Skip to main content

Trust & security

Clear boundaries before the first real call.

Architecture, providers, access controls, and retention boundaries for the controlled Vite Clinic pilot.

Last reviewed: 13 July 2026

Current

Data boundaries

Persistent application data and encrypted off-server backups are hosted with Infomaniak in Switzerland.

Current

Data use policy

Vite Clinic does not sell call data, use it for advertising, or train its own models on it. Provider-specific API terms and account controls are listed below.

Before launch

Launch gate

The assistant is tested with clinic-approved information and limited routing before any wider deployment.

Current

Providers

Call content can reveal sensitive health data. Swiss persistent storage is separate from live telephony and AI processing. The account-dependent entries below remain launch checks, not claims of active regional controls.

Infomaniak Network SA Switzerland
Role
Application hosting, persistent database storage, and encrypted off-server backups.
Provider retention
Service-specific. Its DPA provides for deletion after an applicable instruction or service end; the exact production backup window must be recorded before launch.
Subprocessors and dependencies
Service-specific sub-processors may be added with advance notice and an objection period.
Swiss transfer safeguards
Swiss processing agreement, confidentiality, least-privilege access, and a production service register.
Launch evidence
Swiss application hosting is implemented; the selected production services, backup window, and access list still require launch evidence.
Twilio Ireland Limited Ireland, United States, and carrier countries
Role
Swiss phone number, call routing, and live audio transport. Call metadata and audio pass through Twilio for the service to work.
Provider retention
Twilio keeps call records for 13 months and listed phone-number fields for up to 120 days. Vite Clinic does not currently enable Twilio call recording, but Twilio still carries live audio to operate the call.
Subprocessors and dependencies
Twilio Inc., AWS, ClickHouse, and account- or number-specific telecommunications carriers; optional speech providers only if enabled.
Swiss transfer safeguards
Twilio DPA, Binding Corporate Rules, adequacy decisions, the Data Privacy Framework, and Swiss-adapted SCCs as applicable.
Launch evidence
European routing is available in Dublin, but the regional account, credentials, phone routing, carrier path, and a test call still require verification. Until then, calls use the disclosed United States route.
OpenAI Ireland Ltd. Europe when verified; otherwise global processing
Role
Realtime speech and assistant processing. Audio and conversation content are processed to answer the call.
Provider retention
API data is not used for model training unless the customer opts in. Default abuse-monitoring logs may retain content for up to 30 days; approved reduced-retention controls change that posture.
Subprocessors and dependencies
The current API list includes Microsoft, CoreWeave, Oracle Cloud, Google Cloud, AWS, Cloudflare, Snowflake, Confluent, Cerebras, and listed support providers; participation depends on features and controls.
Swiss transfer safeguards
OpenAI DPA, adequacy decisions and SCCs. These contractual safeguards do not by themselves resolve Swiss professional secrecy.
Launch evidence
European processing is supported, but it is not treated as active until the provider account, contract amendment, eligible models, endpoint settings, disabled tracing, and reduced-retention controls are verified.
Stripe Payments Europe, Limited Ireland, United States, and global payment networks
Role
Subscriptions, invoices, and payment references. Stripe does not receive call audio or transcripts from Vite Clinic.
Provider retention
Stripe generally keeps business-user and transaction data for five years or longer where payment, fraud, tax, or legal duties require it.
Subprocessors and dependencies
Stripe affiliates, AWS, Salesforce, Twilio, Verifi, and payment-method-specific providers.
Swiss transfer safeguards
Stripe DPA, Data Privacy Framework and Swiss-adapted SCCs for relevant transfers.
Launch evidence
Only billing and account references may be sent. Patient call content is outside the Stripe data flow.

Current

Retention

Vite Clinic applies the following default retention periods. The clinic agreement may require shorter periods.

  • Vite Clinic does not intentionally store raw call audio. Transcripts, caller identifiers, health-related free text, and handoff payloads are scrubbed after 30 days.
  • The reduced operational call record is deleted after 365 days. Audit records use 365 days; application logs default to 14 days.
  • Billing/accounting records follow their separate legal purpose. Backup expiry remains a production-account launch check.

Before launch

Before launch

No real patient routing starts until the DPA, caller consent and human alternative, retention schedule, provider register, and professional-secrecy review are approved and tested.

Controls in the product

The current product uses practical controls suited to a limited clinic pilot.

  • HTTPS for the public site, application, and service APIs.
  • Explicit organization roles and clinic-scoped support access.
  • Audit records for sensitive support and clinic actions.
  • Encrypted backups, signed deployments, and a documented rollback path.
  • Operational logs designed to avoid call content and patient details.

Next step

Next step

Request the pilot security pack for the supporting documents and the launch checks that still need approval.