Your calls. Your data. Locked down.
Every call that hits UltisAI carries a customer's name, phone number, and sensitive intake information. Our security team treats it like it's our own. This page is the living reference for how we protect it.
TLS 1.2+ in transit. AES-256 at rest on Supabase and Vercel. Call audio encrypted end-to-end between Twilio and Retell.
Production access is role-based, logged, and time-limited. Secrets live in Vercel and Supabase Vault — never in code.
Every business has an opaque agent ID and row-level security in Supabase. One tenant cannot read another tenant's calls, contacts, or settings.
A daily health check validates every AI agent's configuration, URLs, and tools — and auto-repairs drift before a customer notices.
Every code change is reviewed, tested, and deployed via Vercel with preview and rollback. No direct production edits.
We only use subprocessors with published SOC 2 / ISO reports. Each one is bound by its own DPA.
Who touches your data
A complete, current list of third-party services we use to run UltisAI. We add or remove subprocessors transparently; see the DPA for the notification window.
Where we are, where we're going
- Signed DPA on request
- GDPR-ready data export and deletion
- EU Standard Contractual Clauses
- Role-based access + audit logs
- SOC 2 Type I (target: Q4 2026)
- SOC 2 Type II (target: 2027)
- HIPAA-compatible offering (enterprise)
- EU data residency option
Report a vulnerability
If you believe you've found a security issue, email our team at security@ultisai.com. We'll respond within one business day and coordinate a fix. We don't run a formal bounty program yet, but we will credit responsible disclosures in our changelog.