GDPR Compliance
Learn how Vapi ensures GDPR compliance for its voice assistant platform.
At Vapi, safeguarding your personal data is our top priority. In full alignment with the General Data Protection Regulation (GDPR), we maintain robust standards for data protection and privacy. This document provides an overview of our data processing practices, legal bases, data subject rights, and the security measures we employ—all designed to ensure that your data is managed with the utmost care.
Data Processing & Legal Bases
Our operations involve the secure processing of various types of personal data to enhance and deliver the Vapi service. We process information such as email addresses, names, phone numbers, physical addresses, usage statistics, and location data. The legal grounds underpinning this processing are:
- Consent: Users voluntarily provide consent for non-essential data processing (e.g., location-based services and marketing communications). This consent can be withdrawn at any time.
- Contractual Necessity: We process the data essential for fulfilling the services offered through Vapi, as detailed in our terms of service.
- Legitimate Interests: Data is processed to improve service functionality, enhance security, and analyze usage patterns, provided that our legitimate interests do not override your rights.
Data Subject Rights
Vapi ensures that every user benefits from the robust rights granted by the GDPR. These rights include:
- Right to Access: You can request and obtain a copy of your personal data.
- Right to Rectification: If your data is inaccurate or incomplete, you can request corrections.
- Right to Erasure (Right to be Forgotten): Under certain conditions, you can ask for your personal data to be deleted.
- Right to Restrict Processing: You have the option to limit how your data is processed.
- Right to Data Portability: You can obtain and transfer your data in a structured, commonly used format.
- Right to Withdraw Consent: If your data processing is based on consent, you can withdraw it at any time.
Data Security Measures
We deploy a range of technical and organizational safeguards to protect your personal data from unauthorized access, alteration, disclosure, and destruction, including:
- Encryption: Data is encrypted in transit and at rest.
- Secure Server Configurations: Our infrastructure is optimized for enhanced security.
- Access Controls: Strict controls ensure that only authorized personnel access sensitive data.
- Regular Assessments: Security audits and penetration tests are routinely performed to identify and address vulnerabilities.
Third-Party Data Processors
To provide a best-in-class experience, Vapi partners with several reputable third-party providers, all of which comply with our GDPR standards. These include:
- Analytics Tools:
  - Google Analytics
  - Cloudflare Analytics
  - Segment.io
  - Mixpanel (with opt-out options)
  - PostHog
- CI/CD and Development Platforms:
  - GitHub
- Payment Processors:
  - Stripe
Each of these providers is carefully selected and operates under strict data protection agreements to ensure that your data remains secure.
Transborder Data Transfers
In cases where personal data is transferred outside the European Union (primarily to the United States), we ensure that all transfers are governed by legally approved safeguards such as standard contractual clauses. These measures guarantee that your data receives the same level of protection, regardless of where it is processed.
Compliance Testing & Continuous Improvement
To reinforce our GDPR compliance, we conduct routine testing and audits including:
- Penetration Testing: Confirming there are no critical vulnerabilities.
- Compliance Audits: Verifying that our data processing practices adhere to GDPR standards.
- Role-Based Access Control Tests: Ensuring that access to personal data is strictly limited to authorized personnel.
- Data Breach Simulations: Evaluating the efficiency of our incident response plans.
- User Consent Management Tests: Checking the ease and accuracy of obtaining or withdrawing user consent.
- Data Recovery and Deletion Tests: Ensuring our backup systems and deletion protocols function as required.
These measures ensure that our data protection systems remain robust, up-to-date, and fully compliant with the ever-evolving data protection landscape.
Conclusion
Vapi’s dedication to safeguarding your personal data is unwavering. Our comprehensive compliance framework not only meets but exceeds the minimum requirements of the GDPR, ensuring that your privacy and data security are always at the forefront of our operations.
For further details, please contact our Data Protection Officer or review our detailed GDPR Report.