Trust
Security posture.
CommunicaAI handles caller voice and transcripts on behalf of customers. Here's how we protect that data, what compliance regimes we operate under, and what's still in progress.
Certifications + status

| Certification | Status |
|---|---|
| SOC 2 Type II | In progress — audit scheduled Q2 2026 |
| HIPAA-eligible deployment | Enterprise tier — BAA available |
| PCI-DSS scope reduction | Enterprise tier — never persist PAN |
| GDPR + CCPA | DPA available — Standard Contractual Clauses |
Data protection
Encryption
- TLS 1.2+ in transit for all customer-facing endpoints
- AES-256 encryption at rest for call recordings, transcripts, and customer data
- Per-tenant encryption keys on Enterprise tier; managed in AWS KMS or equivalent
- Quarterly key rotation
Access control
- Role-based access — least-privilege by default
- MFA required for all internal staff with production access
- SAML SSO available on Enterprise (integrates with Okta, Azure AD, Google Workspace)
- SCIM provisioning on Enterprise
- Audit log retained 1 year (Growth), 6 years (Enterprise per HIPAA)
Network
- VPC isolation per tenant (Enterprise)
- DDoS protection via Cloudflare
- WAF rules for the dashboard
- No public ingress to data plane — all customer connections through API gateway
Voice-specific safeguards
- Caller phone numbers hashed before persistence (configurable retention)
- Voice clones require explicit consent on file from the voice owner — no clandestine cloning
- Customer call data is not used to train shared models without explicit opt-in
- Caller AI disclosure on connection (configurable per jurisdiction — defaults set for CA SB 1001 and UT SB 149)
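The first safeguard above, hashing caller phone numbers before persistence, is only useful if the hash cannot be reversed by enumerating the (small) space of possible phone numbers. The example below is an added illustration of the keyed-hash pseudonymization a practitioner would want for that: numbers are normalized to one canonical form so the same caller always maps to the same token, then HMAC-SHA256 is computed under a per-tenant secret so tokens are not linkable across tenants and cannot be recomputed without the key. It is not CommunicaAI's code; the function names, the E.164 normalization rules, the per-tenant key handling and the retention helper are assumptions made for the example.

```python
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone

# Assumption: each tenant has its own >= 32-byte secret held in a KMS-backed
# store; it is passed in here rather than loaded, to keep the example offline.
MIN_KEY_BYTES = 32


def normalize_e164(raw: str) -> str:
    """Canonicalize a caller number so formatting differences do not
    produce different tokens. Assumption: numbers without a country code
    are North American (10 digits, or 11 digits starting with 1)."""
    digits = re.sub(r"\D", "", raw)
    if not digits:
        raise ValueError("no digits in caller number")
    if raw.strip().startswith("+"):
        return "+" + digits
    if len(digits) == 10:
        return "+1" + digits
    if len(digits) == 11 and digits.startswith("1"):
        return "+" + digits
    # Already carries a country code without the leading '+'.
    return "+" + digits


def pseudonymize_number(raw: str, tenant_key: bytes) -> str:
    """Return a stable, per-tenant pseudonym for a caller number.

    A plain SHA-256 of a phone number is trivially reversible because the
    input space is tiny; keying the hash with a per-tenant secret means the
    stored token reveals nothing without access to that key, and the same
    caller yields different tokens for different tenants."""
    if len(tenant_key) < MIN_KEY_BYTES:
        raise ValueError("tenant key too short")
    canonical = normalize_e164(raw)
    return hmac.new(tenant_key, canonical.encode("ascii"), hashlib.sha256).hexdigest()


def purge_expired(records: list, retention_days: int, now: datetime) -> list:
    """Apply the configurable retention: keep only records whose
    'persisted_at' timestamp is within retention_days of 'now'.
    Records are dicts with a 'persisted_at' (aware UTC datetime) and a
    'caller_token' produced by pseudonymize_number."""
    cutoff = now - timedelta(days=retention_days)
    return [r for r in records if r["persisted_at"] >= cutoff]


if __name__ == "__main__":
    # Constructed sample keys and call records for demonstration only.
    key_tenant_a = bytes(range(32))
    key_tenant_b = bytes(range(32, 64))
    now = datetime(2026, 1, 15, tzinfo=timezone.utc)
    records = [
        {"caller_token": pseudonymize_number("+1 (415) 555-0100", key_tenant_a),
         "persisted_at": now - timedelta(days=2)},
        {"caller_token": pseudonymize_number("415-555-0100", key_tenant_a),
         "persisted_at": now - timedelta(days=45)},
    ]
    # Same caller, different formatting -> identical token within a tenant.
    print(records[0]["caller_token"] == records[1]["caller_token"])
    # Same caller, different tenant key -> unlinkable token.
    print(pseudonymize_number("+14155550100", key_tenant_b) != records[0]["caller_token"])
    # A 30-day retention window drops the older record.
    print(len(purge_expired(records, 30, now)))
```

The design choice worth noting is that canonicalization happens before hashing: without it, "(415) 555-0100" and "+14155550100" would persist as two unrelated tokens, defeating any per-caller analytics or opt-out handling while still storing the same person's identifier twice.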
Operational
| Item | Standard |
|---|---|
| Vulnerability scanning | Weekly automated, monthly manual review |
| Penetration testing | Annual third-party (Growth + Enterprise) |
| Background checks | All staff with production access |
| Security training | Annual mandatory, plus role-specific |
| Incident response | 24-hour acknowledgment, 72-hour customer notification (HIPAA: 5 business days) |
| Backups | Hourly snapshot, 90-day retention, off-region replication |
Subprocessors
See our DPA for the current subprocessor list. We notify customers 30 days in advance of any new subprocessor.
Reporting a vulnerability
Email [email protected]. PGP key available on request. We acknowledge within 24 hours and confirm resolution within 30 days for most findings.
Customer security FAQ
Procurement questionnaires (SIG, CAIQ, custom): [email protected] — typical turnaround 5 business days.
A Sagentica product built on the QAICX platform.