Trust Center · Updated 31 May 2026
Trust Center.
Everything procurement, security, and legal need before signing. DPA, sub-processors, Article 50 disclosure templates, ROPA, security summary.
The one-minute proof
Download the exact receipt your client’s DPO inspects.
Anonymised sample of the per-call evidence receipt — the same artifact a DPO or auditor reviews. Open the PDF, inspect the JSON, walk the cryptographic chain yourself.
The receipt isdesigned to be inspected and verified by your client’s DPO or auditor— every field is open and will be independently verifiable atverify.audact.ai (launching). We don’t ask anyone to take our word for it.
At a glance
What legal & procurement can verify today.
- Legal entity
- Audact AI Ltd · UK Companies House 17059133 · LondonImplemented
- Hosting region
- AWS Frankfurt (eu-central-1) — physically EUImplemented
- Data roles
- Audact = processor; agency customer = controller (GDPR Art. 28)Contractual
- Sub-processors
- Full list below · 30-day change noticeImplemented
- Retention
- Call audio 90 days (configurable) · evidence chain 7 yearsImplemented
- Encryption
- TLS 1.3 in transit · AES-256 at rest · crypto-shreddingImplemented
- DPA / AVV
- Art. 28-aligned · final PDF in onboardingContractual
- Sample signed receipt
- Per-call evidence receipt — inspect the PDF + JSON DownloadImplemented
- Security contact
- security@audact.ai · responsible disclosure EmailImplemented
- Launch scope
- Voice live in DE/NL/AT/BE/FR · Article 50 covered across all 27 EUIn pilot
Pen-test schedule: annual external (next: Q3 2026). DPA + sub-processor list below.
Proof, not claims
See every artifact we sign — before you sign anything.
Beyond the per-call receipt above: the anonymised monthly compliance report and the full sample artifact library — the same artifacts your auditor or DPO will inspect.
What’s live today · 31 May 2026
Built, shipped, and verifiable now.
Everything below is in production today. Counsel-pending items are clearly marked further down.
Article 50 disclosure runtime
Live since 23 March 2026 · per-call disclosure attestation
Cryptographic evidence chain
Per-call Merkle proofs + RFC 3161 TSA · receipts issued per call (pilot to date)
EU-hosted infrastructure
AWS Frankfurt (eu-central-1)
Audact platform M1-M10
MVP complete · staging.audact.ai running
44 patent families
Filed UK IPO Q1-Q2 2026 (patent-pending status)
Per-jurisdiction policy engine
DE/NL/AT/BE/FR live · 27 EU Member States covered for Article 50
Sample receipt + monthly report
Public downloads at /receipt-explorer
External counsel review in progress· DPA + ROPA + DPIA template + Audact Guarantee · Target consolidated publication Q3 2026. Items below marked🟡 Previeware counsel-pending — content available now, final wording subject to counsel sign-off.
1. Data Processing Agreement (DPA/AVV)
PreviewAudact’s GDPR Article 28-aligned Data Processing Agreement covers compute providers, sub-processors, crypto-shredding protocol, audit rights, and 48-hour breach notification.
Version: 1.0-PREVIEW · Last updated: 2026-05-25
Final DPA PDF available in pilot-onboarding (1-on-1 with first paying customer). Public template will be linked here after counsel signoff (target Q3 2026 — see banner above).
2. Sub-processor list
Live| Provider | Country | Function | Data category |
|---|---|---|---|
| AWS (Frankfurt) | EU (Frankfurt) | Infrastructure hosting | All platform data |
| Cloudflare | EU + global edge | CDN, DNS, DDoS protection | Request metadata |
| Telnyx | EU PoPs — SCCs | SIP telephony | Call audio in transit, telephony metadata |
| LiveKit Cloud | EU region | WebRTC transport, turn detection | Audio in transit (no retention) |
| Deepgram Nova-3 | US (EU endpoint) — SCCs | Speech-to-text (default) | Audio in transit (no retention configured) |
| ElevenLabs Flash | US/EU — SCCs | Text-to-speech (default) | LLM-generated text |
| OpenAI / Anthropic | US (EU endpoint where available) — SCCs | LLM inference (GPT-4o-mini default, Claude Sonnet premium) | Conversational text (no retention configured) |
| Google Workspace | US/EU — SCCs | Email, docs | Business communications |
| Slack | US — SCCs | Internal communications | Internal messages |
| Notion | US — SCCs | Wiki / project management | Internal operational data |
| 1Password | Canada/EU | Credential management | Encrypted credentials |
| Stripe (when live) | US/IE — SCCs | Payment processing | Billing data |
We notify customers30 days before adding new sub-processors. Last updated 2026-05-31.
Voxtral (Mistral) evaluation Q3 2026 for EU-native TTS option. Hetzner Germany migration targeted July 2026 — see EU-native stack roadmap below.
3. EU AI Act Article 50 + Marketing Claim Matrix
PreviewAudact is designed to support Article 50 disclosure attestation across all 27 EU member states — voice deployments live in 5 (DE/NL/FR/AT/BE), additional by pilot demand — in each Member State’s official language(s). Scripts are reviewed by counsel before publication and version-pinned per call.
Languages available: NL, DE, FR, IT, ES, PT, PL, DA, SV (more on request)
Marketing Claim Matrix
What agencies and Audact may and may not claim publicly.
| Claim | Allowed | Why |
|---|---|---|
| Article 50 disclosure-ready architecture | Architecture designed to support per-call attestation and disclosure scripts per Member State | |
| Cryptographic evidence chain | SHA-256 + Merkle aggregation + RFC 3161 TSA — verifiable architecture | |
| 44 patent families | All filed UK IPO, filing receipts available, see /patents | |
| Patent-pending | Accurate — none granted yet, all filed | |
| Audact Inside badge | Customer must enable; badge links to a public verifier with cryptographic hash verification. | |
| Patent-protected | Misleading until UK IPO grants. Use 'patent-pending' instead. | |
| EU-sovereign | AWS Frankfurt is physically EU but legally US. Use 'EU-hosted'. | |
| Court-grade evidence | Architecture-claim, not legal opinion. Use 'audit-ready receipts' or 'tamper-evident evidence'. | |
| Illegal alternative platforms | Defamatory. Use specific factual claims (e.g., 'no self-service GDPR Art.17 deletion') with public source. | |
| Guaranteed compliance | Audact Guarantee covers governed-engine misses only. Don't promise unconditional compliance. |
4. Records of Processing Activities (ROPA)
PreviewPublic summary of GDPR Article 30 ROPA. Full ROPA per-customer is available in DPA-portal after pilot signup.
- Processing categories:voice AI agent calls (inbound + outbound), evidence chain attestation, brand governance validation, billing
- Data subjects:end-clients of Audact’s agency customers (callers reaching agency-deployed voice AI agents)
- Retention:per-customer configurable, default 90 days for call audio, 7 years for cryptographic evidence chain (audit requirement)
- Lawful basis:contract performance (Art 6.1.b) for the Audact-to-agency relationship; agency is responsible for end-caller lawful basis
4.5. Intellectual property
LivePatent portfolio:
- 44 patent-pending families filed at the UK Intellectual Property Office by Audact AI Ltd
- All filings are applications under examination; none are granted yet
Entity structure:
- Audact AI Ltd (UK Companies House no. 17059133): IP-holding entity
- Audact (Ireland) Ltd: operating company
Detailed IP documentation is available to customers and counsel on request.
5. DPIA template
PreviewPre-filled Data Protection Impact Assessment template for agencies to use with end-clients in higher-risk verticals (medical, financial, vulnerable persons).
Available for download in pilot-onboarding now; public version follows counsel sign-off (see banner above).
6. Status page
LiveLive status, uptime metrics, and recent incidents:status.audact.ai(BetterStack-powered)
Subscribe to status updates via RSS, email, or SMS at the link above.
7. Security summary
Live- Encryption:TLS 1.3 in transit, AES-256 at rest, crypto-shredding for retention-expired PII
- ISO 27001:in-progress, ETA Q4 2026
- SOC 2 Type II:planned 2027 (after first 10 paying customers)
- Pen-test schedule:annual external pen-test (next: Q3 2026 with QA Consulting)
- Access control:RBAC, MFA mandatory for all admin access, audit log retained 2 years
- Incident response:72-hour regulatory notification, on-call rotation via PagerDuty
8. Contact
Live- security@audact.ai— security disclosures + responsible disclosure policy
- privacy@audact.ai— data subject requests + GDPR matters
- legal@audact.ai— contract-related questions
Counsel:external counsel — EU AI Act, GDPR Article 28 DPA, patent strategy.
9. EU-native stack roadmap
PlannedWe’re transparent about where we are vs where we’re going. Some current sub-processors are US-incorporated (CLOUD Act exposure) but physically EU-hosted. Our roadmap moves us to fully EU-native (legally + physically) where possible.
| Layer | Current | Target | Timeline |
|---|---|---|---|
| Compute | AWS Frankfurt (legally US, physically EU) | Hetzner Germany (legally + physically EU) | Target migration July 2026 |
| Telephony (SIP) | Telnyx EU PoPs | Same — Telnyx EU is acceptable | Stable |
| STT | Deepgram (US, EU endpoint) | Gladia (Paris, full EU) | Evaluation Q2-Q3 2026 |
| TTS | ElevenLabs Flash (US/EU) | Voxtral (Mistral, Paris) — zero-shot voice cloning | Evaluation Q2-Q3 2026 |
| LLM | OpenAI / Anthropic (US, EU endpoint) | Mistral (Paris) for sensitive use cases | Available now as opt-in |
| MCP (Model Context Protocol) | Not yet implemented | Native Anthropic MCP server (Audact-platform) | Planned Q3 2026 (Phase 1 launch) |
10. Audact Guarantee — scope
Preview“If a regulator finds the base platform non-compliant, we cover the fine.”
This is a narrow guarantee on governed conversations only. It applies to misses by the Audact governance engine — meaning: cases where our engine should have blocked an utterance per the active rules, but didn’t.
What’s covered
- Base-platform non-compliance with EU AI Act Article 50 (when policy engine is enabled per jurisdiction)
- Brand-governance misses (when brand-governance rules are configured and active)
- Per-call evidence-chain integrity failures (cryptographic-receipt validation)
What’s NOT covered
- Customer prompt-engineering errors that bypass policy intent
- End-client misuse of the platform (e.g., agencies turning off compliance rules)
- Compliance areas outside the configured jurisdictions
- FRIA-required deployments where customer didn’t complete FRIA
- Regulatory changes occurring after deployment (we’ll update; obligation to migrate stays with customer)
Full guarantee terms in the reseller-agreement template (available in pilot-onboarding once counsel signs off — see banner above).
When incidents happen —Audact Defense (planned Q3 2026) →
Ready to send this to procurement?
Get the DPA + sub-processor list + Marketing Claim Matrix as a single PDF pack — or schedule a 30-min security review call.