Your recordings, your leads, your compliance story
Running outbound at scale means the regulator, your DPO, and your insurance carrier all want answers before you sign anything. Here are the ones we get asked most often. If we missed one, email [email protected] and we'll add it.
Compliance
Where we are, where we're going
We don't overclaim. Here's the honest status of every framework people ask us about.
Abandon-rate autopilot, DNC scrubbing, DNO, time-window enforcement, full audit log.
Attestation via VICICarrier. A-level attestation on verified CIDs.
Target report date Q3 2026. Type I controls already in place. Signed letter available on request.
Data residency in EU region on request. DPA template available. Right to erasure supported in app.
Sub-processor list published. Access and deletion requests handled via support within 30 days.
Signed BAA available on Enterprise. Some healthcare-specific features gated behind BAA activation.
We do not store cardholder data. Payment collection routes to Stripe-hosted UIs.
Evaluating for 2027. Happy to share our current controls posture on request.
How it's built
The security posture, without the marketing gloss
Tenant isolation
Every customer gets a dedicated instance with its own compute, storage, and network. No shared application processes, no shared database, no noisy-neighbor risk at the app layer.
Encryption
TLS 1.2+ in transit with modern cipher suites. AES-256 at rest on every tenant volume and every recording in cloud storage. Signed tokens for recording URLs.
Audit log
Every admin action captured with user, action, old and new values, IP, and timestamp. Retained for the life of the tenant. Exportable on request.
Data residency
North America by default. EU region available on request for GDPR-sensitive customers. Your recordings never leave your chosen region.
Backups & recovery
Automated daily backups with 14-day retention on paid plans, 30-day on Enterprise. Point-in-time recovery for database state. Documented recovery runbook.
Incident response
Under 1 hour notification for incidents affecting your tenant. Public status page. Post-incident report within 5 business days for any sev-1 event.
Who can do what, enforced at the API
The role model has four tiers: Agent, Supervisor, Manager, Admin. Infrastructure pages (carriers, servers, AI settings) are gated to the System level and never exposed to tenants in hosted reseller setups. We enforce permissions at the API layer, not just the UI, so a request for an action is checked on the server whether or not the button for it is shown.
- Two-factor authentication via TOTP or email with recovery codes
- JWT session tokens, 8-hour expiry, httpOnly cookies
- Account lockout after repeated failed logins
- Admin session history visible in the audit log
- SSO (SAML, OIDC) available on Enterprise
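A sketch of what API-layer enforcement of the role model above can look like, as an added example rather than this product's own code. The route table, the session fields (`role`, `tenant_id`), the strict ordering of the four tiers, and the function names are assumptions, and the session is assumed to come from an already verified token.

```python
from enum import IntEnum

class Role(IntEnum):
    # Tiers named on the page; treating them as strictly ordered is an assumption.
    AGENT = 1
    SUPERVISOR = 2
    MANAGER = 3
    ADMIN = 4
    SYSTEM = 5  # infrastructure level, never issued to tenant users

class Forbidden(Exception):
    pass

# Hypothetical route table: (method, path) -> minimum role required.
ROUTES = {
    ("GET", "/api/calls/mine"): Role.AGENT,
    ("GET", "/api/agents/live"): Role.SUPERVISOR,
    ("PUT", "/api/campaigns"): Role.MANAGER,
    ("POST", "/api/users"): Role.ADMIN,
    ("PUT", "/api/carriers"): Role.SYSTEM,
}

def authorize(session, method, path):
    """Raise Forbidden unless the session may call this route (deny by default)."""
    required = ROUTES.get((method, path))
    if required is None:
        raise Forbidden("route has no policy")  # unlisted routes are refused
    try:
        role = Role[session["role"]]
    except (KeyError, TypeError):
        raise Forbidden("session carries no valid role")
    if required is Role.SYSTEM:
        # System routes need the System role AND a session bound to no tenant,
        # so a mis-issued role claim inside a tenant session is still refused.
        if role is not Role.SYSTEM or session.get("tenant_id") is not None:
            raise Forbidden("system-level route")
    elif role < required:
        raise Forbidden(f"needs {required.name}, session has {role.name}")

def handle(session, method, path):
    """Every request passes through authorize() before any handler would run."""
    try:
        authorize(session, method, path)
    except Forbidden:
        return 403
    return 200

if __name__ == "__main__":
    agent = {"role": "AGENT", "tenant_id": "t-001"}  # constructed sample session
    # The UI never shows an Agent this action; a direct request is refused anyway.
    print(handle(agent, "PUT", "/api/campaigns"))
```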
We assume breach and design for it
Security isn't pass/fail; it's an ongoing practice. We patch continuously, run automated dependency scans, and welcome responsible disclosure. Report a vulnerability to [email protected] and we'll reply within one business day.
- Daily automated dependency vulnerability scans
- Regular third-party penetration testing (annual minimum)
- Coordinated disclosure policy with 90-day window
- Zero-downtime security patching for critical CVEs
- Customers notified within 72 hours of any incident that affects their data
Paperwork your procurement team will want
Email [email protected] with a short description of your use case and we'll send the relevant packet.
Procurement questions welcome
Send us your vendor security questionnaire, DPA template, or BAA. We answer fast and we don't dodge.
