Security

Built so your CISO will sign off.

SOC 2 Type II. HIPAA-ready. GDPR-compliant. EU and US data residency. Encryption everywhere. The full set of artifacts your security team will ask for, available in our Trust Center.

Compliance

The certifications you need.

SOC 2 Type II

Audited annually by a Big Four firm. Latest report available under NDA in the Trust Center.

HIPAA-ready

BAAs available on Production plans. PHI is protected with field-level encryption, and PII is redacted from voice transcripts.

GDPR & UK GDPR

Full DPA, sub-processor disclosure, right-to-deletion APIs, and an EU data residency option. ICO-registered.

PCI-DSS

We never store card data. For voice flows that touch it, the card details are routed through PCI-DSS Level 1 vaulting partners, so they never reach our storage.

ISO 27001

Audit in progress; certification expected Q3. Current audit status available under NDA.

Annual pen tests

Third-party penetration tests every year. Public summary available; full reports under NDA.

Architecture

What we do, by default.

Encrypted everywhere

TLS 1.3 in transit. AES-256 at rest. KMS-backed key rotation. Customer-managed keys on Production plans.

Data residency

US-East, US-West, EU-West, EU-Central, AP-South. All processing — embeddings, tools, voice, backups — stays in-region.

SSO, SCIM, RBAC

SAML 2.0 / OIDC SSO with Okta, Azure AD, Google Workspace. SCIM auto-provisioning. Roles down to per-bot scope.

Tamper-evident audit log

Every action (config change, key rotation, tool call, knowledge update) is written as a hash-chained record, so editing or deleting an earlier entry breaks the chain and is detectable. 1-year retention.
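To show what "hash-chained" buys you in practice, here is an added example (not the vendor's implementation) of an append-only audit log where each record commits to the hash of its predecessor, plus a verifier that reports the first record at which the chain breaks. The record layout, the field names and the choice of SHA-256 over canonical JSON are assumptions for illustration.

```python
"""Hash-chained audit log: each record stores the hash of the previous one.

Added example, not the vendor's code. Field names (seq, event, prev_hash,
hash) and SHA-256 over canonical JSON are assumptions for illustration.
"""
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # prev_hash of the very first record


def _canonical(obj: dict) -> bytes:
    # sort_keys + fixed separators give one stable byte encoding to hash,
    # so two logically equal events always hash the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def record_hash(prev_hash: str, seq: int, event: dict) -> str:
    # Binding seq into the hash means a record cannot be silently moved
    # to a different position in the log.
    return hashlib.sha256(prev_hash.encode() + _canonical({"seq": seq, "event": event})).hexdigest()


def append(log: list, event: dict) -> dict:
    """Append an event, linking it to the current head of the chain."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    seq = len(log)
    record = {"seq": seq, "event": event, "prev_hash": prev_hash,
              "hash": record_hash(prev_hash, seq, event)}
    log.append(record)
    return record


def verify(log: list) -> Optional[int]:
    """Return None if the chain is intact, else the seq of the first bad record.

    Detects edited records (hash mismatch), deleted or reordered records
    (seq / prev_hash mismatch). It cannot detect truncation of the tail;
    for that, compare the head hash against one stored out of band.
    """
    prev_hash = GENESIS
    for expected_seq, record in enumerate(log):
        if record["seq"] != expected_seq or record["prev_hash"] != prev_hash:
            return expected_seq
        if record_hash(prev_hash, record["seq"], record["event"]) != record["hash"]:
            return expected_seq
        prev_hash = record["hash"]
    return None


def head_hash(log: list) -> str:
    """Hash of the newest record; publish this out of band to pin the tail."""
    return log[-1]["hash"] if log else GENESIS


if __name__ == "__main__":
    # Constructed sample events, not real audit data.
    log = []
    append(log, {"actor": "alice", "action": "config.change", "bot": "support"})
    append(log, {"actor": "system", "action": "key.rotate"})
    append(log, {"actor": "bot:support", "action": "tool.call", "tool": "lookup_order"})
    print("intact:", verify(log) is None, "head:", head_hash(log)[:16])
    log[1]["event"]["actor"] = "mallory"  # tamper with a historical record
    print("first bad record after tampering:", verify(log))
```

The verifier catches in-place edits and deletions of earlier records, but a log that is simply truncated at the end still verifies; that is why the head hash has to be anchored somewhere the log writer cannot rewrite (a customer-held copy, a signed timestamp, or a separate append-only store).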

Outbound HMAC signing

Every tool call we make to your APIs is signed with HMAC-SHA256 using a secret shared with your workspace, so your endpoint can verify that the call came from us and that the request body was not altered in transit.
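On the receiving side the check is short, but two details matter: compare the signature in constant time, and bind a timestamp into the signed message so a captured request cannot be replayed later. The following is an added example of such a verifier, not the vendor's code; the header names, the message layout (timestamp, a dot, then the raw body) and the 5-minute replay window are assumptions, and the real values must come from the vendor's integration docs.

```python
"""Verify HMAC-SHA256 signatures on inbound tool calls.

Added example, not the vendor's code. Assumed (hypothetical) wire format:
  X-Signature-Timestamp: Unix seconds the sender signed at
  X-Signature:           hex(HMAC-SHA256(secret, f"{timestamp}.{raw_body}"))
Check the vendor's docs for the real header names and message layout.
"""
import hashlib
import hmac
import time
from typing import Dict, Optional

TOLERANCE_SECONDS = 300  # reject calls whose timestamp is more than 5 min off


def sign_request(secret: bytes, timestamp: int, body: bytes) -> str:
    """Compute the signature the sender attaches.

    The timestamp is part of the MAC input, so an attacker who captures a
    valid request cannot re-send it with a fresh timestamp.
    """
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_request(secret: bytes, headers: Dict[str, str], body: bytes,
                   now: Optional[int] = None) -> bool:
    """Return True only if the signature matches and the timestamp is fresh.

    Always verify over the raw request bytes, never over a re-serialised
    JSON object: any change in key order or whitespace changes the MAC.
    """
    now = int(time.time()) if now is None else now
    ts_header = headers.get("X-Signature-Timestamp")
    sig_header = headers.get("X-Signature", "")
    if ts_header is None or not sig_header:
        return False
    try:
        timestamp = int(ts_header)
    except ValueError:
        return False
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # stale or far-future: likely a replay or clock skew
    expected = sign_request(secret, timestamp, body)
    # compare_digest runs in constant time, so response timing does not
    # leak how many leading bytes of a guessed signature were correct.
    return hmac.compare_digest(expected, sig_header)


if __name__ == "__main__":
    # Constructed sample request, not captured traffic.
    secret = b"workspace-shared-secret"
    body = b'{"tool":"lookup_order","order_id":"A123"}'
    ts = int(time.time())
    headers = {"X-Signature-Timestamp": str(ts),
               "X-Signature": sign_request(secret, ts, body)}
    print("genuine request verifies:", verify_request(secret, headers, body))
    print("tampered body verifies:", verify_request(secret, headers, body + b" ", now=ts))
```

Reject on any failure before parsing or acting on the body, and keep the shared secret out of application logs; rotating it requires accepting both old and new secrets for the overlap window, which is simply two calls to `verify_request`.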

Auto-PII redaction

Credit card numbers, SSNs, phone numbers and addresses are redacted in real time, before they reach logs or storage.
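As an added illustration of what "redact before it hits logs" looks like in code (not the vendor's redactor), the snippet below scrubs a transcript line before it is logged. Card candidates are confirmed with a Luhn check so that order or tracking numbers are not blanked out by accident. The patterns are assumptions covering US-style SSN and phone formats; addresses are deliberately left out because a regex does not recognise them reliably and a production system would use an entity recogniser for those.

```python
"""Redact card numbers, SSNs and phone numbers from text before logging.

Added example, not the vendor's code. Patterns are illustrative and
US-centric; addresses are out of scope for a regex-only approach.
"""
import re

# 13-19 digits with optional single spaces or dashes between digits.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Lookarounds instead of \b so "(555) 123-4567" and "+1 555..." both match
# without being extracted from the middle of a longer digit run.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[-. ]?)?(?:\(\d{3}\)|\d{3})[-. ]?\d{3}[-. ]?\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed card numbers (PANs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _redact_card(match: "re.Match") -> str:
    digits = re.sub(r"[ -]", "", match.group(0))
    if luhn_ok(digits):
        # keep the last four so support staff can still reference the card
        return "[CARD ****" + digits[-4:] + "]"
    return match.group(0)  # fails Luhn: probably an order/tracking number


def redact(text: str) -> str:
    """Return text with PANs, SSNs and phone numbers replaced by placeholders."""
    # Cards first: a 16-digit PAN must not be chopped into phone-shaped pieces.
    text = CARD_RE.sub(_redact_card, text)
    text = SSN_RE.sub("[SSN]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    return text


if __name__ == "__main__":
    # Constructed transcript line; 4111 1111 1111 1111 is a standard test PAN.
    line = ("My card is 4111 1111 1111 1111, SSN 123-45-6789, "
            "call me at (555) 123-4567. Order 1234567890123.")
    print(redact(line))
```

Wire `redact` in as a logging filter or in the transcript pipeline so every sink sees scrubbed text; redacting at query time, after the raw line has already been written, does not meet a "before storage" guarantee.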

No training on your data

Your conversations and knowledge never train foundation models — yours or anyone else's. Contractually guaranteed.

Customer-managed retention

Set retention from 7 days to forever per workspace. Right-to-deletion API for end-user removal.

Network isolation

Private subnets per region. No compute shared between workspaces. AWS PrivateLink connectivity available on Enterprise.

Vendor review made easy.

Our security team will pre-fill your questionnaire and answer any follow-ups within 24 hours.