Our Security Framework
We implement security practices aligned with industry-recognized frameworks and maintain compliance with applicable regulations.
Healthcare data handling with Business Associate Agreement support. Documented PHI handling procedures with encryption and access controls.
Full EU data protection compliance including data subject rights, lawful basis documentation, and deletion procedures.
We follow ISO 27001 information security framework practices for risk management and security controls.
We implement SOC 2 principles for security, availability, and confidentiality in our operations.
A note on certifications: We follow recognized security frameworks and maintain regulatory compliance where required. "Aligned" indicates we implement framework practices; "Compliant" indicates we meet regulatory requirements.
Technical Security
Multiple layers of protection for your data in transit and at rest.
Data in Transit
- HTTPS/TLS encryption for all web connections
- SRTP (Secure Real-time Transport Protocol) for voice calls
- Encrypted API connections to client systems
Endpoint Security
- BitDefender Endpoint Security on all workstations
- Real-time threat detection and prevention
- Regular security updates and patch management
Access Control
- Multi-factor authentication (MFA) required for all access
- Role-based access control (RBAC)
- Complete audit trails for all data access
Data Handling
What we collect
- Call recordings — Encrypted at rest, configurable retention periods
- Chat transcripts — Stored encrypted, searchable for QA purposes
- Customer metadata — Names, emails, ticket IDs from your CRM integration
- Agent activity logs — For quality assurance and compliance auditing
Where it's stored
Default data processing is in the United States. Custom data center locations can be arranged based on your regulatory requirements.
Retention & deletion
| Data Type | Default Retention | Configurable |
|---|---|---|
| Call recordings | 90 days | 30 days - 7 years |
| Chat transcripts | 1 year | 30 days - 7 years |
| Audit logs | 2 years | Fixed (compliance) |
| Agent performance data | 1 year | 30 days - 3 years |
Proof of destruction is provided on request. GDPR deletion requests are processed within 30 days.
Physical Security
For clients with elevated security requirements, we offer secure facility options with enhanced physical controls.
No Personal Electronics
Cell phones and personal devices prohibited in secure workspace areas
24/7 CCTV Monitoring
Continuous video surveillance of all operational areas
Controlled Environment
Closed windows with no outside visibility into workspace
Access Control
Restricted entry with badge access and visitor logging
Frequently Asked Questions
Can you sign a BAA?
Yes. We provide Business Associate Agreements for all healthcare clients handling PHI. Typical turnaround is 2-3 business days.
What security assessments do you perform?
We conduct regular internal security reviews and implement controls aligned with ISO 27001 and SOC 2 frameworks. We can provide documentation of our security practices upon request.
What happens if there's a breach?
We maintain documented incident response procedures. Affected clients are notified promptly with full transparency on scope, impact, and remediation steps taken.
How do you handle GDPR deletion requests?
Data subject requests are processed within 30 days. We provide confirmation of deletion and can supply proof of destruction documentation on request.
Can your agents access our systems?
Optional and configurable. We support VPN, VDI, and various access approaches. All access is logged and can be revoked instantly. Most clients prefer API integrations.
Can we audit your facilities?
Yes. We welcome on-site visits and security assessments of our operational centers. Contact us to schedule a tour or audit.
Do you offer high-security workspace options?
Yes. For clients with elevated security requirements, we offer secure facilities with no personal electronics policies, 24/7 CCTV, and controlled workspace environments.