Security & Trust

1. GDPR & UK Data Protection

Voicecake is operated from the United Kingdom and complies with the UK General Data Protection Regulation (UK-GDPR) and the Data Protection Act 2018. For customers in the EU/EEA we also honour the EU GDPR.

• We act as a data processor for customer calls, contacts and recordings.
• Customers remain the data controller and retain ownership of their data.
• We provide a Data Processing Agreement (DPA) on request — see contact below.
• We are registered with the UK Information Commissioner's Office (ICO).

2. Data Residency

Our primary application and database infrastructure runs on Microsoft Azure in UK regions (UK South / UK West). Customer account data, agent configurations, call logs and transcripts are stored in the UK by default.

A small number of sub-processors (listed below) operate from other regions — for example, some AI model providers are US-based. Where that applies we rely on the UK ICO's approved transfer mechanisms (UK IDTA / EU Standard Contractual Clauses).

3. Encryption

• In transit: all traffic between your browser, our API, the widget and our sub-processors is encrypted with TLS 1.2 or higher (TLS 1.3 where supported).
• At rest: databases, object storage and recordings are encrypted using AES-256. Azure manages the encryption keys by default.
• Secrets: API keys and credentials are stored in a managed secret store; they are never committed to source control and are rotated on personnel change.

4. Sub-processors

Voicecake uses a small number of specialist providers to deliver the service. Each has been chosen on the basis of their own security posture and is bound by a DPA with us.

We'll give reasonable advance notice of material changes to this list so customers can object where their DPA provides for that.

5. Call Recording & Consent

Call recording is off by default and is only enabled at the customer's discretion, per agent. When recording is enabled:

• The customer is responsible for ensuring their own callers are informed, where required by local law.
• Recordings are stored encrypted at rest and accessible only via an authenticated session.
• Recordings can be deleted on request or on account closure.
• We do not use customer recordings to train third-party AI models.

In the UK, call recording is lawful under UK-GDPR where a lawful basis exists and callers are informed. Customers should review the ICO's guidance for their sector before enabling recording.

6. Access Control & Operational Security

• Staff access to production systems is limited to the engineers who need it and is protected by MFA.
• API access uses short-lived JWTs with a refresh flow; tokens can be revoked.
• Backups are encrypted and retained on a rolling schedule.
• Dependencies are monitored for known vulnerabilities and patched on a rolling basis.
• We use Sentry for error monitoring — personally identifying fields are scrubbed before reporting.

7. DPA & Compliance Contact

We're happy to provide our Data Processing Agreement, sub-processor list, or answer security questionnaires on request. The fastest route is email:

hello@voicecake.io

For general privacy questions see our Privacy Policy. For service terms see our Terms & Conditions. For anything else, contact us.

8. Reporting a Vulnerability

If you believe you've found a security issue in Voicecake, please email hello@voicecake.io with reproduction steps. We aim to acknowledge reports within two UK working days and will keep you updated as we investigate. Please don't publicly disclose the issue before we've had a chance to respond.