Introduction
This document forms part of the Data Localization & Security Assessment Report (SAR) for our voice agent platform.It provides a clear overview of all third-party vendors engaged in processing, transmitting, or storing customer data, along with official statements on their data retention practices. Our objective is to:
- Identify all relevant third-party providers involved in Text-to-Speech (TTS), Speech-to-Text (STT), Large Language Models (LLM), Telephony, and Cloud Hosting.
- Demonstrate compliance with data localization, security, and privacy regulations through documented evidence of vendor commitments.
- Establish internal controls ensuring zero or minimal retention wherever feasible.
- Vendor Inventory Table – mapping vendors, data types shared, purposes, transfer methods, and compliance measures.
- Data Retention Evidence Appendix – direct quotes and source links from vendor documentation confirming their retention and usage policies.
1. Third-Party Vendor Inventory
The table below lists the categories of third-party service providers we use, along with details on the nature of the data shared and the safeguards in place. This inventory is reviewed annually and updated whenever a new vendor is onboarded or an existing vendor’s scope changes.| Vendor Category | Vendor Name(s) | Data Shared | Purpose of Sharing | Data Transfer Method |
|---|---|---|---|---|
| Text-to-Speech (TTS) | Multiple vendors | Text content (no PII where avoidable) | Convert text responses to natural speech | Encrypted API calls (HTTPS/TLS 1.2+) |
| Speech-to-Text (STT) | Multiple vendors | Audio recordings of user speech (may contain PII) | Convert speech to text for LLM processing | Encrypted API calls |
| Large Language Model (LLM) | Multiple vendors | Transcribed text (minimized PII) | Generate AI-based responses | Encrypted API calls |
| Telephony Provider | Multiple vendors | Caller phone number, call audio | Enable inbound/outbound calls | Secure SIP/TLS & SRTP |
| Cloud Infrastructure / Hosting | AWS Cloud | Audio files, transcripts, application logs, metadata | Secure storage, compute hosting, backup | Encrypted in transit (TLS 1.2+), encrypted at rest (AES-256) |
2. Third-Party Data Retention Evidence Appendix
For each vendor category, we have gathered official statements from vendor documentation regarding their data retention and usage practices. These references allow auditors to independently verify compliance claims.| Vendor | Official Claim | Exact Quote | Source Link | Config/Usage Notes |
|---|---|---|---|---|
| Sarvam (TTS, STT) | Retention is purpose-bound; no ‘no storage’ guarantee. | ”We take reasonable steps to ensure that User data is available only for so long as is necessary for the purpose for which it is processed…” | Link | Avoid PII in text/audio; scrub logs post-processing. |
| Gemini (Google) – LLM | Zero Data Retention achievable by disabling caching in Vertex AI. | ”Data sent to Gemini models may be cached up to 24 hours unless caching is disabled.” | Link | Disable caching; ensure no abuse-logging exceptions. |
| OpenAI – LLM | Zero Data Retention (ZDR) available; default retention up to 30 days for abuse monitoring. | ”May securely retain API inputs and outputs for up to 30 days… You can also request zero data retention (ZDR).” | Link | Enable ZDR for eligible endpoints. |
| Deepgram – STT | Data from opted-out requests is retained only for request processing. | ”Set mip_opt_out=true to ensure data is retained only for the duration necessary to process the request.” | Link | Always set mip_opt_out=true for zero retention. |
| Azure – LLM, STT, TTS | STT and TTS (prebuilt voices) do not store customer data; LLM not used for training. | ”For real-time speech to text, audio input is processed only in server memory, and no data is stored at rest. Neither input text nor output audio content will be stored in Microsoft logs.” | Link | Use real-time STT and prebuilt-voice TTS modes for no storage; choose region for storage compliance. |
| ElevenLabs – TTS | Zero Retention Mode deletes data immediately after request completion. | ”In this Zero Retention Mode, most data in requests and responses are immediately deleted once the request is completed.” | Link | Enable Zero Retention Mode in API requests. |
3. Implementation & Internal Controls
- Data Minimization: We configure each integration to share only the minimum necessary data. Where possible, we strip or anonymize PII before sending it to vendors.
- Encryption: All API calls are encrypted in transit (TLS 1.2+), and sensitive data is encrypted at rest.
- Zero Retention Settings: Vendors that support zero retention (e.g., OpenAI ZDR, Gemini no-caching, ElevenLabs Zero Retention Mode, Deepgram mip_opt_out) are configured accordingly.
- Periodic Review: Vendor policies are reviewed quarterly to ensure ongoing compliance with local regulations and customer contractual obligations.
4. Conclusion
This appendix demonstrates that:- All third-party vendors with access to customer data have been identified.
- We have gathered and documented evidence of their retention policies.
- Where possible, we actively configure services for zero or minimal data retention.