Security & compliance - GDPR-compliant operation, controllable, auditable.
Crucial when AI not only speaks, but also triggers processes. heronOS is designed for professional operation - with clear separation, access controls and a traceable audit trail.
- Operation in the German cloud infrastructure (DE/EU), tenant-separated
- Staging/production (separate instances) for clean deployment
- Transcripts + logs (in accordance with legal retention obligations)
- Optional: Token-based access controls (who is allowed to interact at all?)
What IT wants to know in advance (and we clarify in the demo)...
- Data residency DE/EU and data flows (incl. optional third-party services)
- Which data types are generated (transcripts, metadata, knowledgebase, system actions)
- Access control (roles/rights, optional token access)
- Audit trail (transcripts, logs, change logs)
- Human-in-the-loop & escalation rules (when/how to hand over?)
- Staging/production procedure (controlled changes)
- Complete data protection documentation
Hosting & data residency (DE/EU)
Productive operation takes place in the German Cloud infrastructure (DE/EU). Data residency DE/EU is given - except for connected third-party services requested by the customer, which you consciously activate.
- Tenant-separated operation (logical separation)
- Each specialist in a clearly defined setup (own role/rules/logs)
- External access can be secured (access mechanisms for each setup)
Security Assurance: Tests & Response
- Pentests: customers/partners can carry out pentests at any time on request
- Incident response: defined process incl. security contact and response times
- Certifications: prepared, not yet completed (we will clarify the status in the demo)
Transparency in operations: What is recorded - and why?
Relevant information for quality, audit and operational safety is documented in a traceable manner. Customers have access via the platform.
- Transcripts (review, quality, traceability)
- No audio storage (telephony is transcribed, audio is not stored)
- Metadata (time, channel, volume) for reporting/control
- Knowledgebase content (customer-specific, approved/curated)
Safety controls: handovers instead of risk
If the specialist does not "know" for sure, there is no guesswork, but a clean handover. Escalation behavior and handover targets can be set by the customer.
- Human-in-the-loop for non-knowledge/special cases (ticket/forwarding/telephone handover)
- Adjustable escalation rules
- Standard testing before going live
Access & control: roles/rights + optional token protection
Access controls can be designed so that only defined user groups are allowed to interact with the specialist - particularly important for closed user groups.
- Roles & rights for administration/training/operation (team-capable)
- Optional: Token-based access for external/targeted approval
- Staging (heronOS)/Production for controlled changes
Audit trail & logging - traceable in accordance with legal requirements
Changes to knowledge content and RAG data used are logged to make behavior traceable. Transcripts and logs are retained in accordance with legal retention requirements.
Keep this in mind:
- Change logs: Knowledge changes traceable (heronOS)
- RAG logging: database used is traceable
- Retention: in accordance with legal requirements (not individually configurable)
Frequently asked questions
Is heronOS GDPR compliant?
heronOS can be operated in compliance with GDPR. Data residency DE/EU applies in the German Cloud infrastructure - unless you activate third-party services with their own data flows.
Do you store phone audio?
Yes, calls are transcribed and can be viewed by customers on the platform, audio is stored for federal authorities.
Can we restrict access?
. Token-based access controls can be set up as an option.
How long are transcripts/logs stored?
In accordance with statutory retention obligations. Retention is not freely configurable.
Ready to test your first digital specialist?
30-minute demo → Delivery usually within 48 hours. → 14-day free trial (can be canceled).