This page is the regulator-facing companion to Security overview. The overview covers controls; this page covers the paperwork posture: what we sign, what we disclose, what’s roadmap.

Region model

Each tenant is pinned to one region at creation time, set by the Vorel operator. Three regions ship today (us / eu / me). Region governs:
  1. Primary data storage location.
  2. Sub-processor selection where regional alternatives exist (e.g. a vendor’s US ingest endpoint vs. its EU ingest endpoint).
  3. Which DPA appendix applies.
Region is set at tenant creation and is not editable afterwards in v1; changing it is a data-movement engagement with its own scope. Today a single US deployment on managed cloud infrastructure serves all tenants regardless of region: eu and me are declared posture for DPA purposes, and per-region routing lands in v1 once a paying customer in that region triggers the provisioning. Until then, eu/me tenant data is hosted in the US region, and the DPA appendix for that region discloses this rather than implying in-region hosting.

Per-region vendor reconciliation

The DPA appendix discloses, per region, which sub-processors sit inside the region and which transit other regions. Selected entries (the In-region? marks follow the Note column):

| Region | Sub-processor category | In-region? | Note |
|---|---|---|---|
| us | Database / cache | ✓ | US managed hosting (single-region today) |
| us | Voice orchestration | ✓ | US-hosted |
| us | WhatsApp ingest | ✗ | EU-hosted per the messaging partner's policy; US-tenant data transits EU |
| eu | Database / cache | ✓ (planned v1) | EU managed hosting on first signed EU customer |
| eu | Voice orchestration | ✗ | US-only orchestration; voice metadata transits US |
| eu | WhatsApp ingest | ✓ | EU ingest, native fit |
| me | Database / cache | ✓ (planned v1) | ME managed hosting on first signed ME customer |
| me | Voice orchestration | ✗ | US-hosted; a UAE telephony point of presence covers DID; metadata transits US |
| me | LLM inference | ✗ | Closest regional model endpoint is extra-region |

Voice is the hardest residency story across all regions, and the DPA discloses it explicitly rather than burying it. The In-region? column describes the primary store or endpoint; transit through another region (voice metadata, WhatsApp ingest) is what the Note column is for, and it is the question regulators actually ask. The eu/me database rows are marked planned because, as stated above, those tenants are US-hosted until first provisioning. The full per-region reconciliation matrix is generated from a single canonical region registry that the DPA appendices read from, so sub-processor regions cannot drift between documents.

PDPL (UAE) + GDPR (EU)

Vorel's data-protection paperwork posture is documented:

| Requirement | Status |
|---|---|
| PII inventory | Documented internally (every column, file and log line that holds end-customer or operator PII). |
| Data flow diagram | Documented internally. |
| DPA template | Pre-counsel draft maintained internally. Per-region appendices read from the canonical region registry. Counsel review required before sending to a customer. |
| Right-to-access endpoint | POST /api/tenant/export (operator-gated). Returns a ZIP of conversations, messages, leads, appointments, offerings, knowledge_base and audit_log for a single tenant. Customer email and phone are redacted by default; include_full_pii=true opts out, and that opt-out is itself audit-logged. Includes a chain-of-custody README. The export is tenant-scoped (one tenant, all subjects), so it is the operator's starting point for a subject access request rather than a per-subject response. |
| Right-to-erasure endpoint | POST /api/tenant/forget (operator-gated, dry-run by default). Runs a 7-step scrub for a single customer phone within a single tenant: tombstones conversations, redacts message content, nulls leads/appointments PII, scrubs audit-log JSONB references. Wrapped in a Postgres transaction, so a failure part-way through leaves nothing half-scrubbed. |
| Audit-log integrity | The audit_log table rejects UPDATE and DELETE at the database level via triggers, so the forensic trail survives platform-level scrubs. Note that the erasure scrub's phone-to-hash substitution (next row) is itself a write to audit_log: the trigger has to carve out exactly that path and nothing more, and an auditor will ask how that carve-out is bounded. |
| Salted-hash audit references | The forget endpoint replaces the customer phone in audit-log JSONB with sha256(salt + phone), so the deletion event is provable (recompute the hash from phone and salt, match it) without re-introducing the PII. The salt comes from a required environment variable; production refuses to compute the hash if it is unset. Treat the salt as a secret key rather than a public salt: phone numbers have little entropy, so anyone holding the salt can recover a phone from its hash by enumerating numbers, and rotating the salt breaks linkability to earlier references. |
| 72-hour breach notification | Documented in the incident-response playbook (PDPL Art. 17, GDPR Art. 33). |

The DPA template is the artifact tenants ask for. It is pre-counsel: we do not send it to customers without legal review of the per-customer fill-in (entity name, region, scope).
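The append-only audit_log and the salted-hash substitution above interact, so here is one added example, written for this page rather than taken from Vorel, that shows them together: an audit_log whose triggers refuse DELETE outright and refuse UPDATE except during a scrub limited to the details document, plus the scrub itself, which replaces a phone with sha256(salt + phone) in one transaction and refuses to run without a salt. SQLite stands in for Postgres; the schema, the scrub_session flag and the sample rows are all constructed for the illustration.

```python
import hashlib
import json
import sqlite3

# Added example, not Vorel's code. SQLite stands in for Postgres; the
# audit_log columns and the single-row scrub_session flag (Postgres would
# use a session-local setting) are assumptions made for this illustration.
SCHEMA = """
CREATE TABLE audit_log (
    id      INTEGER PRIMARY KEY,
    tenant  TEXT NOT NULL,
    event   TEXT NOT NULL,
    details TEXT NOT NULL            -- JSON document (JSONB in Postgres)
);
CREATE TABLE scrub_session (active INTEGER NOT NULL);
INSERT INTO scrub_session VALUES (0);

-- Append-only: DELETE is refused unconditionally.
CREATE TRIGGER audit_log_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;

-- UPDATE is refused unless a scrub session is active AND only the details
-- document changes; identity columns can never be rewritten.
CREATE TRIGGER audit_log_no_update BEFORE UPDATE ON audit_log
WHEN (SELECT active FROM scrub_session) = 0
     OR NEW.id != OLD.id OR NEW.tenant != OLD.tenant OR NEW.event != OLD.event
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""

# Constructed sample rows; "+971500000000" stands in for a customer phone.
SAMPLE_ROWS = [
    ("t_acme", "conversation.opened", {"channel": "whatsapp", "customer": {"phone": "+971500000000"}}),
    ("t_acme", "lead.created", {"phones": ["+971500000000", "+971500000001"]}),
    ("t_other", "conversation.opened", {"customer": {"phone": "+971500000000"}}),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    with conn:
        conn.executemany("INSERT INTO audit_log (tenant, event, details) VALUES (?, ?, ?)",
                         [(t, e, json.dumps(d)) for t, e, d in SAMPLE_ROWS])
    return conn


def phone_ref(phone, salt):
    """sha256(salt + phone) as the table describes. Refuses to run without a
    salt: phone numbers are enumerable, so the salt is really a
    pseudonymisation key and an empty default would make every reference
    trivially reversible."""
    if not salt:
        raise RuntimeError("audit hash salt is unset; refusing to scrub")
    return "sha256:" + hashlib.sha256((salt + phone).encode()).hexdigest()


def replace_phone(node, phone, ref):
    """Walk a decoded JSON document, replacing every string equal to `phone`
    with `ref`. Returns (new_document, replacement_count)."""
    if isinstance(node, dict):
        out, n = {}, 0
        for key, val in node.items():
            out[key], m = replace_phone(val, phone, ref)
            n += m
        return out, n
    if isinstance(node, list):
        out, n = [], 0
        for val in node:
            new_val, m = replace_phone(val, phone, ref)
            out.append(new_val)
            n += m
        return out, n
    return (ref, 1) if node == phone else (node, 0)


def scrub_phone(conn, tenant, phone, salt):
    """Erasure scrub for one phone inside one tenant, in one transaction.
    Returns the number of references replaced."""
    ref = phone_ref(phone, salt)
    replaced = 0
    with conn:  # commit on success; any error rolls back every row
        conn.execute("UPDATE scrub_session SET active = 1")
        rows = conn.execute("SELECT id, details FROM audit_log WHERE tenant = ?",
                            (tenant,)).fetchall()
        for row_id, details in rows:
            doc, n = replace_phone(json.loads(details), phone, ref)
            if n:
                conn.execute("UPDATE audit_log SET details = ? WHERE id = ?",
                             (json.dumps(doc), row_id))
                replaced += n
        conn.execute("UPDATE scrub_session SET active = 0")
    return replaced


def rows_containing(conn, tenant, needle):
    """Count rows in `tenant` whose details contain `needle` (raw phone or
    recomputed reference): the proof that the scrub happened."""
    return conn.execute("SELECT COUNT(*) FROM audit_log WHERE tenant = ? AND details LIKE ?",
                        (tenant, "%" + needle + "%")).fetchone()[0]


def rejected(conn, sql):
    """True if the append-only triggers refuse the statement."""
    try:
        with conn:
            conn.execute(sql)
    except sqlite3.IntegrityError:
        return True
    return False
```

In Postgres the scrub_session flag would be a session-local setting (set_config / current_setting) read by the trigger function, so another session cannot piggy-back on an open scrub. The third sample row shows the tenant scope the forget endpoint is described with: the same phone in another tenant is untouched.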

SOC 2

| Standard | Status |
|---|---|
| SOC 2 Type 1 | Not yet certified; targeted for Q4 2026. Foundational evidence is shipped (PII inventory, data-flow diagram, incident-response playbook, control matrix, SLOs). The target date is contingent on selecting and onboarding a compliance-automation platform; that decision is still pending. |
| SOC 2 Type 2 | A Type 2 follow-on (covering a multi-month operational observation window) may follow Type 1 for enterprise customers. No observation window is open today. |

We can share the underlying foundational documents (PII inventory excerpt, DPA template, SLO doc) under NDA today for a buyer's due-diligence pass. We do not hold a SOC 2 report today; any report will be published on completion of its audit.

PCI DSS

| Standard | Status |
|---|---|
| PCI SAQ-A | Live. Vorel's PCI merchant scope is SAQ-A: outsourced payment processing with no electronic storage, processing, or transmission of cardholder data on Vorel systems. Implemented architecturally via a vault-redirect to a PCI-compliant payment provider, so PAN/CVC/expiry never touch Vorel infrastructure. A CI lint gate refuses to merge a pull request that introduces DTMF card capture, PAN/CVC/expiry storage, or persistent tokens outside the provider's vault. See Payments + PCI. |
| PCI Level 1 | Not the path. An internal, audited policy documents the reopener conditions (enterprise customer at or above $100K ACV, conditional contract, policy amendment, roughly 3 months of engineering plus roughly 6 months of certification) under which Vorel-as-PCI-L1 would be revisited. Until then, vault-redirect is the architectural commitment. |
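The page does not say how the CI lint gate is built, so the following is an added illustration of the kind of check it describes, not Vorel's own gate: a scanner over the added lines of a unified diff that flags cardholder-data identifiers and Luhn-valid, card-shaped digit runs. The identifier list, the Finding shape and both sample diffs are constructed for the example.

```python
import re
from dataclasses import dataclass

# Added example, not Vorel's gate. Identifier list is illustrative.
FORBIDDEN_IDENTIFIERS = re.compile(
    r"\b(pan|card_number|cvc|cvv|expiry|exp_month|exp_year|gather_digits)\b", re.I)
# 13-19 digits, optionally separated by spaces or dashes, not part of a longer run.
DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass
class Finding:
    path: str
    line: int    # line number in the new version of the file
    kind: str    # "identifier" or "pan"
    match: str


def luhn_ok(digits):
    """Luhn checksum: separates card-shaped numbers from order ids and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def pan_like(text):
    """Digit runs in `text` that pass Luhn, separators stripped."""
    out = []
    for m in DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            out.append(digits)
    return out


def scan_diff(diff_text):
    """Scan only the added lines of a unified diff: removed and unchanged
    lines cannot bring cardholder data into the code base."""
    findings, path, new_line = [], "?", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("--- ") or raw.startswith("\\"):
            continue
        m = HUNK_HEADER.match(raw)
        if m:
            new_line = int(m.group(1))
            continue
        if raw.startswith("-"):
            continue
        if raw.startswith("+"):
            line = raw[1:]
            for ident in FORBIDDEN_IDENTIFIERS.findall(line):
                findings.append(Finding(path, new_line, "identifier", ident.lower()))
            for pan in pan_like(line):
                findings.append(Finding(path, new_line, "pan", pan))
        new_line += 1  # added and context lines both advance the new file
    return findings


def merge_allowed(diff_text):
    """The gate: a pull request merges only if the scan is clean."""
    return not scan_diff(diff_text)


# Constructed diffs. The first reintroduces DTMF capture and a test PAN;
# the second stays inside the vault-redirect design.
SAMPLE_DIFF = """\
diff --git a/voice/payment.py b/voice/payment.py
--- a/voice/payment.py
+++ b/voice/payment.py
@@ -10,2 +10,5 @@ def collect_payment(call):
     order_id = 1234567890123
-    return redirect_to_vault(call)
+    card_number = call.gather_digits(16)
+    cvc = call.gather_digits(3)
+    test_pan = "4111 1111 1111 1111"
+    return charge(card_number, cvc)
"""
CLEAN_DIFF = """\
diff --git a/voice/payment.py b/voice/payment.py
--- a/voice/payment.py
+++ b/voice/payment.py
@@ -10,2 +10,3 @@ def collect_payment(call):
     order_id = 1234567890123
+    vault_token = provider.vault_token_for(order_id)
     return redirect_to_vault(call)
"""
```

The Luhn step is what keeps the gate usable: a 13-digit order id in context or added code is not a card number, and a gate that blocks on every long digit run gets bypassed or disabled within a week.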

HIPAA

Per-customer engagement only. The clinic vertical pack ships safety guards (forbidden_phrases='diagnose' etc.), but HIPAA is not turn-key. Running a HIPAA-grade workflow requires Business Associate Agreements (BAAs) with every PHI-touching sub-processor in the chain (telephony, voice transcription, speech synthesis, and LLM inference). If you need HIPAA, talk to your Vorel operator before the kickoff call. We can sign per-customer BAAs with the relevant sub-processors, but the timeline and cost are real.

Sub-processor disclosure

The DPA template lists every sub-processor by region. Operators maintain the live list at the URL the DPA points to (TBD, counsel-approved location). Adding a new sub-processor or changing an existing sub-processor's processing scope triggers 30 days' notice to customers via the operator-configured contact email, with a chance to object. Today's sub-processor set covers the following categories. The DPA names each specific vendor; the public summary describes them by function:
  • Cloud + transport: managed cloud hosting and edge/CDN providers (the KMS envelope path is dormant today; it reactivates with EU/ME hosting).
  • Telephony + voice: telephony/DID providers, a voice-orchestration provider, a speech-to-text transcription provider, and a text-to-speech provider.
  • Messaging: a WhatsApp Cloud business-messaging provider.
  • Payments: a PCI-compliant payment provider operating the vault-redirect and acting as merchant of record for payment collection on restaurant / salon / auto_service packs. PAN/CVC/expiry never touch Vorel infrastructure.
  • LLM: large-language-model inference providers for chained-mode reasoning and, where applicable, voice (see Voice pipelines).
  • Auth + observability: an authentication provider, an error-monitoring provider, and a distributed-tracing provider.
  • CRM (per-tenant): the configured driver vendor for each tenant: HubSpot, Salesforce, Zoho, Mindbody, Athenahealth, Tekmetric, Odoo, Toast.
The canonical region registry is the reference for the per-region in/out matrix.

Data retention + deletion

Retention windows are policy-locked: changing them requires a code change plus a git-history-visible policy amendment, not a UI toggle. Per-tenant overrides can only narrow retention below the platform default; widening past the platform default requires an amendment to the internal, audited retention policy. See Data retention for the full four-class taxonomy and architectural invariants.
The architectural commitment is “your conversation transcripts live in your CRM, not in Vorel.” Vorel-side rows that hold transcript content or PII (class-(c)) are cached only until a successful CRM mirror, then purged on the ADR-frozen schedule.

Class (c): transcripts + PII

| Vorel-side row | Platform-default retention |
|---|---|
| messages (per-turn transcript) | 7 days post-insert AND post CRM-write success |
| conversations | 30 days post-close AND post CRM-write success |
| customers + customer_profiles + leads | 30 days post-update AND post CRM-write success |
| appointments | 60 days post-scheduled-end AND post CRM-write success |
| cases + case child tables | 90 days post-close AND post CRM-write success |
| qa_evaluations (aggregate) | 365 days post-insert AND post CRM-write success |
| resolution_events | 365 days post-classification AND post CRM-write success |
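As an added example (not Vorel's purge job), the following encodes the two rules the retention text and the class (c) table describe: a per-tenant override may only narrow a window, and a row is purged only when both the time window and a successful CRM write hold, so an unmirrored row is held rather than purged. The anchor column names, the crm_written_at column and the sample clock are assumptions; the table only names the anchor events.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Added example, not Vorel's purge job. Column names are assumptions made
# to give each anchor event in the class (c) table a timestamp.
CLASS_C_DEFAULTS = {
    "messages":          ("inserted_at", 7),
    "conversations":     ("closed_at", 30),
    "customers":         ("updated_at", 30),
    "leads":             ("updated_at", 30),
    "appointments":      ("scheduled_end_at", 60),
    "cases":             ("closed_at", 90),
    "qa_evaluations":    ("inserted_at", 365),
    "resolution_events": ("classified_at", 365),
}

SAMPLE_NOW = datetime(2026, 3, 10, tzinfo=timezone.utc)  # constructed clock


def days_ago(n):
    return SAMPLE_NOW - timedelta(days=n)


def effective_retention_days(table, tenant_override_days=None):
    """Per-tenant overrides may only narrow retention. Widening past the
    platform default is a policy amendment, not a runtime setting, so a
    wider override is refused rather than silently clamped."""
    _, default_days = CLASS_C_DEFAULTS[table]
    if tenant_override_days is None:
        return default_days
    if tenant_override_days > default_days:
        raise ValueError(f"{table}: override {tenant_override_days}d exceeds "
                         f"platform default {default_days}d")
    return tenant_override_days


@dataclass
class PurgeDecision:
    eligible: bool
    reason: str
    not_before: Optional[datetime] = None


def purge_decision(table, row, now=SAMPLE_NOW, tenant_override_days=None):
    """Both halves of 'N days post-<anchor> AND post CRM-write success' must
    hold. A row whose CRM mirror never succeeded is held, not purged: purging
    it would destroy the only copy of the transcript."""
    anchor_col, _ = CLASS_C_DEFAULTS[table]
    days = effective_retention_days(table, tenant_override_days)
    anchor = row.get(anchor_col)
    if anchor is None:
        return PurgeDecision(False, f"{anchor_col} not set; window has not started")
    mirrored = row.get("crm_written_at")
    if mirrored is None:
        return PurgeDecision(False, "no successful CRM write; held, not purged")
    not_before = max(anchor + timedelta(days=days), mirrored)
    if now < not_before:
        return PurgeDecision(False, "inside retention window", not_before)
    return PurgeDecision(True, "window elapsed and CRM mirror confirmed", not_before)


def unmirrored_backlog(table, rows, now=SAMPLE_NOW):
    """Rows past their window that are blocked only by a missing CRM write.
    This backlog is PII that the policy says should be gone, so it is the
    number an operator dashboard should alert on."""
    anchor_col, days = CLASS_C_DEFAULTS[table]
    return [r for r in rows
            if r.get("crm_written_at") is None
            and r.get(anchor_col) is not None
            and now >= r[anchor_col] + timedelta(days=days)]
```

The hold-on-unmirrored rule is the caveat the table's AND hides: a broken CRM driver does not just delay mirroring, it stops every class (c) purge for that tenant, so the backlog count needs to be watched, not just the purge job's success.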

Class (b): operational telemetry (selected entries)

| Vorel-side row | Platform-default retention | Purpose |
|---|---|---|
| voice_call_cost | 365 days | Billing reconciliation |
| voice_call_cost.payment_resolution | 365 days | PCI reconciliation |
| voice_turn_latency | 90 days | Latency regression window |
| llm_calls | 90 days | LLM usage analytics |
| webhook_deliveries | 30 days | Forensic-only after delivery |
| shadow_dispatch_comparisons | 30 days | Pipeline cutover research artifact |
| quality_signals + quality_failures | 365 days | Quality dashboards |

Class (d): audit-only (long-lived)

audit_log, billing_events, tenants, users, voice_cutover_event, lora_adapters, offerings, knowledge_base_entries, webhooks, voice_numbers, incidents, api_keys, and the configuration / prompt-management surfaces. Audit log retention is governed by the existing N-3 retention regime; the rest are long-lived by structural design with per-table rationale documented.

Subscription-term context

  • Customer Data, subscription term. Vorel retains tenant-scoped data for the duration of the subscription plus a 30-day grace period to allow final export, subject to the per-class TTL windows above (the class-(c) post-CRM-write purges run continuously during the subscription).
  • On termination. Deleted or returned within 60 days, except as required by law.
  • Audit log. Append-only; survives application-layer right-to-erasure scrubs. Salted-hash references replace raw PII so a deletion is provable without re-introducing the PII.
The right-to-erasure path runs against a narrow subset (a single customer phone within a single tenant) and is dry-run by default on the operator side. Mass erasure (an entire tenant) runs at termination via the same primitives.

What we explicitly do NOT do

  • We don’t use customer-collected data to train third-party AI models. No tenant conversations or PII are shipped to model-training pipelines (ours or vendor-side).
  • We don’t sell, share, or analyse customer data across tenants. RLS enforces per-tenant isolation at the DB level (see Security overview).
  • We don’t repurpose tenant data for analytics outside their tenant. Per-tenant analytics surfaces only that tenant’s data; cross-tenant operator views (operator-side) are audit-logged.

Bug bounty + responsible disclosure

We don’t run a formal bug bounty program today. Email security@vorel.ai to report a vulnerability. We acknowledge within 48 hours, triage within 5 business days, and credit reporters in the changelog (with consent) once fixed.