Introduction

This document forms part of the Data Localization & Security Assessment Report (SAR) for our voice agent platform.
It provides a clear overview of all third-party vendors engaged in processing, transmitting, or storing customer data, along with official statements on their data retention practices. Our objective is to:
  1. Identify all relevant third-party providers involved in Text-to-Speech (TTS), Speech-to-Text (STT), Large Language Models (LLM), Telephony, and Cloud Hosting.
  2. Demonstrate compliance with data localization, security, and privacy regulations through documented evidence of vendor commitments.
  3. Establish internal controls ensuring zero or minimal retention wherever feasible.
This appendix supports our claims with:
  • Vendor Inventory Table – mapping vendors, data types shared, purposes, transfer methods, and compliance measures.
  • Data Retention Evidence Appendix – direct quotes and source links from vendor documentation confirming their retention and usage policies.

1. Third-Party Vendor Inventory

The table below lists the categories of third-party service providers we use, along with details on the nature of the data shared and the safeguards in place. This inventory is reviewed annually and updated whenever a new vendor is onboarded or an existing vendor’s scope changes.
Vendor CategoryVendor Name(s)Data SharedPurpose of SharingData Transfer Method
Text-to-Speech (TTS)Multiple vendorsText content (no PII where avoidable)Convert text responses to natural speechEncrypted API calls (HTTPS/TLS 1.2+)
Speech-to-Text (STT)Multiple vendorsAudio recordings of user speech (may contain PII)Convert speech to text for LLM processingEncrypted API calls
Large Language Model (LLM)Multiple vendorsTranscribed text (minimized PII)Generate AI-based responsesEncrypted API calls
Telephony ProviderMultiple vendorsCaller phone number, call audioEnable inbound/outbound callsSecure SIP/TLS & SRTP
Cloud Infrastructure / HostingAWS CloudAudio files, transcripts, application logs, metadataSecure storage, compute hosting, backupEncrypted in transit (TLS 1.2+), encrypted at rest (AES-256)

2. Third-Party Data Retention Evidence Appendix

For each vendor category, we have gathered official statements from vendor documentation regarding their data retention and usage practices. These references allow auditors to independently verify compliance claims.
VendorOfficial ClaimExact QuoteSource LinkConfig/Usage Notes
Sarvam (TTS, STT)Retention is purpose-bound; no ‘no storage’ guarantee.”We take reasonable steps to ensure that User data is available only for so long as is necessary for the purpose for which it is processed…”LinkAvoid PII in text/audio; scrub logs post-processing.
Gemini (Google) – LLMZero Data Retention achievable by disabling caching in Vertex AI.”Data sent to Gemini models may be cached up to 24 hours unless caching is disabled.”LinkDisable caching; ensure no abuse-logging exceptions.
OpenAI – LLMZero Data Retention (ZDR) available; default retention up to 30 days for abuse monitoring.”May securely retain API inputs and outputs for up to 30 days… You can also request zero data retention (ZDR).”LinkEnable ZDR for eligible endpoints.
Deepgram – STTData from opted-out requests is retained only for request processing.”Set mip_opt_out=true to ensure data is retained only for the duration necessary to process the request.”LinkAlways set mip_opt_out=true for zero retention.
Azure – LLM, STT, TTSSTT and TTS (prebuilt voices) do not store customer data; LLM not used for training.”For real-time speech to text, audio input is processed only in server memory, and no data is stored at rest. Neither input text nor output audio content will be stored in Microsoft logs.”LinkUse real-time STT and prebuilt-voice TTS modes for no storage; choose region for storage compliance.
ElevenLabs – TTSZero Retention Mode deletes data immediately after request completion.”In this Zero Retention Mode, most data in requests and responses are immediately deleted once the request is completed.”LinkEnable Zero Retention Mode in API requests.

3. Implementation & Internal Controls

  • Data Minimization: We configure each integration to share only the minimum necessary data. Where possible, we strip or anonymize PII before sending it to vendors.
  • Encryption: All API calls are encrypted in transit (TLS 1.2+), and sensitive data is encrypted at rest.
  • Zero Retention Settings: Vendors that support zero retention (e.g., OpenAI ZDR, Gemini no-caching, ElevenLabs Zero Retention Mode, Deepgram mip_opt_out) are configured accordingly.
  • Periodic Review: Vendor policies are reviewed quarterly to ensure ongoing compliance with local regulations and customer contractual obligations.

4. Conclusion

This appendix demonstrates that:
  • All third-party vendors with access to customer data have been identified.
  • We have gathered and documented evidence of their retention policies.
  • Where possible, we actively configure services for zero or minimal data retention.
This approach provides transparency, satisfies regulatory requirements, and ensures our voice agent platform adheres to best practices for data localization and security.

Questions and Concerns

If you have questions about our data sharing practices or wish to exercise your data rights, please contact our Data Protection Officer at contact@revrag.ai.