Security & data protection

Your customers' calls are sensitive. We treat them that way.

Rannly handles real conversations between your customers and your business — names, addresses, phone numbers, payment intent. Every layer of our stack is designed to keep that data encrypted, jurisdictionally controlled, and never used to train anyone's AI model.

EU + UAE data residency

Customer call recordings are stored in Cloudflare R2's EU regions. The Postgres database runs in Railway's EU-Frankfurt zone. No data leaves European jurisdiction unless your business is in Saudi Arabia or the UAE, in which case we route to UAE-North storage on request.

Encryption everywhere

TLS 1.3 in transit (all browser → server and server → Vapi/Twilio/ElevenLabs connections). AES-256 at rest in R2 buckets. Database column-level encryption for phone numbers and call summaries. No sensitive data is ever logged in plain text.

Your data never trains models

Vapi (our voice infrastructure), OpenAI (gpt-4o for the analysisPlan), ElevenLabs (TTS), and Speechmatics (ASR) all operate under no-train DPAs. Your customer calls are processed and discarded — they never enter any vendor's training pipeline.

Who can see what

You + your dashboard users see all your call data. Marwan (Rannly's founder) has limited admin access for support — actions are audit-logged. No third party can read your recordings without an explicit DPA addendum signed by both sides.

Delete on demand

Recordings are retained for 90 days by default, after which they auto-purge from R2. You can delete any call recording immediately from your dashboard. Cancel your account → all data is purged within 30 days. We send you confirmation.

Backup + recovery

Daily automated Postgres snapshots retained 30 days (Railway). R2 versioning enabled — accidental deletes are recoverable for 7 days. Disaster recovery documented and tested quarterly.

Reliability — 99.5% monthly uptime

Our SLA target is 99.5% monthly uptime, measured from Railway region health + a synthetic call check every 5 minutes. Below target → service credit on the next invoice. Status page live at status.rannly.com.

Compliance

Honest about what's done, what's in progress, what's ahead

We don't claim certifications we don't have. Here's exactly where we stand. Full sub-processor list and retention windows on the privacy page.

UAE PDPL — aligned

Federal Decree-Law No. 45 of 2021 on Personal Data Protection. Lawful basis, data subject rights, breach notification — all mapped. UAE customers can request data residency in the UAE-North zone.

Saudi PDPL — aligned

Personal Data Protection Law (Royal Decree M/19, 2021). Cross-border transfer safeguards in place. Saudi customers can request a countersigned DPA that references the PDPL specifically.

GDPR — aligned

EU General Data Protection Regulation. EU Standard Contractual Clauses (SCCs) used for sub-processor transfers. DPA available on request.

Sub-processors — published list

Eleven named sub-processors (Railway, Cloudflare, Vapi, Twilio, OpenAI, ElevenLabs, Resend, Stripe, Clerk, Plausible, Sentry). We notify customers 30 days before adding a new one.

In progress

ISO 27001 — readiness phase

Internal controls mapped to ISO 27001:2022 Annex A. Formal certification audit planned 2027 once we cross 50 paying customers.

SOC 2 Type II — roadmap

Auditor selection underway. SOC 2 readiness assessment scheduled Q3 2027.

Out of scope

PCI DSS — N/A (Stripe handles card data)

Rannly never sees, stores, or transmits card numbers. All payment processing is Stripe Checkout, which is itself PCI DSS Level 1 certified.

Need a Data Processing Agreement (DPA)?

Customers regulated by GDPR, UAE PDPL, or Saudi PDPL can request a countersigned DPA. We use a DPA template based on the EU Standard Contractual Clauses, modified for UAE residency. Email legal@rannly.com and we'll send you the template — usually countersigned within 48 hours.

Responsible disclosure: we'll respond within 24 hours and credit you in our security log if you find something.