This page provides an overview of the technical and organisational measures implemented by Beluga AI Ltd, operating TaxiVoice AI.
1. Infrastructure architecture
- Cloud-hosted application infrastructure for our website and services.
- Managed backend and database infrastructure for operational data.
- Managed voice and communications infrastructure for call handling.
We do not operate unmanaged physical servers. Development and production environments are logically separated to help prevent unauthorised cross-environment access.
Where we rely on specialised platform providers (for voice, application hosting, and backend services), we leverage their security programs and compliance posture, alongside our own operational controls.
2. Encryption and data transmission
- TLS 1.2+ encryption for API communications.
- Encryption at rest provided by our managed infrastructure (e.g., AES-256).
- Authenticated, validated communication with dispatch APIs (where integrated).
No plaintext passenger data is intentionally transmitted to unauthorised parties.
3. Access controls
- Role-based access controls and least-privilege access.
- Multi-factor authentication for administrative access where available.
- Audit logging of administrative actions.
4. API and secret management
- Secrets are stored using environment-based secret management.
- API keys are not exposed client-side.
- Integration endpoints are authenticated and validated.
5. Logging, monitoring, and audit trails
- Structured logging for operational events and errors.
- Monitoring and alerting to support reliability and incident response.
- Audit trail for booking creation, updates, and cancellations (where applicable).
6. Booking integrity and idempotency
- Dispatch API confirmation before passenger confirmation (where integrated).
- Unique booking identifiers and duplicate-prevention safeguards.
- Validation of cancellation requests against booking references.
7. Incident response
We maintain incident response procedures covering detection, containment, escalation, root cause analysis, and remediation. Controllers are notified promptly in the event of a personal data breach, without undue delay.
8. Data minimisation and retention
TaxiVoice AI processes only data necessary to deliver the service (create, modify, cancel bookings and retrieve ETAs). Audio recordings are not retained unless explicitly enabled by the controller.
9. Subprocessor oversight
We use authorised subprocessors to deliver components of the Service (for example, voice infrastructure, hosting, and backend/database services). Subprocessors are contractually obligated to maintain appropriate technical and organisational safeguards. Where applicable, we select providers with recognised assurance programs and certifications (such as SOC 2 Type II and ISO 27001).