Trust
Security & Compliance
Last updated: 25 June 2026
Overview
By Your Side is operated by A. O. Signtech. We take security seriously and build it into how the Service runs. We are an early-stage company in our first year, so we describe our posture honestly here rather than claiming certifications we do not hold. This page sets out how we handle data, who our sub-processors are, and how we respond to incidents.
Data handling and encryption
We protect data in transit with TLS and encrypt data at rest. Access is limited to authorised people and systems through role-based controls and least-privilege practices. Call audio is processed in real time and only transiently by our speech and language providers. Payment card data is handled exclusively by our Merchant of Record (Paddle), never by us.
Sub-processors
We use the following vendors to deliver the Service. Each processes data only to perform services for us, under contractual safeguards.
| Sub-processor | Purpose | Region |
|---|---|---|
| Google (Gemini) | Large language model and text-to-speech. Call audio is transient. | United States / Global |
| Deepgram | Speech-to-text. Call audio is transient. | United States |
| DIDWW | SIP trunks and DID phone numbers (PSTN telephony). | European Union (Ireland) |
| Supabase | Authentication and control-plane database. | European Union (Frankfurt) |
| Resend | Transactional email. | United States |
| Paddle | Merchant-of-Record billing, invoices, and tax. | United Kingdom / United States |
| Vercel | Marketing site and dashboard hosting. | United States / Global |
| Cloudflare | CDN, WAF, and DNS. | Global |
| DigitalOcean | Cloud servers hosting the voice engine and the primary database. | European Union (Frankfurt) |
Material changes to this list are communicated at least 30 days in advance to customers on annual contracts.
Data Processing Agreement
We offer a Data Processing Agreement (DPA) for customers who need one. It is based on the European Commission's standard contractual clauses (SCCs) and is available on request from info@byourside.ai.
Data residency
The voice engine and our primary database run on DigitalOcean in Frankfurt, Germany (European Union). Authentication and the control-plane database run on Supabase in Frankfurt, Germany (European Union). Call audio is processed transiently by our speech and language providers and is not stored by them. We will confirm specific regions on request and as part of a DPA.
Call-data retention
Call recordings and transcripts are kept according to your account configuration, then deleted. You can request deletion of your data at any time. See our Privacy Policy for full details.
Incident response
If we confirm a personal-data breach, we communicate it to affected customers within 72 hours of confirmation, in line with GDPR Article 33. We will describe what happened, the likely impact, and the steps we are taking.
Certifications
We want to be straight with you: as an early-stage company, By Your Side does not currently hold SOC 2, ISO 27001, or other formal security certifications, and we make no such claims. We follow recognised security practices (encryption, access controls, vetted sub-processors, GDPR-aligned handling) and will pursue formal certification as the company matures.
Security contact
To report a vulnerability or a security concern, email support@byourside.ai.