Security & Trust Overview
Building a communication platform is a responsibility we take seriously. Voice is personal. Workplace conversations are sensitive. We believe the organizations that put their trust in Carbon Voice deserve to know exactly how we protect that trust — so we've written this document to be direct, honest, and infromative.
For questions not addressed here, contact us at security@phononx.com
Operated by Phonon X, Inc. — San Francisco, C
About Carbon Voice
Carbon Voice is an AI-powered asynchronous voice messaging platform built to help teams communicate more effectively without the overhead of scheduled meetings. The platform is available on iOS, Android, and web, and supports individual personal workspaces as well as organizational workspaces for enterprise customers.
Carbon Voice is operated by Phonon X, Inc., and all engineering and data security responsibilities fall under formal internal policies, including an Employee Data Security Agreement binding all engineering personnel.
Data Ownership & Classification
Carbon Voice maintains a clear distinction between two types of data, each with dedicated ownership and controls:
User Data
Data created and stored in an individual's personal space outside of any organizational workspace. The individual user is the sole owner and controller of this data.
Workspace Data
All content submitted within an organiational workspace — including voice recordings, transcriptions, AI summaries, text inputs, file attachments, and message metadata — is owned by the Workspace Owner (typically the employing organization). Workspace Owners have full administrative control over their data, including the ability to:
-
Access, restrict, modify, or delete workspace content and conversations.
-
Provision and deprovision user accounts within the workspace.
-
Configure data retention, export, and permission settings.
Data Use & Governance
Carbon Voice processes data only to provide, protect, update the service, as required by law, or as instructed by the User Data owner or Workspace Owner. This is governed by our User Terms of Service, Workspace Terms of Service, and Privacy Policy.
Data Security
Security Program & Personnel
Carbon Voice maintains an industry-standard information security program consisting of technical and organizational safeguards. All engineering personnel are bound by a formal Employee Data Security Agreement. Data access within Carbon Voice follows a strict need-to-know principle.
Infrastructure
Carbon Voice's services are hosted on Amazon Web Services (AWS), providing enterprise-grade infrastructure with strong security, availability, and compliance capabilities. AWS infrastructure includes built-in protections such as physical security, network isolation, and DDoS mitigation.
Message & Conversation Data
Message data is stored and protected in MongoDB Atlas with the following controls:
-
Database restricted to whitelisted IP addresses only.
-
Database encrypted at rest.
-
Per-user access controls enforced at the data layer.
-
Audit logs maintained for data access.
-
Transcription field-level encoding at rest.
-
Audio & Voice Data
Audio recordings are stored in AWS S3 with the following controls:
-
Access audit logs maintained for all audio file access.
-
Clients access audio exclusively via signed URLs — no direct or unauthenticated access to storage.
Encryption in Transit
All API communication between clients and Carbon Voice servers is conducted over SSL/TLS. There is no unencrypted access path to production data.
API Access Controls
The Carbon Voice API is account- and permission-based, controlling precisely what each authenticated client can access. API access is scoped to the permissions of the authenticated user account.
Internal Admin Access
An internal Admin Dashboard is used for support operations, accessible only to authorized engineers and support individuals. The Admin Dashboard provides:
-
Access to message structure metadata for support purposes.
-
Message content access governed by user-permission rules — not open access.
-
All admin actions are logged, providing a full audit trail of who accessed what and when.
Artificial Intelligence & Data Processing
Carbon Voice uses AI to power core platform features including transcription, summaries, and voice capabilities. We are committed to transparent, responsible, and privacy-preserving use of AI.
AI Features & Providers
The following AI services are used to power Carbon Voice features:
-
Eleven Labs — voice transcription (primary) and text-to-speech / voice synthesis (primary).
-
OpenAI Whisper — voice transcription fallback.
-
AWS Text-to-Speech – TTS fallback.
-
OpenAI (ChatGPT) — message and meeting summaries, AI-generated responses.
-
OpenAI + Qdrant — AI-powered semantic search over conversation content.
Customer Data and AI Model Training
Carbon Voice does not use customer voice recordings, transcriptions, or workspace content to train AI models. Data is transmitted to third-party AI providers is used solely to generate the requested output (transcription, summary, etc.) and is not retained for model training purposes by Carbon Voice.
Additionally, Carbon Voice's use of OpenAI APIs explicitly excludes any use of developing, improving, or training generalized AI or ML models.
Where possible, Carbon Voice takes measures to minimize or anonymize personally identifiable information before transmitting data to AI providers.
Voice Cloning
Voice cloning and dubbing are optional features powered by Eleven Labs. Users must explicitly opt into these features and consent to voice data processing. Carbon Voice does not retain cloned voices indefinitely; users may request deletion of their cloned voice data. Voice cloning may not be used for deceptive, fraudulent, or unlawful purposes, including unauthorized impersonation.
Privacy & Compliance
Privacy Policy
Carbon Voice's full Privacy Policy is available at getcarbon.app/privacy and describes in detail how personal data is collected, used, retainer, and disclosed.
GDPR
Carbon Voice's data practices are mapped to the requirements of the General Data Protection Regulation (GDPR). Users in the European Economic Area (EEA) have the right to access, correct, delete, restrict, or export their personal data, as well as the right to object to processing or withdraw consent. Requests can be submitted through account settings or by contacting us directly.
CCPA
Carbon Voice's data practices are also designed with California Consumer Privacy Act (CCPA) requirements in mind. California residents have rights with respect to their personal data, including the right to know, delete, and opt out of certain data uses.
Data Retention & Deletion
Customer data is retained only as long as necessary to provide the service or as required by applicable law. Upon account or workspace termination, Carbon Voice will delete or anonymize data within a commercially reasonable period of time, subject to any previously agreed-upon retention policies. Users can initiate account deletion directly through account settings.
Minimum Age
Carbon Voice enforces minimum age requirements for all users. Workspace Owners are responsible for ensuring authorized users within their workspace meet these requirements. See our Privacy Policy for details.
Data Transfers
Carbon Voice is headquartered in the United States. Data, including personal data from users outisde the US, may be processed in the United States. Carbon Voice takes appropriate measures to ensure such transfers are conducted securely and in compliance with applicable data protection regulations.
Workspace Administration & Access Controls
Robust Controls
Enterprise and organizational Workspace Owners have robust controls over their workspace environment:
-
Invite, add, and remove user accounts from the workspace.
-
Assign and manage user roles and permissions.
-
Enable or disable third-party integrations.
-
Configure data retention and export settings.
-
Access, modify, or delete workspace content and conversations.
-
Request data exports for discovery needs.
Single Sign-On (SSO & SCIM)
Carbon Voice supports Google Workspace, SSO with Okta and SCIM for workspace authentication, allowing organizations to require users to log in via their organization's identity provider, providing deeper administrative control and an additional security layer over workspace data.
Carbon Voice is a password-less system requiring OTP code and can require login and OTP validation against a specified email domain.
Legal Process & Law Enforcement Requests
Valid Legal Processes
Carbon Voice will only respond to valid legal processes (court orders, subpoeans, or government requests) to the extent required by applicable law. For requests related to Workspace Data, Carbon Voice commits to:
-
Providing the Workspace Owner with prompt written notice of the legal order where permitted.
-
Assisting the Workspace Owner in opposing disclosure or seeking protective orders, at Workspace Owner's expense.
-
Disclosing no more than the portion of data specifically required by the legal order.
Individual users will similarly be notified of legal requests for their personal data unless notification is legally prohibited or would create a safety risk.
Key Vendors & Sub
Carbon Voice works with the following trusted third-party vendors who may process customer data as part of service delivery:
Infrastructure
-
Amazon Web Services (AWS) — cloud hosting and audio file storage (S3); TTS fallback.
-
Google cloud (GCP) — cloud hosting and processing of messaging features.
-
MongoDB Atlas — database storage for message and conversation data.
AI & Transcription
-
Eleven Labs — primary transcription and text-to-speech / voice synthesis; also powers optional voice cloning and dubbing features.
-
OpenAI (Whisper + ChatGPT) — transcription fallback, message and meeting summaries, AI-generated responses.
-
Qdrant — vector database for AI-powered semantic search over conversation content.
Analytics & Operations
Firebase (Google) — application analytics and crash reporting.
Amplitude — product usage analytics.
Sentry — crash and stability monitoring.
Segment.io — data routing and integration.
All vendors are evaluated for their security and privacy practices. Carbon Voice requires that subprocessors handling customer data maintain standards consistent with our own data protection obligations.
Security Contact & Document Requests
For security questions, vulnerability reports, data subject requests, or to request additional documentation such as a Data Processing Agreement (DPA), please contact:
Mailing Address: Phonon X, Inc., 3739 Balboa St #1047, San Francisco, CA 94121
Related Documents: Privacy Policy — User Terms of Service — Workspace Terms of Service
© 2026 Phonon X, Inc. | Carbon Voice Security & Trust — Confidential