Security at abridai
Last updated: July 13, 2026
Businesses trust abridai with their customers' names, numbers, voices, and faces. That trust is the product — here is how we protect it.
Infrastructure & encryption
- Encryption in transit: all traffic uses TLS 1.2+ (HTTPS everywhere, including media upload).
- Encryption at rest: databases, files, and recordings are stored on Google Cloud / Firebase infrastructure with AES-256 encryption at rest.
- Tenant isolation: every business gets its own workspace — agencies never see one client's customers from another's, enforced by per-workspace access rules.
Access control
- Dashboard access requires authentication (email/password or Google SSO); consumer links are unguessable, single-purpose URLs.
- Least-privilege access internally: production data access is restricted, logged, and used only for support and incident response.
- Secrets and API keys are stored server-side only and never shipped to the browser.
AI-specific safeguards
- Voice conversations are processed in real time to run the call and produce a transcript — voice audio is never used to train models or clone voices.
- The agent always identifies itself as a virtual assistant, discloses recording at the start of the call, and calls only within permitted hours.
- Video testimonials are recorded only after the consumer explicitly grants camera/microphone permission, with a visible recording indicator.
Data lifecycle
- Consumer contact data is deleted when its campaign ends or on request; verified deletion requests are honored within 30 days.
- Opt-outs (reply STOP, unsubscribe) are applied immediately and kept on a suppression list so the contact is never messaged again for that business.
- Customers can export or delete their workspace data at any time.
Subprocessors
We use a short list of vetted providers, each bound by contract to process data only for us: Google Cloud / Firebase (hosting, database, storage), Vercel (web hosting), ElevenLabs (real-time voice AI), telephony/SMS and email delivery providers, and the social platforms a business explicitly connects for publishing (e.g. Meta). Customers are notified before we add a new subprocessor.
Incident response & disclosure
- We monitor for anomalies and maintain an incident-response process; affected customers are notified without undue delay, consistent with US state breach-notification laws.
- Found a vulnerability? We welcome responsible disclosure at security@abridai.com — we respond fast and won't pursue good-faith researchers.
Compliance posture
We operate as a service provider / processor under US state privacy laws (CCPA/CPRA and equivalents), offer a DPA to every customer, and design outreach for TCPA/CAN-SPAM compliance (consent-first, recorded-call disclosure, opt-out on every message, quiet hours). A SOC 2 Type II audit is on our roadmap as the platform exits pilot.
Questions about this document? Contact us at privacy@abridai.com.