Disclosed to tenants via the DPA appendix for their region.

Per-region vendor reconciliation

The DPA appendix discloses, per region, which sub-processors are inside the region versus which transit other regions. Selected entries:
RegionVendorIn-region?Note
usPostgres / RedisRailway US (single-region today)
usVapi (voice)US-hosted
us360dialog (WhatsApp)EU-hosted per Meta partner policy; US-tenant data transits EU
euPostgres / Redis✓ (planned v1)Railway EU on first signed EU customer
euVapi (voice)US-only orchestration; voice metadata transits US
eu360dialogEU ingest — native fit
mePostgres / Redis✓ (planned v1)Railway ME or AWS me-south-1
meVapi (voice)US-hosted; Telnyx UAE pop covers DID; metadata transits US
meGemini (LLM)Vertex asia-southeast1 (Singapore) — closer than us-central1 but extra-region
Voice is the hardest residency story across all regions. The DPA discloses this explicitly rather than burying it. The full per-region reconciliation matrix is generated from apps/web/src/lib/regions.ts — keep the registry in sync if vendor regions change.

PDPL (UAE) + GDPR (EU)

Vorel’s data-protection paperwork posture is documented:
RequirementStatus
PII inventoryDocumented in handoff/docs/security/PII-INVENTORY.md (every column / file / log line that holds end-customer or operator PII).
Data flow diagramDocumented in handoff/docs/security/DATA-FLOW.md.
DPA templatePre-counsel draft at handoff/docs/security/DPA-TEMPLATE.md. Per-region appendices read from lib/regions.ts. Counsel review required before sending to a customer.
Right-to-access endpointPOST /api/tenant/export (operator-gated). Returns a ZIP of conversations + messages + leads + appointments + offerings + knowledge_base + audit_log for a single tenant. Default redacts customer email + phone; opt-out via include_full_pii=true (audit-logged). Includes a chain-of-custody README.
Right-to-erasure endpointPOST /api/tenant/forget (operator-gated, dry-run-by-default). Runs a 7-step scrub for a single customer phone within a single tenant: tombstones conversations, redacts message content, nulls leads/appointments PII, scrubs audit-log JSONB references. Wrapped in a Postgres transaction for atomicity.
Audit-log integrityaudit_log has reject_mutation triggers — UPDATE + DELETE blocked at the DB level. Forensic trail survives platform-level scrubs.
Salted-hash audit referencesThe forget endpoint replaces customer phone in audit log JSONB with sha256(salt + phone) — deletion event is provable without re-introducing the PII. Salt comes from RIGHT_TO_ERASURE_HASH_SALT env var; production refuses to compute the hash if salt is unset.
72-hour breach notificationDocumented in handoff/docs/security/INCIDENT-RESPONSE.md (PDPL Art. 17, GDPR Art. 33).
The DPA template is the artifact tenants ask for. It’s pre-counsel; we’re not sending it to customers without legal review of the per-customer fill-in (entity name, region, scope).

SOC 2

StandardStatus
SOC 2 Type 1Foundational paperwork shipped (PII inventory, data flow diagram, IR playbook, SLOs). Drata / Vanta engagement is on the roadmap; not started today.
SOC 2 Type 2Requires 6 months of operational data after Type 1. Not started.
We can share the underlying foundational documents (PII inventory excerpt, DPA template, SLO doc) under NDA today for a buyer’s due-diligence pass. We don’t have a Type 1 report.

HIPAA

Per-customer engagement only. The clinic vertical pack ships safety guards (forbidden_phrases='diagnose' etc.) but HIPAA is not turn-key. Running a HIPAA-grade workflow requires Business Associate Agreements (BAAs) with every PHI-touching vendor: Telnyx, Vapi, ElevenLabs, Deepgram, Gemini. If you need HIPAA: talk to your Vorel operator before the kickoff call. We can sign per-customer BAAs with the relevant vendors but the timeline + cost is real.

Sub-processor disclosure

The DPA template lists every sub-processor by region. Operators maintain the live list at the URL the DPA points to (TBD — counsel-approved location). Adding a new sub-processor or changing an existing sub-processor’s processing scope: 30 days notice to customers via the operator- configured contact email, with a chance to object. Today’s sub-processor set covers:
  • Cloud + transport: Railway, Cloudflare, AWS (KMS path is dormant; reactivates with EU/ME hosting where AWS me-south-1 is the fallback).
  • Telephony + voice: Telnyx (DID + SIP), Vapi (orchestration, ASR/TTS routing), Deepgram (transcription), ElevenLabs (TTS).
  • Messaging: 360dialog (WhatsApp Cloud).
  • LLM: Google (Gemini API; future Vertex regional pinning).
  • Auth + observability: Clerk (auth), Sentry (errors), Honeycomb (traces).
  • CRM (per-tenant): the configured driver vendor for each tenant — HubSpot, Salesforce, Zoho, Mindbody, Athenahealth, Tekmetric, Odoo.
Per-region in/out matrix in apps/web/src/lib/regions.ts is the canonical reference.

Data retention + deletion

Data classRetention
Customer Data (subscription term)Retained for the duration of the customer’s subscription, plus a 30-day grace period to allow final export.
On terminationDeleted or returned within 60 days, except as required by law.
Voice recordings90-day default; configurable per-tenant 30–365 days.
Audit logAppend-only; survives application-layer right-to-erasure scrubs. Salted-hash references replace raw PII so a deletion is provable.
Webhook deliveriesRetained per the standard DB retention; payloads are append-only (replicate underlying message/lead content).
The right-to-erasure path runs against subset specifically — a single customer phone within a single tenant — with operator-side dry-run-by-default. Mass-erasure (entire tenant) runs at termination via the same primitives.

What we explicitly do NOT do

  • We don’t use customer-collected data to train third-party AI models. No tenant conversations or PII are shipped to model-training pipelines (ours or vendor-side).
  • We don’t sell, share, or analyse customer data across tenants. RLS enforces per-tenant isolation at the DB level (see Security overview).
  • We don’t repurpose tenant data for analytics outside their tenant. Per-tenant analytics surfaces only that tenant’s data; cross-tenant operator views (operator-side) are audit-logged.

Bug bounty + responsible disclosure

We don’t run a formal bug bounty program today. Email security@vorel.ai to report a vulnerability. We acknowledge within 48 hours, triage within 5 business days, and credit reporters in the changelog (with consent) once fixed.