Trust & Security

Built to protect your business and your customers.

Servon handles real phone calls and real customer data. Here's exactly how we keep it safe — no vague promises, just specifics.

AES-256 Encryption · TLS 1.2+ · Tenant Isolation · CCPA & PIPEDA · SOC 2 in 2026

Infrastructure Security

  • Hosted on AWS with industry-standard security configurations
  • All data encrypted at rest using AES-256
  • All data in transit protected by TLS 1.2+
  • PostgreSQL database with encrypted storage and automated backups
  • Redis session cache with no persistent sensitive data
  • Environment secrets managed via encrypted key management — never hardcoded

Voice & Call Data

  • Voice audio is processed in real time — not stored permanently unless recording is enabled
  • Real-time audio transmitted to Deepgram via encrypted WebSocket (WSS)
  • Deepgram is SOC 2 Type II certified and GDPR compliant
  • Call recordings (when enabled) stored encrypted with 30-day auto-deletion
  • Call transcripts retained for 90 days, then permanently deleted
  • Each call runs in an isolated session — no cross-tenant audio exposure

Multi-Tenant Isolation

  • Every tenant's data is completely isolated in the database by tenantId
  • Knowledge base collections are per-agent — no cross-tenant KB access
  • API endpoints enforce tenant-scoped queries — impossible to access another business's data
  • Deepgram WebSocket connections are per-call, not shared between tenants
  • Phone numbers are exclusively assigned — one number to one tenant

Access Controls

  • JWT-based authentication with short-lived tokens and refresh token rotation
  • Role-based access control (RBAC) within the dashboard
  • OAuth 2.0 for Google Calendar and Square integrations — tokens stored encrypted
  • System users with minimal required permissions for internal services
  • No shared credentials between tenants or internal systems

Third-Party Sub-Processors

  • Deepgram — Voice AI processing (STT, LLM, TTS). SOC 2 Type II certified.
  • Twilio — Phone infrastructure and SMS. SOC 2 Type II, ISO 27001 certified.
  • OpenAI — Knowledge base embeddings. Enterprise data processing agreement.
  • Google — Calendar integration. ISO 27001, SOC 2 certified.
  • Square — Booking integration. PCI-DSS Level 1, SOC 1 & 2 certified.
  • Stripe — Payment processing. PCI-DSS Level 1, SOC 1 & 2 certified.
  • AWS — Cloud infrastructure. ISO 27001, SOC 1/2/3, PCI-DSS certified.

Compliance

  • CCPA — California Consumer Privacy Act: user rights, no data selling
  • PIPEDA — Canada's privacy law: access, correction, and consent rights
  • TCPA — Telephone Consumer Protection Act: inbound-only call handling, no DNC violations
  • Two-party consent: AI agent announces recording at call start in all US states
  • TRAI compliance for India outbound: only transactional calls to existing customers
  • SOC 2 Type II — planned for 2026 as we scale

Data Retention Schedule

  Data type           Retention period
  Call transcripts    90 days
  Call recordings     30 days
  Booking records     2 years
  Customer contacts   2 years
  Account data        Until deletion
  Payment records     7 years (legal)
  System logs         30 days

To request data deletion, email support@servon.io

Responsible Disclosure

Found a security vulnerability? We take all reports seriously and will respond within 48 hours. Please do not publicly disclose the issue until we've had a chance to investigate and patch it.

Report a vulnerability — support@servon.io