Security & Compliance

We are committed to protecting your data and adhering to global compliance standards. This page outlines our security posture, trust frameworks, and how we handle data across our platform and subprocessors.

Trust Frameworks

Our platform's security and compliance posture is built on the certifications held by our infrastructure partners: we deliver our services through providers that meet rigorous global standards. Those certifications cover the partners' own systems; the controls we operate ourselves are described under Our Security Controls below.

SOC 2

Our key subprocessors, including Twilio, Telnyx, Google Cloud (Vertex AI), and Vapi, maintain SOC 2 Type II reports, in which an independent auditor tests the operating effectiveness of controls against the Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy) over a review period. OpenRouter maintains a SOC 2 Type I report, which attests to control design at a point in time rather than to operating effectiveness over a period.

ISO/IEC 27001

Our infrastructure partners Twilio, Telnyx, and Google Cloud are ISO/IEC 27001 certified, which demonstrates a formally audited Information Security Management System (ISMS) aligned with international practice. We implement our own controls along the four Annex A control themes of ISO/IEC 27001:2022 (organizational, people, physical, technological).

PCI DSS for Phone Payments

When cardholder data is taken by phone, we align with PCI DSS v4.0. Our telephony providers, Twilio and Telnyx, are PCI DSS Level 1 service providers. We use DTMF masking, so that card digits keyed on the handset are suppressed from the audio, recordings, and transcripts our systems receive, and tokenization, so that only a payment token rather than the primary account number reaches our systems. Both must be enabled on every payment flow for cardholder data to stay out of our systems.

Global Data Protection

We adhere to the GDPR's core principles: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. In practice this means maintaining clear privacy notices, conducting DPIAs for high-risk processing, and putting controller-processor contracts (Article 28 terms) in place with our subprocessors.

Country-Specific Regulations

UK Marketing & Calling Rules (PECR)

We comply with PECR for live marketing calls, ensuring that consent is obtained where required and distinguishing between service messages and direct marketing.

Singapore PDPA and DNC

We adhere to the PDPA Do Not Call (DNC) provisions: a DNC Registry check result is relied on for no more than 21 days before the number is re-checked, and consent withdrawals are honored promptly.

US Regulations

Caller ID and Robocall Defenses (STIR/SHAKEN)

We adhere to the STIR/SHAKEN framework to combat caller ID spoofing. Our telephony providers sign outbound calls: the originating provider attaches a digitally signed token (a PASSporT carried in the SIP Identity header) asserting the calling number and an attestation level (A, B, or C, reflecting how confident the provider is that the caller is entitled to that number), and the terminating provider verifies the signature before presenting the caller ID as trusted. Full (A-level) attestation requires the provider to know its customer and to have verified the customer's right to use the number.
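
The signing and verification steps described above, as an added illustration that is not this platform's or its providers' code: a Go program that builds a SHAKEN PASSporT (RFC 8225 and RFC 8588), signs it with ES256 the way an originating provider does, and verifies it the way a terminating provider's verification service does, rejecting a wrong key, an algorithm substitution, a stale token, and a token signed for a different calling number. The phone numbers, origid, certificate URL, and keys are constructed for the example, and the certificate-chain check against the STI-PA root that a real verifier performs is replaced by passing the signer's public key in directly.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// SHAKEN PASSporT header and claims (RFC 8225, RFC 8588); field order is the lexicographic key order the spec requires.
type passportHeader struct {
	Alg string `json:"alg"`
	Ppt string `json:"ppt"`
	Typ string `json:"typ"`
	X5u string `json:"x5u"` // URL of the originating provider's STI certificate
}

type passportClaims struct {
	Attest string              `json:"attest"` // A (full), B (partial) or C (gateway)
	Dest   map[string][]string `json:"dest"`
	Iat    int64               `json:"iat"`
	Orig   map[string]string   `json:"orig"`
	Origid string              `json:"origid"`
}

var b64 = base64.RawURLEncoding

// Throwaway demo keys (constructed); a real provider's signing key sits behind its STI certificate.
var signerKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
var otherKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

// signPassport is the originating provider's side: ES256 (ECDSA P-256 over SHA-256) over base64url(header).base64url(claims), signature as raw R||S.
func signPassport(priv *ecdsa.PrivateKey, x5u string, c passportClaims) (string, error) {
	hdr, _ := json.Marshal(passportHeader{Alg: "ES256", Ppt: "shaken", Typ: "passport", X5u: x5u})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyPassport is the terminating provider's verification service. Simplification: the signer's public key is
// passed in rather than fetched from x5u and chained to the STI-PA trust anchor. Returns the attestation level.
func verifyPassport(token string, pub *ecdsa.PublicKey, callingTN, calledTN string, now int64) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed PASSporT")
	}
	var hdr passportHeader
	if hb, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil {
		return "", fmt.Errorf("undecodable header")
	}
	if hdr.Alg != "ES256" || hdr.Ppt != "shaken" || hdr.Typ != "passport" { // pin the algorithm; never let the token choose it
		return "", fmt.Errorf("unexpected alg/ppt/typ")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 ||
		!ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", fmt.Errorf("signature does not verify")
	}
	var c passportClaims
	if pb, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return "", fmt.Errorf("undecodable claims")
	}
	if d := now - c.Iat; d > 60 || d < -60 { // RFC 8224 suggests a freshness window on the order of 60 s to limit replay
		return "", fmt.Errorf("iat outside freshness window")
	}
	dest := false
	for _, tn := range c.Dest["tn"] {
		dest = dest || tn == calledTN
	}
	if c.Orig["tn"] != callingTN || !dest { // the signed numbers must be the ones on the SIP dialog
		return "", fmt.Errorf("signed orig/dest do not match the call")
	}
	return c.Attest, nil
}

func main() {
	claims := passportClaims{Attest: "A", Dest: map[string][]string{"tn": {"12155551213"}}, // constructed numbers
		Iat: 1700000000, Orig: map[string]string{"tn": "12155551212"}, Origid: "example-origid-0001"}
	tok, _ := signPassport(signerKey, "https://cert.example.invalid/sp.pem", claims)
	fmt.Println(verifyPassport(tok, &signerKey.PublicKey, "12155551212", "12155551213", 1700000000)) // A <nil>
	fmt.Println(verifyPassport(tok, &signerKey.PublicKey, "12155551212", "12155551213", 1700000300)) // iat outside freshness window
}
```

The order of checks in verifyPassport is deliberate: the header is pinned to ES256/shaken/passport before any signature work, so an attacker cannot downgrade the algorithm, and the freshness and number-binding checks run only on claims whose signature has already been verified.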

Messaging Compliance (A2P 10DLC)

For any Application-to-Person (A2P) messaging via 10-digit long codes (10DLC), we require brand and campaign registration with The Campaign Registry to comply with the TCPA and with CTIA messaging guidelines.

Call Recording Consent

Our platform supports configurable spoken consent prompts for call recording, so that customers can meet the requirements of both one-party and all-party (often called two-party) consent states in the US. Configure these prompts according to the jurisdictions of both the calling and the called party; when in doubt, apply the stricter all-party rule.

Our Security Controls

  • Identity and Access Management: We enforce least privilege, MFA, and regular role reviews.
  • Data Protection: Data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
  • Logging and Monitoring: We maintain centralized, tamper-resistant audit logs and use anomaly detection.
  • Secure SDLC: Our development lifecycle includes secure coding practices and dependency scanning.
  • Business Continuity: We have robust backup and disaster recovery plans.

Subprocessors & Data Residency

We partner with leading infrastructure providers to deliver our services. Our primary subprocessors include:

  • Telephony: Twilio, Telnyx
  • LLM: Google Vertex AI, OpenRouter
  • Core Infrastructure: Vapi, Google Cloud

Our primary hosting region is in the United States (AWS us-east-1). We do not currently offer other data residency options.

Policy Documents

For more detailed information, please review our legal and privacy documents: