Security & compliance

European data. Encrypted at every hop. Traced turn by turn.

Siverti was built from day one for customers who cannot afford to guess. We operate entirely in EU datacenters, encrypt at rest and in transit, and keep an audit trail of every decision the agent makes.

99.97%

operational SLA last 12 months

redundant EU datacenters — Frankfurt · Dublin · Paris

AES-256

at rest, TLS 1.3 in transit

reportable security incidents to date

Data residency

Your calls never leave the European Union. .

Every step of the pipeline — STT, intent, synthesis, transcript storage — runs on physical infrastructure inside the EU. Our subprocessors sign GDPR-compliant agreements and we publish the full list with 30 days' notice before any change.

GERMANY
Frankfurt
Primary region · STT + LLM
IRELAND
Dublin
Transcript replica + search
FRANCE
Paris
Hot-synced failover

Defense layers

Five controls we don't negotiate. .

Encryption at every layer

AES-256 at rest, TLS 1.3 in transit, keys rotated every 90 days with a dedicated KMS per enterprise tenant.

Least-privilege access

Federated roles with SSO/SAML, mandatory MFA, expirable sessions, full audit log of every access to transcripts.

Tenant isolation

Each account has its own logical storage and its own keys. We never train models on your data.

Per-decision audit

Every agent turn is logged with intent, tool calls and outcome. Exportable as signed JSON or CSV.

Deletion on demand

Irrevocable deletion within 24 h with cryptographic confirmation. We honor every GDPR right.

Operational continuity

RTO 15 min · RPO 5 min. Automated failover across EU regions. Documented quarterly recovery drills.

Certifications

What we have and what's coming.

GDPR

Active

Verified by EU counsel 2025

ISO/IEC 27001

In progress

External audit Q3 2026

SOC 2 Type II

In progress

Observation period open

ENS Alto (ES)

Planned

Public sector Q4 2026

HIPAA BAA

Planned

On request for healthtech

PCI DSS SAQ-A

Active

Payments via Stripe Connect

Subprocessors

Who touches your data. Full list, no asterisks.

List last updated 22 May 2026

Vendor	Purpose	Region	DPA
AWS	Compute + storage	eu-central-1, eu-west-1	✓
Cloudflare	Edge + WAF	EU PoPs	✓
OpenAI (Enterprise EU)	Reasoning LLM	Ireland	✓
ElevenLabs	Voice synthesis	Ireland	✓
Deepgram	Speech-to-text	Frankfurt	✓
Twilio	SIP + telephony	Ireland	✓
Stripe	Payments	Ireland	✓
PostgreSQL (RDS)	Primary database	Frankfurt	—

AWS
DPA ✓
Compute + storage
eu-central-1, eu-west-1
Cloudflare
DPA ✓
Edge + WAF
EU PoPs
OpenAI (Enterprise EU)
DPA ✓
Reasoning LLM
Ireland
ElevenLabs
DPA ✓
Voice synthesis
Ireland
Deepgram
DPA ✓
Speech-to-text
Frankfurt
Twilio
DPA ✓
SIP + telephony
Ireland
Stripe
DPA ✓
Payments
Ireland
PostgreSQL (RDS)
DPA —
Primary database
Frankfurt

If your compliance team needs to review all of this in depth.

We deliver the CAIQ questionnaire, signed DPA, pentest reports and continuity plan in under 48 hours. No middlemen.

Talk to security Download summary

CARGANDO · LOADING

Vendor

Purpose

Region

DPA

AWS

Compute + storage

eu-central-1, eu-west-1

✓

Cloudflare

Edge + WAF

EU PoPs

✓

OpenAI (Enterprise EU)

Reasoning LLM

Ireland

✓

ElevenLabs

Voice synthesis

Ireland

✓

Deepgram

Speech-to-text

Frankfurt

✓

Twilio

SIP + telephony

Ireland

✓

Stripe

Payments

Ireland

✓

PostgreSQL (RDS)

Primary database

Frankfurt

—