# Data Journey, Storage & Security

This article explains **how data travels through VoiceB**, **where it is processed**, **where it is stored**, and **how it is protected**.\
It is written for **IT, Security, Legal, Procurement, and Enterprise stakeholders** who need a clear, auditable view of the platform.

VoiceB is designed **EU-first**, **privacy-by-design**, and **production-ready for regulated industries**.

***

### High-Level Architecture Principles

Before diving into the diagrams, a few non-negotiables:

* **EU data residency by default**
* **Stateless AI reasoning** (no LLM data storage or training)
* **Clear separation** between real-time processing and persistent storage
* **Client remains Data Controller** at all times
* **VoiceB acts strictly as Data Processor**
* [**VoiceB Data Sub-processors list**](https://docs.voiceb.ai/legal-and-compliance/data-sub-processors)

***

### Process 1 — Inbound Calls (DID / DDI)

#### Data Flow Diagram

```
Caller
  |
  v
Inbound Phone Number (DID / DDI)
  |
  v
Twilio (EU)
(Call routing, SIP, optional recording)
  |
  v
Voice Engine
- ElevenLabs (EU – default)
- Bland (US – backup, GDPR-compliant)
  |
  v
LLM Reasoning Layer
- Gemini 2.5 / Gemini 3 (Google – EU processing)
(NO DATA PERSISTENCE)
  |
  v
Voice Response (TTS)
(ElevenLabs)
  |
  v
VoiceB Control Plane
- Vercel (EU)
- PostgreSQL (EU)
  |
  v
Client CRM / Systems
```

#### What Happens Here

* The call is received via **Twilio (EU)**
* Speech is understood and synthesized by **ElevenLabs (EU)**
* The AI reasoning is executed by **Google Gemini**, processed in the EU
* Results (transcripts, outcomes, structured data) are stored in **Vercel (EU)** backed by PostgreSQL
* Business data is pushed to the **Client CRM**, which becomes the system of record

#### Storage Summary

* Call recordings: **Twilio (EU)** if enabled
* Transcripts & metadata: **PostgreSQL (EU)**
* No data stored in the LLM layer

***

### Process 2 — Click-to-Call (API-Triggered Calls)

#### Data Flow Diagram

```
Website / App User
  |
  v
Click-to-Call API
(Vercel – EU)
  |
  v
Twilio (EU)
(Call initiation)
  |
  v
Voice Engine
- ElevenLabs (EU – default)
- Bland (US – backup)
  |
  v
LLM Reasoning Layer
- Gemini 2.5 / Gemini 3 (EU)
  |
  v
Voice Response
  |
  v
VoiceB Control Plane
- Vercel (EU)
- PostgreSQL (EU)
  |
  v
Client CRM / Lead Systems
```

#### What Changes vs Inbound

* The trigger is an **API event**, not a phone number
* The rest of the architecture is **identical**
* No browser audio or frontend PII is stored

#### Storage Summary

* Same persistence rules as inbound calls
* No additional data captured beyond operational needs

***

### Process 3 — Web VOIP (Widget-Based Calls)

#### Data Flow Diagram

```
Website Visitor
  |
  v
VoiceB Web VOIP Widget
(Vercel – EU)
  |
  v
Twilio (EU)
(WebRTC / SIP bridge)
  |
  v
Voice Engine
- ElevenLabs (EU – default)
- Bland (US – backup)
  |
  v
LLM Reasoning Layer
- Gemini 2.5 / Gemini 3 (EU)
  |
  v
Voice Response
  |
  v
VoiceB Control Plane
- Vercel (EU)
- PostgreSQL (EU)
  |
  v
Client CRM / BI Systems
```

#### Additional Notes

* Web widget configuration is stored in **Vercel (EU)**
* Call recordings (if enabled) are stored **only in Twilio (EU)**
* Fully compatible with WebRTC security standards

***

### Where Data Is Stored (Clear & Simple)

#### Stored in the EU

* Call metadata (timestamps, duration, outcomes)
* Transcripts (optional, configurable)
* Structured fields collected during calls
* Prompts, configurations, and audit logs

#### Not Stored Anywhere

* LLM prompts beyond runtime execution
* Any data inside Gemini
* Any data reused for training
* Any cross-customer data

***

### Data Processing Agreement (DPA)

VoiceB provides a **standard GDPR-compliant DPA**, aligned with **Articles 28–32**.

#### Roles

* **Client** → Data Controller
* **VoiceB** → [Data Processor](https://docs.voiceb.ai/legal-and-compliance/data-sub-processors)

#### Covered Topics

* Scope and purpose of processing
* Categories of data subjects and data types
* Sub-processors and hosting regions
* Technical and organizational measures
* Incident notification SLAs
* Data subject rights and deletion workflows

#### [Sub-Processors](https://docs.voiceb.ai/legal-and-compliance/data-sub-processors) (Default)

* **Twilio** — EU
* **ElevenLabs** — EU
* **Google (Gemini)** — EU
* **Vercel** — EU

US-based providers (e.g. **Bland**) are **failover-only**, GDPR-compliant, and covered by SCCs.

***

### Security Architecture

#### Infrastructure Security

* EU-based cloud infrastructure
* Logical tenant isolation
* Hardened environments
* Continuous monitoring

#### Data in Transit

* TLS encryption end-to-end
* Secure SIP and WebRTC channels
* Signed and authenticated APIs

#### Data at Rest

* Encrypted PostgreSQL databases (EU)
* Encrypted call recordings (Twilio EU)
* Encrypted backups with restricted access

#### Access Control

* Role-based access (RBAC)
* Least-privilege principle
* Full audit logs
* No internal access to content without authorization

***

### Retention & Deletion

* Retention policies are **client-configurable**
* Automatic deletion supported
* Manual purge on request
* Full GDPR Right-to-Erasure compliance
* Call recordings can be disabled entirely

***

### What VoiceB Explicitly Does NOT Do

* ❌ No training on customer data
* ❌ No data resale or reuse
* ❌ No hidden storage in AI models
* ❌ No uncontrolled sub-processors

***

### Enterprise Readiness

VoiceB is built to pass:

* Enterprise security reviews
* GDPR and privacy assessments
* Telecom, energy, and banking compliance checks
* Procurement and legal due diligence

Available on request:

* Signed DPA
* Sub-processor list
* Visual data flow diagrams (PDF / slides)
* Security annex

***

### Bottom Line

VoiceB’s data journey is:

* **Transparent**
* **EU-first**
* **Contractually protected**
* **Technically locked down**

Data flows in, intelligence happens in real time, outcomes flow to your systems—**and nothing unnecessary persists**.

That’s the architecture. No shortcuts. No ambiguity.

