Security & compliance

Built like your customers' data is yours.

Invox AI is GDPR-compliant by design, hosted in the EU, and encrypted end-to-end. Every recording, transcript, and contact your AI agent handles is protected the way you would protect it yourself.

  • GDPR-compliant by design

    • Data is collected and processed under UK GDPR.
    • Data subjects can request access, correction or erasure at any time.
    • Customers can delete any record (calls, transcripts, contacts) directly from the dashboard.
    • Full Limited Use disclosure for Google Workspace data on the privacy page.

  • EU data residency

    • Database hosted on Supabase, EU region (Postgres).
    • Edge runtime hosted on Vercel, UK / EU region.
    • Telephony via Vonage with UK numbers and UK media routing.
    • No customer data is moved out of the EU as part of normal operation.

  • Encryption everywhere

    • TLS 1.2+ for every request to Invox APIs and webhooks.
    • AES-256 at rest for the database and call recordings.
    • OAuth tokens encrypted with an application-only key.
    • Secrets stored in encrypted environment variables, never in source control.

  • Tight access controls

    • Row-level security on every customer-data table — agents and webhooks can only see data for their own user_id.
    • Service-role keys are never exposed to the browser.
    • Production access is restricted to authorised team members and is logged.
    • Single-tenant data isolation per user, enforced at the database layer.

  • Operational transparency

    • Live status published at /status.
    • Incidents are disclosed to affected customers within 72 hours of confirmation.
    • Sub-processors are listed publicly on the privacy page.
    • Customers can export everything to CSV at any time.

  • Compliance roadmap

    • SOC 2 Type II — preparation in progress.
    • ICO data-protection registration — pending.
    • Cyber Essentials — pending.
    • Customer-facing DPA available on request.

Sub-processors

Every third party we share data with.

Invox uses a small set of best-in-class infrastructure providers. Each is bound by contract to handle data only for the purpose of providing their service to Invox. Customer data is never sold and never used to train general-purpose AI models.

  • SupabaseDatabase & authenticationEU
  • VercelHosting (web + edge)UK / EU edge
  • VonageTelephony & SMSUK
  • Retell AIReal-time voice inferenceEU
  • OpenAILanguage model inferenceUS (DPA in place)
  • AnthropicLanguage model inferenceUS (DPA in place)
  • StripePaymentsUK / EU
  • GoogleWorkspace integrations (when connected)EU
  • SentryError monitoringEU

For the full data-handling and Limited Use disclosure, see the privacy policy. To request a DPA or to report a security concern, email support@invoxai.uk.