Security Documentation

Data Security Architecture

How DULTRA protects sensitive data across every layer of the platform — from real-time voice interactions to enterprise document uploads and analysis.

EU
Data Residency
ZDR
Zero Retention
Real-Time
De-identification
GDPR
Compliant

Overview

DULTRA processes real-time voice conversations and enterprise document uploads. These interactions may contain personally identifiable or commercially sensitive information (PII), including national identification numbers, contact details, and financial identifiers.

Our security architecture ensures that sensitive data is identified and neutralized before reaching databases or external AI models. Corporate data, document uploads, and analysis are strictly isolated, ensuring the highest level of security.

Multi-Layer Redaction Architecture

Every piece of text or document that flows through DULTRA passes through a two-stage de-identification pipeline before persistence or forwarding to AI models.

Stage 1
Pattern Detection
Deterministic regex engine identifies structured PII with known formats
Stage 2
SDP Classification
Google Cloud Sensitive Data Protection inspects for unstructured PII: names, addresses, dates of birth
Output
Safe Data
De-identified content safely used for AI analysis and vectorization

Detected Identifier Types

#
National ID Numbers
Lithuanian asmens kodas, EU national identifiers
@
Contact Information
Phone numbers, email addresses
Financial Identifiers
IBAN numbers, credit card numbers
A
Personal Details
Person names, street addresses, dates of birth

Configurable Per Organization

Organization administrators can configure which identifier types are redacted. For example, sales teams that need to capture emails or phone numbers for CRM notes can selectively disable redaction for those categories. National identification numbers and financial data remain always protected and cannot be overridden.

Data Flow & Retention

Real-Time Voice Sessions

Audio streams are processed ephemerally. Voice data exists only for the duration of the active session and is never written to disk. Upon session termination, all audio buffers are destroyed with no recoverable trace.

Enterprise Document Upload & Vectorization

Corporate document uploads are processed securely and vectorized (embeddings) exclusively for your organization. This data is used only as context for your queries, ensuring your company's intellectual property is fully protected.

Transcripts & Evaluations

Text transcriptions pass through both redaction stages before database persistence. Stored transcripts contain only de-identified text with typed placeholders. Evaluations and coaching insights are generated exclusively from safe, de-identified data.

Infrastructure & Data Sovereignty

European Data Residency

  • All AI inference runs on European Google Enterprise Agent Platform servers
  • Database hosted within strict EU jurisdiction
  • Data transfer outside the EU is architecturally prohibited

Network Security

  • Advanced encryption on all communication channels
  • Strict Content Security Policy (CSP)
  • Automatic abuse protection and API rate limiting

AI Model Security

No Training on Customer Data

DULTRA uses Google Enterprise Agent Platform under enterprise (Enterprise) contract terms. Customer interactions and uploaded corporate documents are never used to train, fine-tune, or improve foundation models.

Ephemeral Session Context

Real-time voice sessions use stateless connections. Upon session termination, the entire conversational context is destroyed on the server side. No session resumption, no cached context, no recoverable trace.

Access Control & Authentication

Organization Isolation

Every database query is scoped to the authenticated user's and organization's identifier. Organization-level data is strictly isolated, ensuring no other company can access your information or uploaded documents.

Role-Based Access

Employees can only access their own session history and evaluations. Administrators manage team scenarios and knowledge bases exclusively within their organization boundary.

Regulatory Compliance

GDPR Articles 5 & 25

Data minimization and privacy by design. Only de-identified data is persisted; raw PII is never stored.

GDPR Articles 44–49

Cross-border transfer restrictions satisfied through mandatory EU regional endpoints and data residency enforcement.

GDPR Articles 15 & 17

Right of access and right to erasure. User data is scoped, exportable, and deletable on request.

Research

For a detailed technical analysis of the architectural principles underlying this security framework, see our published research:

Multimodal Enterprise AI in Regulated Industries: Architecting Secure, GDPR-Compliant Architectures

Questions about our security?

We're happy to discuss our architecture with your security team.

Contact Security Team