3.9 KiB
3.9 KiB
Privacy & Compliance Guide
GDPR Compliance
Data Retention
Default: 2 years (730 days)
{
"privacy": {
"transcripts": {
"retention_days": 730
},
"audio": {
"retention_days": 730
}
}
}
Right to Be Forgotten
Enable data deletion requests:
await client.conversations.delete(conversation_id);
Data Residency
const { startConversation } = useConversation({
serverLocation: 'eu-residency' // GDPR-compliant EU data centers
});
User Consent
Inform users before recording:
{
"first_message": "This call will be recorded for quality and training purposes. Do you consent?"
}
HIPAA Compliance
Data Retention
Minimum: 6 years (2190 days)
{
"privacy": {
"transcripts": {
"retention_days": 2190
},
"audio": {
"retention_days": 2190
}
}
}
Encryption
- In Transit: TLS 1.3 (automatic)
- At Rest: AES-256 (automatic)
Business Associate Agreement (BAA)
Contact ElevenLabs for HIPAA BAA.
PHI Handling
Never:
- Store PHI in dynamic variables
- Log PHI in tool parameters
- Send PHI to third-party tools without BAA
Always:
- Use secure authentication
- Verify patient identity
- Document access logs
SOC 2 Compliance
Security Controls
✅ Encryption in transit and at rest (automatic) ✅ Access controls (API key management) ✅ Audit logs (conversation history) ✅ Incident response (automatic backups)
Best Practices
{
"authentication": {
"type": "signed_url", // Most secure
"session_duration": 3600 // 1 hour max
}
}
Regional Compliance
US Residency
serverLocation: 'us'
EU Residency (GDPR)
serverLocation: 'eu-residency'
India Residency
serverLocation: 'in-residency'
Zero Retention Mode
Maximum Privacy: Immediately delete all data after conversation ends.
{
"privacy": {
"zero_retention": true
}
}
Limitations:
- No conversation history
- No analytics
- No post-call webhooks
- No MCP tool integrations
PCI DSS (Payment Card Industry)
Never:
❌ Store credit card numbers in conversation logs ❌ Send credit card data to LLM ❌ Log CVV or PIN numbers
Always:
✅ Use PCI-compliant payment processors (Stripe, PayPal) ✅ Tokenize payment data ✅ Use DTMF keypad for card entry (telephony)
Example: Secure Payment Collection
{
"system_tools": [
{
"name": "dtmf_playpad",
"description": "Display keypad for secure card entry"
}
]
}
Compliance Checklist
GDPR
- Data retention ≤ 2 years (or justify longer)
- EU data residency enabled
- User consent obtained before recording
- Data deletion process implemented
- Privacy policy updated
HIPAA
- Data retention ≥ 6 years
- BAA signed with ElevenLabs
- Encryption enabled (automatic)
- Access logs maintained
- Staff trained on PHI handling
SOC 2
- API key security (never expose in client)
- Use signed URLs for authentication
- Monitor access logs
- Incident response plan documented
PCI DSS
- Never log card data
- Use tokenization for payments
- DTMF keypad for card entry
- PCI-compliant payment processor
Monitoring & Auditing
Access Logs
const logs = await client.conversations.list({
agent_id: 'agent_123',
from_date: '2025-01-01',
to_date: '2025-12-31'
});
Compliance Reports
- Monthly conversation volume
- Data retention adherence
- Security incidents
- User consent rates
Incident Response
Data Breach Protocol
- Identify affected conversations
- Notify ElevenLabs immediately
- Delete compromised data
- Notify affected users (GDPR requirement)
- Document incident
- Review security controls