Trust Center
Last updated: May 13, 2026
We know an AI receptionist hears a lot — names, phone numbers, addresses, and the kind of personal context customers share when they need help. This page is the short-form answer to “what does 1stRing AI do with all of that?” For the long-form, contractual answer, see our Privacy Policy and Terms of Service.
Our data-handling commitments
- We do not sell or rent personal data. Not to advertisers, not to data brokers, not to any third party for their own marketing.
- We do not train general-purpose AI models on your conversations. Conversations are sent to our model vendors (Anthropic, OpenAI) only to generate the response on that specific turn. We have enterprise-style agreements that prohibit using your data for vendor model training.
- You own your data. Transcripts, recordings, prospect lists, and knowledge-base entries that you upload or that we collect on your behalf remain yours. You can export or delete at any time.
- Encryption is on by default. TLS 1.2+ in transit, AES-256 at rest (via Supabase). Application secrets stored in a managed secret store with rotation.
- Access is least-privilege. Production database access is gated by role, audit-logged, and limited to a small named operator group. Customer-support staff cannot read transcripts without a documented support reason.
- Breach notification within 72 hours. If we discover a personal-data breach, affected business clients hear from us promptly with what we know and what we're doing about it.
Encryption
- In transit: TLS 1.2+ enforced on every public endpoint. HSTS preload, no insecure downgrades.
- At rest: AES-256 via Supabase managed Postgres + storage.
- Secrets: stored in Vercel environment variables (encrypted) and rotated on a defined cadence. Stripe restricted keys for finance scripts. No long-lived service-account keys in source control.
- Webhooks: outbound webhooks are signed with HMAC-SHA256. Customers verify the X-Signature-256 header against a per-tenant shared secret before trusting the payload.
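
A receiver-side sketch of the webhook check described above. This is an added example, not 1stRing AI's own code. It assumes the header carries a hex HMAC-SHA256 of the raw request body, optionally prefixed with `sha256=`; the tenant IDs, secrets, and function names are hypothetical.

```python
import hashlib
import hmac

# Hypothetical per-tenant secret store (constructed values). A list lets the
# previous secret stay valid for a short window while a rotation rolls out.
TENANT_SECRETS = {
    "tenant-a": [b"constructed-current-secret", b"constructed-previous-secret"],
    "tenant-b": [b"constructed-other-secret"],
}


def sign(secret: bytes, raw_body: bytes) -> bytes:
    """HMAC-SHA256 over the exact bytes received, before any JSON parsing."""
    return hmac.new(secret, raw_body, hashlib.sha256).digest()


def verify_webhook(tenant_id: str, raw_body: bytes, header_value) -> bool:
    """Return True only if X-Signature-256 matches a secret of this tenant."""
    secrets = TENANT_SECRETS.get(tenant_id)
    if not secrets or not header_value:
        return False  # unknown tenant or missing header: reject
    # Assumption: the value is hex, optionally prefixed with "sha256=".
    value = header_value.strip().lower()
    if value.startswith("sha256="):
        value = value[len("sha256="):]
    try:
        received = bytes.fromhex(value)
    except ValueError:
        return False  # not valid hex
    if len(received) != hashlib.sha256().digest_size:
        return False  # truncated or padded signature
    ok = False
    for secret in secrets:
        # compare_digest is constant-time; every candidate is checked.
        ok |= hmac.compare_digest(sign(secret, raw_body), received)
    return ok
```

Verify against the raw body bytes as delivered; re-serializing parsed JSON can change whitespace or key order and break the comparison.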
Retention defaults
- Chat transcripts: 730 days
- Voice call transcripts: 730 days
- Voice call audio: 365 days
- Lead / prospect contact data: 5 years
- Billing & invoicing records: 7 years (tax / IRS obligation)
- Auth / access logs: 365 days
Customers may request earlier deletion via privacy@1string.ai. See the Privacy Policy retention table for the full schedule and exceptions.
Customer rights
Depending on jurisdiction, you have rights to access, correct, delete, port, restrict, and object to processing of personal data we hold about you. We honor CCPA / CPRA opt-out requests (including Global Privacy Control signals) and GDPR data-subject requests within the timelines required by law.
To submit a request: privacy@1string.ai. Authorized agents may submit on your behalf with signed written authorization.
Sub-processor compliance posture
We rely on these sub-processors to deliver the service. Each link below points to the vendor's public security / trust documentation, where you can review certifications (SOC 2, ISO 27001, PCI DSS, HIPAA-eligibility) directly.
| Vendor | Purpose | Compliance posture |
|---|---|---|
| Anthropic | Claude AI model inference for chat and voice conversations. | Anthropic Trust Center |
| OpenAI | Secondary model inference and embeddings for KB retrieval. | OpenAI Trust Portal |
| Vapi | Voice telephony orchestration (STT + TTS + LLM glue). | Vapi security overview |
| Twilio | Phone-number provisioning, SMS delivery, carrier lookup. | Twilio compliance |
| Supabase | PostgreSQL database, storage, and auth. | Supabase security & compliance |
| Vercel | Application hosting, edge compute, analytics. | Vercel SOC 2 + compliance |
| Stripe | Payment processing (SOC 2, PCI DSS Level 1). | Stripe security |
| Resend | Transactional email delivery. | Resend security |
| Inngest | Background workflow orchestration. | Inngest security |
| Smartlead | Outbound email warm-up and deliverability. | Smartlead security |
| DocuSign | Electronic signature for service agreements. | DocuSign Trust Center |
| Clerk | Identity, authentication, team membership. | Clerk security |
Sub-processor links are provided for informational convenience. 1stRing AI does not control these third-party pages; vendor security documentation is owned and maintained by the respective vendors.
Enterprise + regulated-industry add-ons
For customers in regulated industries (healthcare, legal, financial services), we offer additional contractual protections on request:
- Data Processing Addendum (DPA). GDPR-aligned DPA with EU Standard Contractual Clauses for any data transfers.
- Business Associate Agreement (BAA). HIPAA-style BAA available for healthcare clients once we have BAAs in hand with our voice + database sub-processors. Contact us before signing patients up.
- Custom retention windows. Shorter retention available for clients with regulatory requirements; longer retention requires a documented business need.
- Extended audit log access. Per-tenant audit log export on request.
To request any of the above, email security@1string.ai.
Security contact & vulnerability disclosure
If you discover a security vulnerability or have a question about how we handle data, please reach out to:
We acknowledge reports within 2 business days, investigate, and respond with a remediation plan. Good-faith researchers acting under standard responsible-disclosure norms (no destructive testing, no privacy violations, no extortion) will not be pursued under CFAA / DMCA. We do not currently offer a paid bounty, but we credit reporters who request it.