Security & privacy
Translation that protects what you say
Client-side encryption by default. BAA-backed healthcare onboarding. GDPR data export and deletion. 6-year audit retention. Google Cloud and fully on-premises deployment paths. Zero PHI in application logs by design.
- E2E: Signal Protocol messaging
- BAA: HIPAA-aligned healthcare
- 6yr: Audit retention
- On-prem: Deployment option
Eight pillars
Vavus AI was built for healthcare and enterprise from day one. Consumer features inherit the same controls.
Client-side encryption by default
New stored history, documents, and audio are encrypted on your device with TweetNaCl secretbox. Messaging uses Signal Protocol end-to-end. Live speech is processed briefly in memory for STT, translation, and TTS before storage rules apply.
HIPAA-aligned with BAA
Healthcare customers onboard under a Business Associate Agreement. 8-hour token expiry, 15-minute idle timeout, secure deletion of PHI assets, zero PHI in application logs by design, 6-year audit retention.
GDPR-ready by default
Authenticated data export. Account deletion endpoint. Granular cookie consent on the web. Consent state tracked per user. First-touch attribution only captured after marketing consent.
Google Cloud and on-premises deployments
In addition to the Vavus cloud on Google Cloud, regulated buyers can review a dedicated Google Cloud deployment or a fully on-premises install with no outbound network calls.
Audit trail retained 6 years
Audit logs record metadata-only events (who did what, when, from which device) and are retained for 6 years to support HIPAA and enterprise compliance reviews. Logs never contain PHI or translation content.
Strong account security
JWT auth with rotating tokens, separate stream tokens for WebSocket sessions, SAML 2.0 SSO for Enterprise, brute-force protection with exponential backoff, token revocation on logout and password change.
Breach detection
Unusual activity, location changes, and IP anomalies are flagged. Suspicious sessions are challenged or revoked. Account lockout protects against credential stuffing.
Self-hosted support chat
Support runs in-house at support.vavusai.com on self-hosted Chatwoot — support transcripts are not handed to a third-party vendor.
Account types and controls
Personal, Healthcare, and Enterprise accounts share the same encryption baseline. Healthcare and Enterprise add stricter controls on top.
| Account type | Session controls | Additional controls |
|---|---|---|
| Personal | 30-day token expiry | Standard features. End-to-end encrypted messaging. Client-side encrypted history and documents. |
| Healthcare | 8-hour token expiry, 15-minute idle timeout | BAA-backed onboarding, medical speech recognition, on-premises deployment option, audit logging, no PHI in logs, secure deletion of PHI assets, 6-year audit retention. |
| Enterprise | 30-day token expiry (or org policy) | Full audit logging and export, SAML 2.0 SSO, organization management, regional data residency, Google Cloud deployment path, and on-premises deployments. |
High-intent trust pages
Shorter pages for buyers searching for answers to specific privacy, healthcare, and encryption questions.
- End-to-end encrypted translation: a precise breakdown of Signal messaging, client-side encrypted storage, live processing, and on-prem options.
- HIPAA compliant translation app: evaluator answers for BAA, PHI logging, healthcare account controls, audit retention, and deletion.
- Medical interpreter app: clinical translation workflows with medical STT, BAA-backed onboarding, and human-review guardrails.
Concrete technical controls
The protocols, controls, and primitives Vavus AI uses today. This list is the citable detail behind the high-level claims above.
- TweetNaCl secretbox client-side encryption (history, documents, audio)
- Signal Protocol end-to-end encryption (messaging)
- AES-256-GCM (legacy server-side, read-only for older content)
- TLS 1.2+ at the load balancer
- Cloud Armor WAF (500 req/min, 60s ban, XSS and SQL injection blocking)
- Per-user Account Master Key in device Keychain wrapping per-artifact keys
- JWT auth + separate stream tokens for WebSocket sessions
- SAML 2.0 SSO (Enterprise)
- Brute-force protection with exponential backoff and account lockout
- Token revocation on logout and password change
- Breach detection (unusual activity, location, IP anomalies)
- Secure deletion (overwrite before unlink) for PHI assets
- Audit logs retained 6 years (Cloud Logging + GCS lifecycle)
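As an added illustration of the "overwrite before unlink" control (example code written for this page, not Vavus AI's implementation), the routine below overwrites a regular file with random bytes, flushes it to disk, and only then unlinks it; the file name and contents in `demo()` are constructed.

```python
import os
import secrets
import stat
import tempfile


def secure_delete(path: str, chunk_size: int = 1 << 20) -> int:
    """Overwrite a regular file with random bytes, flush to disk, then unlink.

    Returns the number of bytes overwritten. Refuses symlinks and other
    non-regular files so a planted link cannot redirect the overwrite.
    """
    st = os.lstat(path)                      # lstat: do not follow symlinks
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"refusing to overwrite non-regular file: {path}")
    flags = os.O_WRONLY | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags)
    try:
        written = 0
        while written < st.st_size:
            n = min(chunk_size, st.st_size - written)
            written += os.write(fd, secrets.token_bytes(n))
        os.fsync(fd)                         # push the overwrite to the device
    finally:
        os.close(fd)
    os.unlink(path)
    parent = os.path.dirname(os.path.abspath(path))
    try:                                     # make the unlink itself durable
        dfd = os.open(parent, os.O_RDONLY)
        try:
            os.fsync(dfd)
        finally:
            os.close(dfd)
    except OSError:
        pass                                 # some platforms cannot fsync a directory
    return written


def demo() -> dict:
    """Constructed check: a fake PHI artifact plus a symlink pointing at it."""
    d = tempfile.mkdtemp()
    target = os.path.join(d, "patient-note.enc")
    with open(target, "wb") as f:
        f.write(b"constructed ciphertext placeholder " * 100)   # 3500 bytes
    link = os.path.join(d, "link-to-note")
    os.symlink(target, link)
    try:
        secure_delete(link)                  # must be refused, target untouched
        symlink_refused = False
    except ValueError:
        symlink_refused = True
    n = secure_delete(target)
    return {"bytes_overwritten": n, "still_exists": os.path.exists(target),
            "symlink_refused": symlink_refused}
```

On SSDs and on copy-on-write or journaled filesystems the overwritten blocks are not necessarily the ones that held the original data, which is why pairing this with client-side encryption and discarding the per-artifact key gives the stronger deletion guarantee.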
Request security documentation
Healthcare and enterprise teams can request the full security documentation pack — encryption architecture diagrams, key management, audit log schema, deployment topologies, BAA template, and DPA template.
Frequently asked questions
Is Vavus AI encrypted end-to-end?
Messaging is encrypted end-to-end with the Signal Protocol — Vavus never sees plaintext message content. Translation history, documents, and audio uploads are encrypted client-side before leaving your device, so the server stores only ciphertext for new content. Real-time speech translation is briefly plaintext in memory during the STT and TTS processing steps, then encrypted before storage.
Does Vavus AI sign a Business Associate Agreement?
Yes, for approved healthcare customers after review. Contact constantine@vavusai.com or request review from the Healthcare page. Once a BAA is in place, your account uses 8-hour token expiry, 15-minute idle timeout, secure deletion of PHI assets, medical speech recognition, 6-year audit retention, and zero PHI in application logs.
Where does Vavus AI host my data?
The standard Vavus cloud runs on Google Cloud Platform across US (primary), EU (edge), and Asia (edge) regions behind a global load balancer. Enterprise customers can review a dedicated Google Cloud deployment or a fully on-premises install in their own data center.
Can I export my Vavus AI data?
Yes. Authenticated users can request a full data export through the data export endpoint. The export includes your profile, history, messaging metadata, billing records, and consent state — encrypted at rest with your own encryption keys for items that were stored encrypted.
How long does Vavus AI keep my data?
Account deletion removes your user record and triggers secure deletion on associated artifacts. Audit log entries are retained for 6 years to support HIPAA and enterprise compliance reviews; these contain metadata only (user actions and timestamps), not PHI or translation content.