Security at abridai

Last updated: July 13, 2026

Businesses trust abridai with their customers' names, numbers, voices, and faces. That trust is the product — here is how we protect it.

Infrastructure & encryption

  • Encryption in transit: all traffic uses TLS 1.2+ (HTTPS everywhere, including media upload).
  • Encryption at rest: databases, files, and recordings are stored on Google Cloud / Firebase infrastructure with AES-256 encryption at rest.
  • Tenant isolation: every business gets its own workspace — agencies never see one client's customers from another's, enforced by per-workspace access rules.

Access control

  • Dashboard access requires authentication (email/password or Google SSO); consumer links are unguessable, single-purpose URLs.
  • Least-privilege access internally: production data access is restricted, logged, and used only for support and incident response.
  • Secrets and API keys are stored server-side only and never shipped to the browser.

AI-specific safeguards

  • Voice conversations are processed in real time to run the call and produce a transcript — voice audio is never used to train models or clone voices.
  • The agent always identifies itself as a virtual assistant, discloses recording at the start of the call, and calls only within permitted hours.
  • Video testimonials are recorded only after the consumer explicitly grants camera/microphone permission, with a visible recording indicator.

Data lifecycle

  • Consumer contact data is deleted when its campaign ends or on request; verified deletion requests are honored within 30 days.
  • Opt-outs (reply STOP, unsubscribe) are applied immediately and kept on a suppression list so the contact is never messaged again for that business.
  • Customers can export or delete their workspace data at any time.

Subprocessors

We use a short list of vetted providers, each bound by contract to process data only for us: Google Cloud / Firebase (hosting, database, storage), Vercel (web hosting), ElevenLabs (real-time voice AI), telephony/SMS and email delivery providers, and the social platforms a business explicitly connects for publishing (e.g. Meta). Customers are notified before we add a new subprocessor.

Incident response & disclosure

  • We monitor for anomalies and maintain an incident-response process; affected customers are notified without undue delay, consistent with US state breach-notification laws.
  • Found a vulnerability? We welcome responsible disclosure at security@abridai.com — we respond fast and won't pursue good-faith researchers.

Compliance posture

We operate as a service provider / processor under US state privacy laws (CCPA/CPRA and equivalents), offer a DPA to every customer, and design outreach for TCPA/CAN-SPAM compliance (consent-first, recorded-call disclosure, opt-out on every message, quiet hours). A SOC 2 Type II audit is on our roadmap as the platform exits pilot.

Questions about this document? Contact us at privacy@abridai.com.