Security
How Houji Handles Your Data
Houji is built for professional services firms that handle sensitive client communications. This page describes our security practices plainly, without marketing language.
Infrastructure
Houji runs on Railway, a cloud hosting platform operating in the United States. All data — including call transcripts, firm configurations, and account information — is stored in a PostgreSQL database hosted by Railway. Connections to the platform use TLS encryption in transit. Data is stored on Railway's infrastructure, which provides encryption at rest.
Call Handling
When a caller reaches your Elise number, the call audio is streamed in real time to Deepgram for transcription. Audio is never recorded or stored by Houji or Deepgram — only the text transcript is retained. Transcripts are stored in your dashboard and are accessible only to your firm.
AI responses are generated by Anthropic's Claude. Conversation content is sent to Anthropic for processing during the call. Anthropic does not use Houji call data for model training under our API agreement.
Voice responses are generated by ElevenLabs. Response text is sent to ElevenLabs in real time. ElevenLabs does not retain call audio.
Access Controls
• Firm accounts are password-protected with bcrypt hashing. Passwords are never stored in plaintext.
• Sessions are stored server-side using PostgreSQL session storage. Session cookies are HTTP-only and secure.
• Admin access to the Houji platform requires a separate admin account with mandatory two-factor authentication (TOTP).
• Houji staff do not have access to call transcripts, firm configurations, or attorney-client communications through normal operations. Infrastructure access is restricted to authorized personnel only.
What Is and Is Not Stored
| Data | Stored? | Notes |
|---|---|---|
| Call transcripts | Yes | Stored in your dashboard; firm-controlled retention |
| Call audio | No | Never recorded; transcribed in real time only |
| Caller phone numbers | Yes | Captured via Twilio for message notifications |
| Firm configuration | Yes | Attorney name, office hours, practice areas, etc. |
| Payment card details | No | Handled by Stripe; Houji never sees card numbers |
| Translation call transcripts | Optional | Off by default; firm enables from dashboard settings |
Retention and Deletion
You control how long call transcripts are retained. Options are 30 days, 90 days, 1 year, or indefinitely (the default). You can also permanently delete all call data at any time from your dashboard Account tab. Deletion is immediate and irreversible.
SOC 2 and Certifications
Houji is not currently SOC 2 certified. We follow security best practices appropriate for our size and stage. If your firm has specific compliance requirements (HIPAA, SOC 2, ISO 27001), please contact us at hello@houji.ai to discuss whether Houji is the right fit.
Reporting a Security Issue
If you discover a security vulnerability, please report it to hello@houji.ai. Do not disclose vulnerabilities publicly before giving us an opportunity to address them.