Voximplant is a cloud communications platform providing voice, video, and messaging APIs used to embed real-time communication features into websites and applications. It processes call metadata, recordings, and participant identities on infrastructure spanning Russia and the US. Deploying Voximplant for European users raises significant GDPR concerns around data transfers to Russia and the US, the sensitivity of communication content, and the need for appropriate consent and contractual safeguards.
Voximplant is a cloud communications platform operated by Zingaya Inc. that provides programmable voice, video, and messaging APIs for embedding real-time communication into websites and mobile applications. It is used to build features such as click-to-call widgets, video consultation rooms, in-app messaging, and automated IVR systems. Voximplant is headquartered in the United States with significant infrastructure in Russia, which raises particular concerns for European data protection compliance given that Russia has no EU adequacy decision.
Voximplant processes call metadata including caller and recipient identifiers, call timestamps, duration, and connection quality metrics. If call recording is enabled, the full audio or video content of conversations is stored on Voximplant servers. For WebRTC-based browser calls, the platform accesses the user's microphone and camera with explicit browser permission. IP addresses, browser information, and session identifiers are also collected. The sensitivity of this data is high, as communications content may include confidential personal, medical, financial, or legal information.
Voximplant's GDPR compliance is complex. The ePrivacy Directive's confidentiality of communications provisions apply to calls handled through Voximplant, requiring that participants are informed before any recording or monitoring. Under GDPR, communications metadata and content are highly sensitive personal data. The potential transfer of this data to Russia, which has no adequacy decision and whose surveillance laws are incompatible with EU privacy standards, creates a particularly high risk that organisations must address before deploying Voximplant for European users.
Consent is required before the Voximplant SDK loads on a website. For call recording, explicit consent from all participants is required under both GDPR and the ePrivacy Directive's communications confidentiality rules. The consent mechanism for call recording must be active (not implied) and must clearly state that the call will be recorded, who will have access to the recording, how long it will be retained, and where it will be stored. Participants must be able to withdraw consent, which must result in the immediate cessation of recording.
Voximplant operates infrastructure in Russia and the United States, neither of which has an EU adequacy decision for the purposes of GDPR Chapter V transfers in this context. For US transfers, Standard Contractual Clauses apply. For Russia, no adequate transfer mechanism exists under GDPR, making any transfer of EU personal data to Russian infrastructure potentially unlawful. Organisations deploying Voximplant must specifically configure EU server routing and verify that no data is routed through Russian infrastructure. This should be confirmed with Voximplant in writing and documented in the DPA.
To deploy Voximplant compliantly in the EU: request and confirm EU-only server routing in writing from Voximplant; block the SDK until consent is obtained; obtain explicit consent before any call recording; update your privacy policy to describe call data processing, recording policies, and applicable transfer mechanisms; sign a DPA with Voximplant that explicitly restricts processing to EU infrastructure; conduct a DPIA given the sensitive nature of communications data; and document all processing and transfers in your RoPA. Consider EU-based communication platforms if the Russian infrastructure concern cannot be fully mitigated.
Websites using Voximplant must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is required for Voximplant deployments processing communication content (call recordings, transcripts) at scale. The combination of highly sensitive communication data, potential transfers to Russia (a country without EU adequacy), call recording of identifiable individuals, and automated processing of voice data creates a high-risk processing profile under GDPR Article 35.
Sample consent text
This website uses Voximplant to enable voice and video communication features. Voximplant processes call metadata, connection data, and potentially call recordings on servers that may be located outside the European Union. Please accept to enable voice and video calling features.
Third-party domains contacted
- voximplant.com
- api.voximplant.com
- rtc.voximplant.com

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| vox_session | session | Session | Session identifier used to maintain the active voice or video communication session |
| vox_uid | persistent | 1 year | User identifier used to associate communication sessions with a specific user account |
Voximplant uses cookies for user preferences — inform visitors with a consent banner.
Voximplant collects call metadata (caller IDs, timestamps, duration, quality metrics), IP addresses, browser and device information, and session identifiers. If call recording is enabled, full audio or video content is stored on Voximplant servers. For browser-based calls, the WebRTC API accesses the user's microphone and camera with explicit browser permission.
Yes. Consent is required before loading the Voximplant SDK on a website. For call recording specifically, explicit informed consent from all call participants is required under both GDPR and the ePrivacy Directive's communications confidentiality provisions. Implied or general terms-of-service consent is not sufficient for recording communications.
Contract performance (Art. 6(1)(b)) may apply for call metadata processing strictly necessary to deliver the communication service to the user. Consent (Art. 6(1)(a)) is required for non-essential cookies, call recording, and any processing beyond service delivery. Legitimate interest (Art. 6(1)(f)) may cover security logging with a documented balancing test.
Yes, and this is the most significant compliance concern. Voximplant operates infrastructure in Russia, which has no EU adequacy decision. Transfers to Russia under GDPR cannot be justified by SCCs alone given the systemic conflict between Russian surveillance law and EU privacy rights. EU server routing must be specifically requested and confirmed in writing. US infrastructure transfers use SCCs.
Yes, a DPIA is required. GDPR Article 35 mandates a DPIA for large-scale processing of communications data, systematic profiling, and transfers to non-adequate countries. Voximplant's combination of sensitive communications content, call recording, potential Russia transfer, and automated processing of voice data meets multiple DPIA trigger criteria. The DPIA must specifically assess the Russia transfer risk.
Request EU-only server routing from Voximplant in writing. Block the SDK until consent is obtained. Obtain explicit per-call consent before any recording starts. Update your privacy policy and DPA to restrict processing to EU infrastructure. Conduct a mandatory DPIA with specific attention to the Russia transfer risk. If EU-only routing cannot be guaranteed, consider an alternative EU-based communication platform.
Twilio offers EU data residency for Voice and Video. Daily.co and 100ms provide EU-hosted WebRTC infrastructure. Vonage (now Ericsson) offers EU data processing options. For fully EU-sovereign communication infrastructure, Jitsi (open-source) can be self-hosted on EU servers, and Matrix.org's Element platform provides encrypted, self-hostable communication across voice, video, and messaging.
Call recording consent must be explicit, informed, and prior. For inbound calls, play an automated message before connection stating the call will be recorded and giving the option to refuse. For web-based calls, display a consent overlay before the call connects. Store consent records including timestamp, what was consented to, and the call identifier. Provide a mechanism for participants to request deletion of their recording. Never use implied or blanket consent for call recording.
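
The consent rules described above (no SDK load before opt-in, per-call recording consent from every participant, immediate stop on withdrawal, and a consent record holding timestamp, purpose and call identifier) can be enforced in one place. This is an added example, not code from Voximplant or from this page; `loadSdk` and `recorder` are hypothetical callbacks the integrator supplies, no vendor API is called, and the records are held in memory only.

```javascript
// Added example: consent gate for a third-party calling SDK (not vendor code).
// loadSdk and recorder are hypothetical callbacks supplied by the integrator.
class ConsentGate {
  constructor({ loadSdk, recorder, now = () => new Date().toISOString() }) {
    this.loadSdk = loadSdk;      // e.g. injects the SDK <script> tag
    this.recorder = recorder;    // { start(callId), stop(callId) }
    this.now = now;
    this.records = [];           // append-only consent trail
    this.sdkLoaded = false;
    this.recording = new Set();  // call ids currently being recorded
  }

  // Latest decision wins; no record at all means "not granted".
  granted(participant, purpose, callId = null) {
    const last = this.records.filter(r => r.participant === participant &&
      r.purpose === purpose && r.callId === callId).pop();
    return Boolean(last && last.granted);
  }

  // Store timestamp, what was consented to, and the call identifier.
  record(participant, purpose, granted, callId = null) {
    this.records.push({ participant, purpose, granted, callId, at: this.now() });
    // Withdrawing recording consent stops the recording immediately.
    if (!granted && purpose === 'recording' && this.recording.has(callId)) {
      this.recorder.stop(callId);
      this.recording.delete(callId);
    }
  }

  // The SDK is loaded only after an active opt-in by this visitor.
  ensureSdk(participant) {
    if (!this.granted(participant, 'sdk')) return false;
    if (!this.sdkLoaded) { this.loadSdk(); this.sdkLoaded = true; }
    return true;
  }

  // Recording needs explicit per-call consent from every participant.
  startRecording(callId, participants) {
    if (participants.length === 0) return false;
    if (!participants.every(p => this.granted(p, 'recording', callId))) return false;
    this.recorder.start(callId);
    this.recording.add(callId);
    return true;
  }
}
```

Because consent is keyed by call identifier, a grant given for one call does not carry over to the next, which matches the per-call requirement stated above.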