Security & compliance

Honest about where we are — and where we're going.

We're not yet SOC 2 audited. This page documents what we have today, what's on the way, and how we handle compliance across every region we sell into.

Today's posture.

TLS 1.3 in transit
AES-256 at rest
EU-region data hosting
PII redaction in transcripts
Consent recorded on every call
No caller data sold
No third-party model training on your data
On-request purge, 72h SLA

Regional compliance.

GDPR — EU & UK

Legitimate-interest basis, DPIA available on request, SCCs for transfers outside EEA, 30-day DPO SLA.

CCPA — California

Do-Not-Sell honoured at ingestion. Export and deletion requests handled within 45 days.

PDPL — UAE & KSA

DPO contact via our form. 72-hour breach notification. Right to access and rectification honoured.

LGPD — Brazil

Same posture as GDPR for cross-border transfers. ANPD correspondence on request.

POPIA — South Africa

Lawful-basis registration. Operator relationship documented per Section 20.

PIPEDA — Canada

Accountability principle followed. Express consent for recordings. OPC correspondence on request.

Contact our DPO

Where data lives.

caller phone line → telephony partner → EU data centre → transcript store (30 days default) → purge on schedule or request.

Recordings are retained only for the window your tier defines (30 / 90 / 365 days). Full sub-processor list with scopes is available on request for enterprise due diligence.

Certification roadmap.

SOC 2 Type I - H2 2026
HIPAA BAAs on request - Q4 2026
ISO 27001 - 2027