Your data stays yours.

No SOC 2 marketing theater. Just what we actually do, what our vendors do, and what we don't touch. Honest answers to the security concerns most AI consultancies dodge.

· 5 vendors, all SOC 2 Type 2 certified
· Zero of your data used to train AI models
· Encrypted in transit + at rest across the stack
· Kill switch on every voice agent and workflow

01 / The promises

Four things we commit to.

Not aspirational. Not "we plan to." These are what we do today, backed by contracts with the underlying vendors and built into how we ship every project.

Your data is never used to train AI.

Our LLM vendors (Anthropic, OpenAI) contractually don't train on API data. Your call transcripts, customer info, and conversation history stay in your isolated account — never feeding someone else's model.

Every voice agent discloses it's AI.

If a customer asks "Is this a real person?", Vidd says it's AI. Always. Built into the agent prompt as a one-strike rule. Faking humanity isn't an option we offer.

Encrypted in transit and at rest.

Every byte of data — call recordings, transcripts, customer info, integration tokens — encrypted with TLS in flight and AES-256 at rest. Standard across all five vendors in our stack.

Kill switch on every workflow.

One click pauses your voice agent, your automations, anything we've built. You're never locked out of your own stack. Audit logs show exactly what AI did, when, and what data it touched.

02 / Who handles your data

The full vendor stack.

No hidden middlemen. Five enterprise vendors — all independently SOC 2 Type 2 certified — handle the actual infrastructure. You can audit their security pages directly.

Retell AI
Voice agent platform · powers Vidd's actual calling and conversation logic. Security page →
SOC 2 Type 2 · No audio training

Twilio
Telephony backbone · phone numbers, call routing, SMS. Powers every voice agent worldwide. Security page →
SOC 2 Type 2 · ISO 27001

Anthropic
Claude API · the LLM that powers conversation, qualification, and reasoning. Trust center →
SOC 2 Type 2 · No training on API data

Make.com
Automation orchestration · connects your existing tools and runs the multi-step workflows. Trust center →
SOC 2 Type 2 · EU + US regions

Supabase
Database · stores any custom application data (Operating Manual, dashboards, etc). Postgres with row-level security. Security page →
SOC 2 Type 2 · Row-level security

03 / Honest answers

The questions everyone asks.

Real concerns from real conversations. No corporate dance — straight answers about what AI can and can't do with your data.

Will my customer data train someone else's AI model?
No. Our LLM vendors — Anthropic (Claude) and OpenAI — contractually don't train on API data. That's enforced at the API tier we use, not a marketing promise. Your call transcripts, customer interactions, and any text processed through our voice agents or automations stay in your isolated account.

If you've ever pasted business info into the free version of ChatGPT, you know that's different — consumer products can use your data for training. API-tier access (what we use) is contractually exempt.
Can the AI steal credit card numbers and go on a shopping spree?
No. Vidd never asks for, captures, or stores credit card numbers. When a customer wants to pay during a call, Vidd transfers them to your existing payment system — Stripe, Square, your booking platform's checkout, whatever you already use. The voice agent literally doesn't have payment capture built in. Credit cards stay in your PCI-compliant payment processor. We're out of PCI scope by design.
What if the AI hallucinates and tells my customer something wrong?
Vidd has hard guardrails against making things up:

· It can only quote prices from your pricing structure (we connect it to your data)
· It can only book against live availability in your booking system
· If it doesn't know something, the agent prompt forces it to say "I don't have that information, let me have someone call you back" — not guess

We extensively test these guardrails before launch and review the first month of calls with you. If Vidd ever oversteps, the kill switch pauses the agent immediately while we tune.
What if ViddAI gets hacked? Does my data go with you?
No. We don't store your data centrally — that's deliberate architecture. Each client's workflows run in isolated accounts on the enterprise vendors above (Retell, Twilio, Make, Supabase). Those vendors have their own SOC 2 audited security with millions of dollars of security investment.

A breach of "ViddAI the company" wouldn't expose your customer data, because we don't hold it — we orchestrate it. Your data lives in audited enterprise vendors, not on a server at David's house.
Is recording calls legal? What about two-party consent states?
Yes. Massachusetts (where we're based) and 10+ other states require all-party consent to record. Vidd handles this automatically: every voice agent discloses at the start of the call that the conversation is being recorded.

Customers consent by continuing the conversation. If they object, Vidd offers to take a message or transfer them to a human. The disclosure is built into the agent prompt as a default — not optional. Compliant with two-party consent laws out of the box.
What if ViddAI shuts down? Do I lose everything I paid you to build?
No. You own: the agent configuration, your call recordings, your transcripts, your customer data, and the documentation of every workflow we built. Standard contract includes a 30-day export window if either party walks away.

And here's the structural good news: the underlying vendors (Retell, Twilio, Make, Anthropic, Supabase) operate independently of us. If ViddAI disappears tomorrow, those accounts continue. You can transfer admin access to another consultant or your in-house team and keep running.
Will someone clone my voice agent to scam my customers?
Voice cloning fraud is real, but it's a risk that exists whether or not you use a voice agent. ViddAI's defenses:

· The voice we ship is a stock TTS voice (ElevenLabs library), not a clone of you. Anyone could replicate that voice on their own, so there's no special access for a fraudster to exploit.
· Vidd identifies the business at the start of every call ("Hi, this is Vidd from [your business]"). Customers learn to expect that intro — anyone calling without it is a red flag.
· Vidd never asks for sensitive info (SSN, credit card, password). If a "Vidd-sounding voice" is asking for those things, your customer knows it's not actually you.
04 / Honest list

Things we won't do — ever.

Boundaries we don't cross, no matter what a client asks. The lines are the lines.

  • Sell your data. To anyone. Ever.

    Your customer list, call recordings, transcripts, business info — all of it stays with you. We don't have a "data partner" we share anonymized info with. No exceptions, no "but the AI training is for everyone" carveout.

  • Use your recordings for our marketing.

    No "here's a real client call!" testimonials without explicit written permission, and no extracted audio in case studies. What happens on your calls stays on your calls.

  • Pretend to be human when asked directly.

    If a customer asks Vidd "Is this a real person?", the answer is that it's AI. Always. One-strike rule. Faking humanity is the fastest way to destroy customer trust, and we won't take that risk with your business.

  • Build something that doesn't have a kill switch.

    Every workflow we ship — voice agent, automation, dashboard — has a one-click pause. You're the operator. If anything ever feels off, you turn it off. We fix what's broken before turning it back on.

05 / Compliance posture

What we support today.

Specific compliance frameworks where we're already aligned. If you need something not listed, ask — we'll tell you honestly if we can support it.

Recording compliance

MA two-party consent.

Massachusetts (and 10+ other all-party states) requires both sides to consent to call recording. Vidd discloses recording at the start of every call — built into the agent prompt as a default. Compliant out of the box.

Payments

PCI out of scope.

We don't process, store, or transmit payment card data — ever. Voice agents don't capture credit cards. When customers want to pay, they're transferred to your existing PCI-compliant payment processor. You stay in scope, we stay out.

Data rights

Right to deletion.

You can request deletion of any customer data, call recording, or transcript at any time. 30-day fulfillment standard. Aligned with GDPR / CCPA data subject request workflows even when not strictly required.

Have a security concern we didn't cover?

Email David directly. Real answer back, no marketing fluff. If we can't do what you need, we'll tell you that too.