Legal Information

Security overview

Last updated: October 20, 2025

We protect your data

Our infrastructure is hosted with Hetzner in their secure German data centers, which maintain ISO 27001 certification and comply with strict EU data protection standards.

Files that our customers upload are stored on servers that use modern techniques to remove bottlenecks and points of failure.

Your data are sent using HTTPS

Whenever your data are in transit between you and us, everything is encrypted and sent using HTTPS. Within our private networks, data may be transferred unencrypted.

Infrastructure hosted in the EU

Our servers are hosted with Hetzner in Germany, ensuring:

  • Data sovereignty: Your data stays within the EU, complying with GDPR requirements
  • ISO 27001 certified facilities: Enterprise-grade physical and network security
  • Redundant systems: Multiple redundant power supplies, network connections, and cooling systems
  • 24/7 monitoring: Continuous infrastructure monitoring and incident response
  • DDoS mitigation: Network-level automated protection against common volumetric attacks

For more information about our hosting provider's security measures, see Hetzner's security overview.

Voice data security

Because we process voice communications, we take extra precautions:

  • Encrypted transmission: All voice data is encrypted in transit using TLS/HTTPS
  • Limited retention: Voice recordings are not recorded by Torru and transcripts are retained only as long as necessary for service delivery
  • AI processing: Third-party services (OpenAI, Anthropic, 11labs, Cartesia, Gemini, Retell, Telnyx) process voice data under strict data processing agreements with appropriate safeguards for international transfers

See our Subprocessors list for details on all third-party services that may process your data.

Constant monitoring

We have systems in place to monitor for security threats and nefarious activity against our services. Our infrastructure monitoring alerts us to any unusual patterns or potential security incidents.

All Torru team members with access to customer data are bound by strict confidentiality obligations. Any unauthorized access to customer data would result in immediate termination and potential prosecution.

In the event of a data breach, we will immediately notify all affected customers in accordance with UK GDPR requirements (within 72 hours of becoming aware of the breach).

Have a concern? Need to report an incident?

Have you noticed abuse, misuse, an exploit, or experienced an incident with your account? Please visit our security response page for details on how to securely submit a report.