Data Journey, Storage & Security

This article explains how data travels through VoiceB, where it is processed, where it is stored, and how it is protected. It is written for IT, Security, Legal, Procurement, and Enterprise stakeholders who need a clear, auditable view of the platform.

VoiceB is designed EU-first, privacy-by-design, and production-ready for regulated industries.

High-Level Architecture Principles

Before diving into the diagrams, a few non-negotiables:

• EU data residency by default

• Stateless AI reasoning (no LLM data storage or training)

• Clear separation between real-time processing and persistent storage

• Client remains Data Controller at all times

• VoiceB acts strictly as Data Processor

• VoiceB Data Sub-processors list

Process 1 — Inbound Calls (DID / DDI)

Data Flow Diagram

Caller
  |
  v
Inbound Phone Number (DID / DDI)
  |
  v
Twilio (EU)
(Call routing, SIP, optional recording)
  |
  v
Voice Engine
- ElevenLabs (EU – default)
- Bland (US – backup, GDPR-compliant)
  |
  v
LLM Reasoning Layer
- Gemini 2.5 / Gemini 3 (Google – EU processing)
(NO DATA PERSISTENCE)
  |
  v
Voice Response (TTS)
(ElevenLabs)
  |
  v
VoiceB Control Plane
- Vercel (EU)
- PostgreSQL (EU)
  |
  v
Client CRM / Systems

What Happens Here

• The call is received via Twilio (EU)

• Voice is synthesized and understood by ElevenLabs (EU)

• The AI reasoning is executed by Google Gemini, processed in the EU

• Results (transcripts, outcomes, structured data) are stored in Vercel (EU) backed by PostgreSQL

• Business data is pushed to the Client CRM, which becomes the system of record

Storage Summary

• Call recordings: Twilio (EU) if enabled

• Transcripts & metadata: PostgreSQL (EU)

• No data stored in the LLM layer

Process 2 — Click-to-Call (API-Triggered Calls)

Data Flow Diagram

What Changes vs Inbound

• The trigger is an API event, not a phone number

• The rest of the architecture is identical

• No browser audio or frontend PII is stored

Storage Summary

• Same persistence rules as inbound calls

• No additional data captured beyond operational needs

Process 3 — Web VOIP (Widget-Based Calls)

Data Flow Diagram

Additional Notes

• Web widget configuration is stored in Vercel (EU)

• Call recordings (if enabled) are stored only in Twilio (EU)

• Fully compatible with WebRTC security standards

Where Data Is Stored (Clear & Simple)

Stored in the EU

• Call metadata (timestamps, duration, outcomes)

• Transcripts (optional, configurable)

• Structured fields collected during calls

• Prompts, configurations, and audit logs

Not Stored Anywhere

• LLM prompts beyond runtime execution

• Any data inside Gemini

• Any data reused for training

• Any cross-customer data

Data Processing Agreement (DPA)

VoiceB provides a standard GDPR-compliant DPA, aligned with Articles 28–32.

Roles

• Client → Data Controller

• VoiceB → Data Processor

Covered Topics

• Scope and purpose of processing

• Categories of data subjects and data types

• Sub-processors and hosting regions

• Technical and organizational measures

• Incident notification SLAs

• Data subject rights and deletion workflows

Sub-Processors (Default)

• Twilio — EU

• ElevenLabs — EU

• Google (Gemini) — EU

• Vercel — EU

US-based providers (e.g. Bland) are failover-only, GDPR-compliant, and covered by SCCs.

Security Architecture

Infrastructure Security

• EU-based cloud infrastructure

• Logical tenant isolation

• Hardened environments

• Continuous monitoring

Data in Transit

• TLS encryption end-to-end

• Secure SIP and WebRTC channels

• Signed and authenticated APIs

Data at Rest

• Encrypted PostgreSQL databases (EU)

• Encrypted call recordings (Twilio EU)

• Encrypted backups with restricted access

Access Control

• Role-based access (RBAC)

• Least-privilege principle

• Full audit logs

• No internal access to content without authorization

Retention & Deletion

• Retention policies are client-configurable

• Automatic deletion supported

• Manual purge on request

• Full GDPR Right-to-Erasure compliance

• Call recordings can be disabled entirely

What VoiceB Explicitly Does NOT Do

• ❌ No training on customer data

• ❌ No data resale or reuse

• ❌ No hidden storage in AI models

• ❌ No uncontrolled sub-processors

Enterprise Readiness

VoiceB is built to pass:

• Enterprise security reviews

• GDPR and privacy assessments

• Telecom, energy, and banking compliance checks

• Procurement and legal due diligence

Available on request:

• Signed DPA

• Sub-processor list

• Visual data flow diagrams (PDF / slides)

• Security annex

Bottom Line

VoiceB’s data journey is:

• Transparent

• EU-first

• Contractually protected

• Technically locked down

Data flows in, intelligence happens in real time, outcomes flow to your systems—and nothing unnecessary persists.

That’s the architecture. No shortcuts. No ambiguity