Security & Trust
Your calls. Your customers. Kept in Canada.
Cedri answers calls for dental clinics, law firms, and clinics that handle sensitive information every day. Here is exactly how we store it, who can touch it, and the line we will never cross: we never train AI on your data.
Where your data lives
Every recording, transcript, and piece of customer information stays in a Canadian data centre (ca-central-1, Toronto). It does not cross the border — not for storage, not for processing, not for backups.
Canadian data residency
Recordings, transcripts, and customer details are stored and processed in Toronto. Your data stays in Canada.
No cross-border copies
Backups and processing happen inside the same Canadian region. Nothing is shipped to a U.S. or offshore server.
One owner: you
The data Cedri handles is your business's data. We hold it to run your receptionist — nothing more.
How it's encrypted
Calls and data are protected at every step — moving across the network and sitting at rest. Every webhook between our partners is signature-verified, so we can prove an event really came from where it claims.
TLS 1.3 in transit
Every call leg and API request is encrypted with TLS 1.3, the current standard for data on the move.
AES-256 at rest
Recordings, transcripts, and account data are encrypted with AES-256 while stored.
Signature-verified webhooks
Events between Cedri and its partners are signed and verified, so spoofed calls and data can't slip in.
Privacy law, handled
Cedri is PIPEDA compliant and aligned with Quebec's Law 25, with privacy built into how calls, recordings, and customer data are handled. Our internal controls are SOC 2-aligned — we follow the practices, and we'll say "aligned," not "certified," because that's the honest word.
PIPEDA compliant
We meet Canada's federal privacy standard for handling personal information.
Aligned with Law 25
Quebec's modern privacy rules are reflected in how we collect, store, and delete data.
SOC 2-aligned controls
Access, logging, and change controls follow SOC 2 practices. We say aligned, not certified.
We never train AI on your data
This is the one most people ask about, so we'll be blunt. Cedri never uses your calls, recordings, transcripts, or customer information to train any AI model — ours or anyone else's. Your data runs your receptionist. That's the only thing it's for.
You stay in control
You decide how long recordings and transcripts are kept, and you can delete any of them from the dashboard whenever you want. If you ever leave, account deletion is supported with a 30-day window.
Set your retention
Choose how long recordings and transcripts are kept. You hold the dial, not us.
Delete any record, anytime
Remove any individual recording or transcript directly from your dashboard.
Account deletion, 30-day window
Close your account and your data is deleted within 30 days, except where the law requires us to keep it.
Our sub-processors
Cedri runs on a small set of production-grade partners. Here's each one and exactly what data it touches. We don't sell, rent, or trade your data, and partners only see what they need to do their job.
Vapi — voice
Runs the live voice conversation: audio stream and real-time transcript during the call.
Twilio — telephony & SMS
Carries the phone call and sends confirmation texts: phone numbers, call routing, SMS content.
Anthropic Claude — website scan & FAQ
Reads your public website to build your agent's answers. Processes website content, not call recordings. Never trains on it.
Supabase — database & auth
Stores your account, bookings, transcripts, and login. This is the Canadian-resident data store.
Stripe — billing
Handles your subscription payments. Sees billing details only — never your call data.
Resend — email
Sends account and summary emails. Sees the email address and message content, nothing more.
Need a closer look before you sign?
We're happy to walk your team or your privacy officer through any of this. Email support@cedri.ca for a security review, or set up your receptionist and be live today.