Certification under the EU-U.S. DPF Certification for Vapi / Superpowered Labs Inc.
Alexander Woehler
Subject: Urgent Roadmap Request – EU-U.S. DPF Certification for Vapi / Superpowered Labs Inc.
Hi Vapi-Team
I want to raise an urgent request regarding certification under the EU-U.S. Data Privacy Framework (DPF). Given the legal environment in the EU, the absence of DPF certification imposes significant challenges for compliant operation of services like Vapi. While GDPR-compliant use without this certification is theoretically possible, in practice it forces EU companies to implement a complex and fragmented patchwork of technical and organizational safeguards. This not only creates serious operational overhead but also leaves room for legal uncertainty and exposure to risk, especially for data-intensive applications like real-time voice assistants.
From the EU perspective, the current situation is increasingly untenable. The legal pressure on data processors and controllers has intensified and many EU-based companies are either holding back or introducing local workarounds that reduce functionality or increase costs. DPF certification would directly address this and massively lower the threshold for adoption. It would eliminate the need for additional safeguards, offer legal clarity and open the door much wider to the European market.
I strongly urge you to prioritize DPF certification and clarify whether it is already on the roadmap. If not, it should be added as a critical compliance and market enablement step.
Looking forward to your reply.
Bob Bobby
Definitely bumping this post.
We are currently facing several compliance issues and actively migrating Ops for European Market to other providers (11Labs, still US companies so it is possible) due to two fundamental compliance blockers that make its use legally untenable for our EU operations:
- As OP mentioned, Vapi currently lacks certification under the EU-U.S. Data Privacy Framework (DPF). Clearly, the most straightforward legal basis for data transfers under Chapter V of the GDPR.
- In addition to the main post I think it is worth adding that currently it is not possible / or at least not straightforward to get a signed Data Processing Addendum (DPA) with VAPI. Under Article 28(3) of the GDPR, a legally binding DPA between a data controller (any company in the EU using VAPI) and a data processor (Vapi) is a mandatory, non-negotiable requirement. We unfortunately were not able to retrieve a compliant DPA, which, from a legal standpoint, makes it too risky for commercial use within the EU.
For comparison, competitors like ElevenLabs (offering EU data residency) and AWS provide automated, Article 28 compliant DPAs as a standard part of their terms.
https://gdpr-info.eu/art-28-gdpr/
https://aws.amazon.com/blogs/security/new-global-aws-data-processing-addendum/
Jose Luis Benitez
We're too ready to launch products but this is a key issue for us.
Marco Weh
This feature is absolutely critical for the European market and its users. We’re ready to roll out VAPI for our clients, but the biggest blocker is GDPR compliance. This needs to be prioritized urgently.
Clemens Dieffendahl
Super critical for any commercial use case in European markets. Please prioritize.
Andreas Schulz
I can confirm that this is also currently a highly critical topic for us. Please prioritize this.