Skip to main content

Trust Center · Updated 31 May 2026

Trust Center.

Everything procurement, security, and legal need before signing. DPA, sub-processors, Article 50 disclosure templates, ROPA, security summary.

The one-minute proof

Download the exact receipt your client’s DPO inspects.

Anonymised sample of the per-call evidence receipt — the same artifact a DPO or auditor reviews. Open the PDF, inspect the JSON, walk the cryptographic chain yourself.

The receipt isdesigned to be inspected and verified by your client’s DPO or auditor— every field is open and will be independently verifiable atverify.audact.ai (launching). We don’t ask anyone to take our word for it.

At a glance

What legal & procurement can verify today.

Legal entity
Audact AI Ltd · UK Companies House 17059133 · LondonImplemented
Hosting region
AWS Frankfurt (eu-central-1) — physically EUImplemented
Data roles
Audact = processor; agency customer = controller (GDPR Art. 28)Contractual
Sub-processors
Full list below · 30-day change noticeImplemented
Retention
Call audio 90 days (configurable) · evidence chain 7 yearsImplemented
Encryption
TLS 1.3 in transit · AES-256 at rest · crypto-shreddingImplemented
DPA / AVV
Art. 28-aligned · final PDF in onboardingContractual
Sample signed receipt
Per-call evidence receipt — inspect the PDF + JSON DownloadImplemented
Security contact
security@audact.ai · responsible disclosure EmailImplemented
Launch scope
Voice live in DE/NL/AT/BE/FR · Article 50 covered across all 27 EUIn pilot
GDPR
Compliant
EU AI Act Art. 50
Supported · Article 50, 2 August 2026
ISO 27001
In progress
ISO 42001
Planned (target 2027)
SOC 2 Type II
Planned 2027

Pen-test schedule: annual external (next: Q3 2026). DPA + sub-processor list below.

Proof, not claims

See every artifact we sign — before you sign anything.

Beyond the per-call receipt above: the anonymised monthly compliance report and the full sample artifact library — the same artifacts your auditor or DPO will inspect.

What’s live today · 31 May 2026

Built, shipped, and verifiable now.

Everything below is in production today. Counsel-pending items are clearly marked further down.

Article 50 disclosure runtime

Live since 23 March 2026 · per-call disclosure attestation

Cryptographic evidence chain

Per-call Merkle proofs + RFC 3161 TSA · receipts issued per call (pilot to date)

EU-hosted infrastructure

AWS Frankfurt (eu-central-1)

Audact platform M1-M10

MVP complete · staging.audact.ai running

44 patent families

Filed UK IPO Q1-Q2 2026 (patent-pending status)

Per-jurisdiction policy engine

DE/NL/AT/BE/FR live · 27 EU Member States covered for Article 50

Sample receipt + monthly report

Public downloads at /receipt-explorer

External counsel review in progress· DPA + ROPA + DPIA template + Audact Guarantee · Target consolidated publication Q3 2026. Items below marked🟡 Previeware counsel-pending — content available now, final wording subject to counsel sign-off.

Status legend: Live · use today Preview · counsel-pending, content available Planned · target quarter shown

1. Data Processing Agreement (DPA/AVV)

Preview

Audact’s GDPR Article 28-aligned Data Processing Agreement covers compute providers, sub-processors, crypto-shredding protocol, audit rights, and 48-hour breach notification.

Version: 1.0-PREVIEW · Last updated: 2026-05-25

Final DPA PDF available in pilot-onboarding (1-on-1 with first paying customer). Public template will be linked here after counsel signoff (target Q3 2026 — see banner above).

2. Sub-processor list

Live
ProviderCountryFunctionData category
AWS (Frankfurt)EU (Frankfurt)Infrastructure hostingAll platform data
CloudflareEU + global edgeCDN, DNS, DDoS protectionRequest metadata
TelnyxEU PoPs — SCCsSIP telephonyCall audio in transit, telephony metadata
LiveKit CloudEU regionWebRTC transport, turn detectionAudio in transit (no retention)
Deepgram Nova-3US (EU endpoint) — SCCsSpeech-to-text (default)Audio in transit (no retention configured)
ElevenLabs FlashUS/EU — SCCsText-to-speech (default)LLM-generated text
OpenAI / AnthropicUS (EU endpoint where available) — SCCsLLM inference (GPT-4o-mini default, Claude Sonnet premium)Conversational text (no retention configured)
Google WorkspaceUS/EU — SCCsEmail, docsBusiness communications
SlackUS — SCCsInternal communicationsInternal messages
NotionUS — SCCsWiki / project managementInternal operational data
1PasswordCanada/EUCredential managementEncrypted credentials
Stripe (when live)US/IE — SCCsPayment processingBilling data

We notify customers30 days before adding new sub-processors. Last updated 2026-05-31.

Voxtral (Mistral) evaluation Q3 2026 for EU-native TTS option. Hetzner Germany migration targeted July 2026 — see EU-native stack roadmap below.

3. EU AI Act Article 50 + Marketing Claim Matrix

Preview

Audact is designed to support Article 50 disclosure attestation across all 27 EU member states — voice deployments live in 5 (DE/NL/FR/AT/BE), additional by pilot demand — in each Member State’s official language(s). Scripts are reviewed by counsel before publication and version-pinned per call.

Languages available: NL, DE, FR, IT, ES, PT, PL, DA, SV (more on request)

Marketing Claim Matrix

What agencies and Audact may and may not claim publicly.

ClaimAllowedWhy
Article 50 disclosure-ready architectureArchitecture designed to support per-call attestation and disclosure scripts per Member State
Cryptographic evidence chainSHA-256 + Merkle aggregation + RFC 3161 TSA — verifiable architecture
44 patent familiesAll filed UK IPO, filing receipts available, see /patents
Patent-pendingAccurate — none granted yet, all filed
Audact Inside badgeCustomer must enable; badge links to a public verifier with cryptographic hash verification.
Patent-protectedMisleading until UK IPO grants. Use 'patent-pending' instead.
EU-sovereignAWS Frankfurt is physically EU but legally US. Use 'EU-hosted'.
Court-grade evidenceArchitecture-claim, not legal opinion. Use 'audit-ready receipts' or 'tamper-evident evidence'.
Illegal alternative platformsDefamatory. Use specific factual claims (e.g., 'no self-service GDPR Art.17 deletion') with public source.
Guaranteed complianceAudact Guarantee covers governed-engine misses only. Don't promise unconditional compliance.

4. Records of Processing Activities (ROPA)

Preview

Public summary of GDPR Article 30 ROPA. Full ROPA per-customer is available in DPA-portal after pilot signup.

  • Processing categories:voice AI agent calls (inbound + outbound), evidence chain attestation, brand governance validation, billing
  • Data subjects:end-clients of Audact’s agency customers (callers reaching agency-deployed voice AI agents)
  • Retention:per-customer configurable, default 90 days for call audio, 7 years for cryptographic evidence chain (audit requirement)
  • Lawful basis:contract performance (Art 6.1.b) for the Audact-to-agency relationship; agency is responsible for end-caller lawful basis

4.5. Intellectual property

Live

Patent portfolio:

  • 44 patent-pending families filed at the UK Intellectual Property Office by Audact AI Ltd
  • All filings are applications under examination; none are granted yet

Entity structure:

  • Audact AI Ltd (UK Companies House no. 17059133): IP-holding entity
  • Audact (Ireland) Ltd: operating company

Detailed IP documentation is available to customers and counsel on request.

5. DPIA template

Preview

Pre-filled Data Protection Impact Assessment template for agencies to use with end-clients in higher-risk verticals (medical, financial, vulnerable persons).

Available for download in pilot-onboarding now; public version follows counsel sign-off (see banner above).

6. Status page

Live

Live status, uptime metrics, and recent incidents:status.audact.ai(BetterStack-powered)

Subscribe to status updates via RSS, email, or SMS at the link above.

7. Security summary

Live
  • Encryption:TLS 1.3 in transit, AES-256 at rest, crypto-shredding for retention-expired PII
  • ISO 27001:in-progress, ETA Q4 2026
  • SOC 2 Type II:planned 2027 (after first 10 paying customers)
  • Pen-test schedule:annual external pen-test (next: Q3 2026 with QA Consulting)
  • Access control:RBAC, MFA mandatory for all admin access, audit log retained 2 years
  • Incident response:72-hour regulatory notification, on-call rotation via PagerDuty

8. Contact

Live

Counsel:external counsel — EU AI Act, GDPR Article 28 DPA, patent strategy.

9. EU-native stack roadmap

Planned

We’re transparent about where we are vs where we’re going. Some current sub-processors are US-incorporated (CLOUD Act exposure) but physically EU-hosted. Our roadmap moves us to fully EU-native (legally + physically) where possible.

LayerCurrentTargetTimeline
ComputeAWS Frankfurt (legally US, physically EU)Hetzner Germany (legally + physically EU)Target migration July 2026
Telephony (SIP)Telnyx EU PoPsSame — Telnyx EU is acceptableStable
STTDeepgram (US, EU endpoint)Gladia (Paris, full EU)Evaluation Q2-Q3 2026
TTSElevenLabs Flash (US/EU)Voxtral (Mistral, Paris) — zero-shot voice cloningEvaluation Q2-Q3 2026
LLMOpenAI / Anthropic (US, EU endpoint)Mistral (Paris) for sensitive use casesAvailable now as opt-in
MCP (Model Context Protocol)Not yet implementedNative Anthropic MCP server (Audact-platform)Planned Q3 2026 (Phase 1 launch)

10. Audact Guarantee — scope

Preview

“If a regulator finds the base platform non-compliant, we cover the fine.”

This is a narrow guarantee on governed conversations only. It applies to misses by the Audact governance engine — meaning: cases where our engine should have blocked an utterance per the active rules, but didn’t.

What’s covered

  • Base-platform non-compliance with EU AI Act Article 50 (when policy engine is enabled per jurisdiction)
  • Brand-governance misses (when brand-governance rules are configured and active)
  • Per-call evidence-chain integrity failures (cryptographic-receipt validation)

What’s NOT covered

  • Customer prompt-engineering errors that bypass policy intent
  • End-client misuse of the platform (e.g., agencies turning off compliance rules)
  • Compliance areas outside the configured jurisdictions
  • FRIA-required deployments where customer didn’t complete FRIA
  • Regulatory changes occurring after deployment (we’ll update; obligation to migrate stays with customer)

Full guarantee terms in the reseller-agreement template (available in pilot-onboarding once counsel signs off — see banner above).

When incidents happen —Audact Defense (planned Q3 2026) →

Ready to send this to procurement?

Get the DPA + sub-processor list + Marketing Claim Matrix as a single PDF pack — or schedule a 30-min security review call.