Trust architecture

Built for the conversations
that can't leak.

Vought processes audio ephemerally by default. Nothing is stored unless you turn it on. Our security model is built for revenue teams, healthcare operators, and legal reviewers who treat every conversation as privileged.

0
seconds of audio retained by default
3
data residency regions
5
named sub-processors
412ms
median whisper latency
A note from the founder

Our position on your data.

Vought is a real-time system. It listens to your live audio for the length of a conversation and forgets it as soon as that conversation ends. This is not a feature flag. It is the default.

Audio leaves the operator's device, transits a TLS 1.3 tunnel to ElevenLabs for transcription, and arrives at our Echo Engine already as text. The Echo Engine holds the live session in memory for the duration of the call and discards it at session close. We never write raw audio to disk. We never train models on customer conversations. We never share, sell, or surface a recording outside the account that produced it.

If you opt in to call recordings or transcripts — for coaching, compliance, or analytics — we store only what you asked us to store, in the region you asked us to store it, and we delete it on the schedule you set. You can turn it off in one click. We will not warn you, persuade you, or ask why.

This is the only model that makes a whisper system honest.

Adithya Rao
Co-founder & CEO, Vought Inc.
Certifications & compliance

Honest status, not theatre.

Where Vought is certified, we say so. Where we are in progress, we say so. No badge appears on this page that we have not earned or are not actively earning.

Certification
SOC 2 Type II
In progress

Type I report under Drata. Type II observation window opened Q1 2026, independent audit by Prescient Assurance.

Target attestation · Q3 2026
Compliance
HIPAA
Aligned

BAA available on request for healthcare-grade conversations. Ephemeral processing mode required for PHI workloads.

BAA on Receptionist Enterprise
Privacy
GDPR
Live

EU data residency available. Article 28 DPA, sub-processor disclosure, and 30-day deletion SLA. Standard Contractual Clauses on file.

DPA · vought.com/legal/dpa
Certification
ISO 27001
In progress

Statement of Applicability drafted. Internal audit completed Q4 2025. Stage 1 certification body engagement scheduled Q2 2026.

Target certification · Q4 2026
Where your data lives

Five legs. One ephemeral loop.

Each hop is annotated with what is held, where it is held, and for how long. The default end-to-end retention is the duration of the call.

Operator device
ElevenLabs STT
Echo Engine
LLM provider
ElevenLabs TTS
Operator device
· In memory only
Audio buffer held in the browser tab. Nothing written to disk. Cleared on tab close.
ElevenLabs STT
· Transit only
TLS 1.3 tunnel. ElevenLabs processes audio, returns text. Zero-retention agreement in place.
Echo Engine
· Session memory
Live transcript held in Redis for the call. Cleared at session close — typically within 90 seconds.
LLM provider
· Inference only
OpenAI and Anthropic on zero-retention enterprise tier. No training, no logging beyond 30 days for abuse review.
ElevenLabs TTS
· Transit only
Cloned-voice audio synthesized and streamed back to the operator. Not stored at ElevenLabs or Vought.
Default

End-to-end retention for an unmodified Vought session is · 0s after the call ends. Recording is an explicit, per-workspace opt-in.

Sub-processors

Five vendors. Each named.

We do not use sub-processors we cannot name on a public page. This list is the contractual list. Updates are announced thirty days before they take effect.

Vendor
Purpose
Data type
Region
ElevenLabs
Speech-to-text and text-to-speech (cloned voice)
Live audio (transit only) · voice embeddings
US · EU
OpenAI
LLM inference (gpt-4o-mini, default)
Transcript text · system prompt
US
Anthropic
LLM inference (Claude Haiku, alternate)
Transcript text · system prompt
US
Amazon Web Services
Compute, storage, networking for Echo Engine
Account data · opt-in transcripts · logs
US · EU · IN
Cloudflare
Edge networking, DDoS, WAF, TLS termination
Request metadata · IP · headers
Global

Last updated 2026-05-26 · Subscribe to changes at trust@vought.com

Data residency

Three regions.
Pinned at the workspace.

Residency is chosen at workspace creation and is immutable for the life of the workspace. Migration between regions is a manual, audited process — we will not move your data on our own initiative.

USUnited States
Underlying infra
AWS us-east-1 · us-west-2

Default region for new accounts. All Echo Engine compute, Redis live state, and opt-in transcript storage stays within the continental United States. Backups replicate to us-west-2 for disaster recovery.

EUEuropean Union
Underlying infra
AWS eu-central-1 · Frankfurt

Full data residency within the EU for GDPR-aligned customers. ElevenLabs requests route to the European inference endpoint. Sub-processor disclosure and Standard Contractual Clauses cover any incidental transit through the US.

INIndia
Underlying infra
AWS ap-south-1 · Mumbai

In-country residency for Indian enterprise customers. Echo Engine and opt-in storage run entirely in Mumbai. LLM inference for the India region is contractually pinned to AWS Bedrock to keep transcripts in-region end-to-end.

Talk to the team

Public contacts.
Real humans on the other end.

Three channels, each scoped to a specific kind of question. No ticketing forms, no chatbot triage.

Security email
security@vought.com

For incident reports, responsible disclosure, and customer security review correspondence. PGP key on file. Response within one business day, faster for active incidents.

Email security
Bug bounty
Disclose with HackerOne

Public program. Payouts range from · $100 for accepted low-severity reports to · $5,000 for critical authentication or data-exposure findings. Safe-harbor language matches the HackerOne Vulnerability Disclosure Guidelines.

Email security disclosures
Trust center
Live documents portal

SOC 2 report (under NDA), penetration test summary, sub-processor change log, status page, and the data processing addendum. Self-serve, no sales gate.

Request access

Reviewing Vought
for your team?

Send the one-pager to your security and legal reviewers. Book time with our team when they have questions.

  • Pre-filled vendor security questionnaire (SIG Lite · CAIQ)
  • Latest penetration test executive summary
  • Sub-processor change subscription
Request one-pagerTalk to legal