// Trust & Security Report
Fixie.AI
Real-time speech-native voice AI agents and developer API platform (Ultravox)
Certifications held
1
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 8 unconfirmed / not-held certifications
No public evidence found on ultravox.ai or the Delve trust center.
No public evidence found on ultravox.ai or the Delve trust center.
No public evidence found on ultravox.ai or the Delve trust center.
No public evidence found on ultravox.ai or the Delve trust center.
No public evidence found on ultravox.ai or the Delve trust center.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
United States (primary). Privacy policy states services are 'hosted in the United States and intended for visitors located within the United States.' Data may be transferred to other countries for storage and processing. No EU or other regional data residency option is publicly documented.
Privacy policy states: 'We do not use your voice data or audio files to train or fine-tune our underlying AI models.' Terms of Service reinforce this: 'Fixie does not use customer data to train or fine-tune the underlying AI models.' However, the ToS grants a broad worldwide, non-exclusive, irrevocable, royalty-free content license for user-submitted content, which warrants scrutiny from enterprise buyers even though model training is explicitly excluded.
// Security controls
Encryption and access controls
Privacy policy cites 'physical and electronic safeguards designed to improve the security of the personal information we maintain, such as encryption, access controls, and secure data storage practices.' Specific protocols not publicly detailed.
ultravox.aiWebhook authentication
HMAC-SHA256 signatures used to ensure webhook authenticity; per-webhook secret key generated automatically or customer-provided.
docs.ultravox.aiCustomer data isolation
Voice data is kept separate between different customers and accounts.
ultravox.aiSubprocessors
Disclosed: Cloudflare (Network and Edge Security), Shadeform (Cloud Infrastructure and Platform Services), Clerk (authentication), Slack (Business Apps and Productivity), plus 8 additional undisclosed processors. Full list available on request via trust center.
trust.delve.coSecurity awareness training
Employees undergo mandatory security awareness training at least annually; records of such training are maintained.
trust.delve.coVendor risk management
Critical third-party vendor inventory maintained; risk assessments performed before initiating third-party work and repeated annually. SOC 2 reports reviewed for service providers at onboarding and annually.
trust.delve.coPolicy documentation
Data Protection and Encryption Policy, GDPR Information Security and Access Control Policy, IT Leadership Committee Charter, and 20+ additional policy documents available upon request via trust center.
trust.delve.co// Products & data scope
data: Voice audio input and output; real-time speech-to-speech AI processing. $0/month base, $0.05 per minute including TTS; up to 5 concurrent calls.
Standard ToS applies. No DPA. Suitable for experimentation and non-regulated workloads only. Not appropriate for HIPAA or EU-regulated data.
data: Same scope as Free tier; no hard concurrency caps. $100/month billed yearly.
No additional security commitments stated publicly versus the Free tier. No DPA included.
data: Custom pricing and scale. Likely processes same voice AI data types; volume and concurrency negotiated.
Terms reference a Service Agreement Order Form for enterprise customers. DPA and enhanced security provisions may be negotiable but are not publicly documented. Buyers should request these before deployment.
// What to watch
- SOC 2 Type I is the only completed certification; SOC 2 Type II, GDPR, and HIPAA are all listed as 'In Progress' on the trust center as of June 2026.
- No publicly available DPA. Enterprise customers must negotiate a Service Agreement Order Form separately.
- GDPR compliance not yet achieved; privacy policy contains no GDPR-specific provisions and does not mention SCCs or BCRs for EU data transfers.
- HIPAA not yet certified; platform is not suitable for HIPAA-regulated workloads at this stage.
- Data hosted in the United States only; no EU or other regional data residency option is documented.
- ToS grants a broad 'worldwide, non-exclusive, irrevocable, royalty-free' content license for user-submitted content; enterprise buyers should review implications even though AI model training is explicitly excluded.
- No ISO 27001, PCI DSS, FedRAMP, CSA STAR, or ISO/IEC 42001 evidence found.
- Trust center is hosted on the third-party Delve platform (trust.delve.co) rather than a subdomain of ultravox.ai, which may limit independent verification.
- Open-weight model commitment (models published on Hugging Face) is a positive transparency signal but does not substitute for compliance certifications.
// At a glance
Pricing model
Pay-as-you-go at $0.05/min; Pro tier at $100/month; Enterprise at custom pricing
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Fixie.AI's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.delve.co