Security & Compliance

Built in the EU. GDPR from day one. Your tenant is yours.

Every question your legal and IT teams will ask, answered on one page. Last updated June 2026.

🇪🇺 EU-hosted (Hetzner, Germany) 🔒 GDPR Art. 28 DPA ready 🛡️ EU AI Act documented 🔐 AES-256 at rest · TLS 1.3 in transit

Data residency

All VoxNexus infrastructure runs in the European Union. Primary application and database hosting: Hetzner Online, Falkenstein (Germany). No data is processed or stored outside the EU by VoxNexus itself.

Third-party AI providers (see Subprocessors) process prompts transiently to return model outputs. You can bring your own API keys (BYOK) on the Enterprise plan to route AI calls through your own contracted provider.

Tenant isolation

VoxNexus uses a database-per-tenant architecture. Every customer gets their own isolated PostgreSQL database (voxnexus_tenant_{slug}). There is no shared tenant data table.

  • Row-level leakage is architecturally impossible, not just policy-controlled
  • Tenant deletion = full database drop (GDPR right to erasure)
  • Per-tenant encryption keys for recordings
  • Separate voice agent keys per tenant

Encryption

  • In transit: TLS 1.3 everywhere. HSTS enforced. No cleartext fallback.
  • At rest: AES-256 disk encryption on all application and database volumes (Hetzner-managed).
  • Application-level: API keys (Anthropic, Vapi, etc.) in global_ai_settings and ai_provider_settings are encrypted with Laravel's encrypter before database write.
  • Audio recordings: stored in your tenant's object storage with per-tenant keys. Download URLs are signed and time-limited.

GDPR rights — how we honour them

VoxNexus acts as a data processor; you are the data controller for your candidates' and employees' data.

  • Right of access (Art. 15): Export endpoint in every tenant returns all personal data as JSON.
  • Right to rectification (Art. 16): All profile and candidate fields are editable via UI and API.
  • Right to erasure (Art. 17): Per-record deletion UI. Bulk delete via API. Tenant-wide deletion via tenant:drop command. Recordings and transcripts are hard-deleted, not soft-deleted.
  • Right to portability (Art. 20): Candidate data exports in JSON and CSV.
  • Right to object & restriction: Processing can be paused per-tenant without data loss.
  • Automated decisions (Art. 22): VoxNexus is classified as "decision support, not autonomous decision" by design — every AI-scored interview requires human review before hiring decisions. We provide this documentation for your privacy impact assessment.

EU AI Act readiness

Hiring AI is classified as high-risk under Annex III of the EU AI Act. VoxNexus ships documentation to meet Art. 9–15 provider obligations:

  • Risk management system: documented process for bias testing, rubric review, and candidate feedback loops.
  • Data governance: training data statement (VoxNexus does not train models on your data — prompts are processed transiently).
  • Transparency: every candidate is informed before the interview that AI will conduct the conversation and scoring.
  • Human oversight: hiring decisions require explicit human action; AI produces only shortlist recommendations.
  • Accuracy & robustness: word error rate benchmarks published per language; continuous monitoring.
  • Logging: every interview, score, and decision is logged with timestamps and reviewer identity for 7 years.

A one-page "EU AI Act readiness statement" is available on request. Your legal team can request it directly; no sales call is required.

Subprocessors

We are transparent about every third party that touches your data. As of June 6, 2026:

Subprocessor | Purpose | Data processed | Region
Hetzner Online GmbH | Application + database hosting | All customer data | 🇩🇪 DE
Anthropic (Claude) | LLM — interview flow + scoring | Transcripts (transient) | 🇺🇸 US (via EU endpoint where available)
Deepgram Nova-3 | Speech-to-text | Audio (transient) | 🇺🇸 US
ElevenLabs | Text-to-speech | Text prompt (transient) | 🇺🇸 US
Vapi | Voice session orchestration | Call metadata, transient audio | 🇺🇸 US
Stripe | Payment processing | Billing data only | 🇮🇪 IE

On Enterprise plans you can BYOK (bring your own keys) to route AI calls through your own contracts, eliminating us from the data flow for those subprocessors.

Retention & deletion

  • Default: candidate data retained for the duration specified by your tenant policy (configurable 30 days to 7 years).
  • Candidate self-service deletion: candidates can delete their own records via link in their confirmation email.
  • Automated purge: voxnexus:purge-expired runs daily and hard-deletes records past retention.
  • Tenant termination: 30-day grace, then full database drop.

DPA (Data Processing Agreement)

A pre-signed, GDPR-compliant DPA is ready to send to your legal team before the sales call. It covers:

  • Standard Contractual Clauses for all non-EU subprocessors
  • Subprocessor change notification (30 days)
  • Audit rights
  • Data breach notification within 72 hours

Request DPA →

Incident response

  • Security incident email: security@progroup.hr
  • Customer notification within 72 hours of confirmed incident
  • Post-incident public report for Sev-1 events
  • Bug bounty: responsible disclosure welcomed, coordinated via security email

Send this page to your legal team.

Or book a call with our team to walk through your security questionnaire live.