Trust Center
Every voice agent SynthVoice runs is wired through the same security primitives: tenant-isolated storage, encrypted transcripts, redacted PII, audited mutations, and accountable sub-processors. This page is the source of truth for your security review.
01 — Certifications & Attestations
Reports and attestations are reviewed under NDA via our trust portal. Status reflects the most recently completed audit cycle.
Annual report covering Security, Availability, and Confidentiality criteria. Audited by a Big-4 affiliated CPA firm. Status: Available · Q1 2026 cycle
Information Security Management System certified. Applies to platform engineering, operations, and customer data handling. Status: Certified
Business Associate Agreement (BAA) signed for healthcare deployments. Configurable retention and PHI redaction. Status: BAA available
Data Processing Addendum and Standard Contractual Clauses available. EU data residency option included. Status: DPA · SCCs · TIA
SAQ-D Level 2. Cardholder data is never written to platform storage — payment flows route through a tokenized integration. Status: Compliant
California consumer rights honored across the platform: access, deletion, portability, opt-out of sale and sharing. Status: Compliant
State-level authorization frameworks for public sector deployments. In-process toward Level 1 attestation. Status: In progress · 2026
Roadmap engagement for U.S. federal customers. Speak to your account team for the current authorization plan. Status: Roadmap · 2027
02 — Architecture & Tenant Isolation
Multi-tenant on the surface, isolated underneath. A request enters the platform, is authenticated, scoped to a tenant, and stays inside that tenant's row-level data plane until it returns to the caller. There is no path through the application that can cross-reference data between tenants.
All persisted data carries a tenant_id claim. Database row-level security enforces tenant scoping at the engine level — even a SQL bug in application code can't return another tenant's row.
Each tenant's worker pool runs in a dedicated Kubernetes namespace with NetworkPolicy egress restrictions. Cross-tenant traffic is dropped at the CNI layer.
Recordings and transcripts are written to per-tenant object storage prefixes with object-level KMS keys. A leaked URL still requires a valid signed grant.
Optional dedicated-tenant deployments run agents on tenant-pinned node pools. Available on Enterprise plans for healthcare and financial services customers.
03 — Data Protection
AES-256-GCM via cloud KMS. Database, object storage, search index, message broker, and backup snapshots are all key-managed.
TLS 1.3 enforced on the public edge with HSTS. Internal service traffic is mTLS. SIP/RTP for telephony is encrypted via SRTP where the carrier supports it.
On Enterprise plans you can plug in your own KMS key. Revoking the key cryptoshreds your tenant's encrypted data — including ours.
OAuth tokens and API keys you connect for CRM, telephony, and ticketing are stored in a hardware-backed vault, decrypted only in-memory at the moment of use.
04 — Identity & Access
SAML 2.0 and OIDC supported across major identity providers. Enforce SSO-only for every user in your workspace.
Automated user lifecycle from your IdP. Users provisioned, groups mapped to roles, deprovisioning revokes session tokens within 60 seconds.
Four built-in roles plus custom roles on Enterprise. Permissions scope to the tenant, sub-tenant, and resource level.
TOTP and WebAuthn for human users. API keys are scoped, rotatable, expirable, and IP-allowlistable.
05 — Audit Logging
We log who did what, when, from where — across the console, the API, and internal operations. Streamed in real time to your SIEM or pulled on demand.
Authentication events, role changes, agent edits, campaign starts/pauses, tool registration, knowledge updates, recording exports, key rotations, and console viewing of recordings.
Audit logs retained for 13 months by default. Extendable to 7 years on Enterprise plans for regulated industries.
Push audit events to Splunk, Datadog, Sumo, or any HTTPS endpoint via webhook. JSON-structured, schema-versioned, deduped.
Append-only, hash-chained log segments. A daily Merkle root over the day's entries is signed with our signing key, so you can verify that no past entries were rewritten.
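A minimal model of the append-only, hash-chained segment and signed daily Merkle root described above, written for this page as an added example (it is not SynthVoice's code). It assumes SHA-256 links and uses an HMAC as a stand-in for the vendor's asymmetric signing key; the audit events are constructed.

```python
import hashlib
import hmac
import json
# Constructed sample audit events (not real SynthVoice data).
SAMPLE_EVENTS = [
    {"ts": "2026-01-05T09:00:00Z", "actor": "alice", "action": "role.change", "target": "bob"},
    {"ts": "2026-01-05T09:02:11Z", "actor": "bob", "action": "agent.edit", "target": "agent-17"},
    {"ts": "2026-01-05T09:05:42Z", "actor": "carol", "action": "recording.export", "target": "call-9001"},
]
GENESIS = "0" * 64

def h(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()

def canonical(event: dict) -> str:
    # Stable serialization so the same event always hashes the same way.
    return json.dumps(event, sort_keys=True, separators=(",", ":"))

def build_chain(events, prev_hash=GENESIS):
    """Append-only segment: each entry's hash covers its payload and the previous hash."""
    segment = []
    for ev in events:
        entry_hash = h(prev_hash + canonical(ev))
        segment.append({"prev": prev_hash, "event": ev, "hash": entry_hash})
        prev_hash = entry_hash
    return segment

def merkle_root(leaf_hashes) -> str:
    """Binary Merkle tree over the entry hashes (non-empty); odd levels duplicate the last node."""
    level = list(leaf_hashes)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def sign_root(root: str, key: bytes) -> str:
    # HMAC stands in for the vendor's asymmetric signature (assumption for this example).
    return hmac.new(key, root.encode(), hashlib.sha256).hexdigest()

def verify_segment(segment, signed_root: str, key: bytes) -> bool:
    """Recompute every link and the root: a rewritten entry breaks a link, a rebuilt chain breaks the root."""
    prev = GENESIS
    for entry in segment:
        if entry["prev"] != prev or entry["hash"] != h(prev + canonical(entry["event"])):
            return False
        prev = entry["hash"]
    root = merkle_root(e["hash"] for e in segment)
    return hmac.compare_digest(sign_root(root, key), signed_root)
```

Rewriting an entry in place fails the link check; rebuilding the whole chain around the edited entry passes the links but produces a different root, which no longer matches the signature issued for the day.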
06 — Sub-processors
SynthVoice runs on a vetted set of cloud, telephony, AI, and observability providers — every one SOC 2 Type II audited, every one under a Data Processing Agreement that prohibits training on Customer Data and mandates breach-notification timelines. We don't publish the full vendor list publicly to limit attack surface. It's available to qualified prospects under NDA during procurement.
Every sub-processor handling Customer Data carries an active SOC 2 Type II report. ISO 27001 and HIPAA where applicable to the data category.
All inference and speech vendors operate under zero-retention enterprise agreements. Your conversation data is never used to train any third-party model.
Customers receive 30 days written notice before any new sub-processor is engaged for Customer Data, with the right to object.
Procurement teams: request the full sub-processor list, DPAs, and a redacted SOC 2 report at security@synthvoice.ai.
07 — Data Retention
Every data type has a default retention window and a configurable bound. Healthcare, financial, and government tenants typically tighten these defaults during onboarding.
| Data Type | Default Retention | Min — Max | Storage | Deletion on Termination |
|---|---|---|---|---|
| Call recordings (audio) | 90 days | 0d — 7y | Object storage · KMS | 30 days post-termination |
| Call transcripts (text) | 365 days | 7d — 7y | Encrypted DB | 30 days post-termination |
| Call summaries & tags | 365 days | 30d — 7y | Encrypted DB | 30 days post-termination |
| Caller PII (phone, name, etc.) | Tied to call lifecycle | Configurable redaction | Encrypted DB · per-field KMS | 30 days post-termination |
| Knowledge sources | Until deleted by customer | N/A | Encrypted DB · vector index | 30 days post-termination |
| Audit logs | 13 months | 90d — 7y | Append-only, hash-chained | Retained per regulatory minimum |
| Backups (operational) | 35 days rolling | Fixed window | Encrypted snapshots | Cycled out within 35 days |
| Operational telemetry | 30 days | PII-redacted | Observability platform · audited | Cycled out within 30 days |
| Suppression / opt-out lists | Indefinite | Customer-controlled | Encrypted DB | Retained — required for compliance |
Customer Data is purged within 30 days of contract termination unless a longer retention is contractually required (legal hold, regulatory archive, suppression registry).
08 — Data Residency
Tenant data is processed and stored in the region you select at workspace creation. Regional pinning includes the database, object storage, search index, and the inference endpoints we route to.
For EU and UK customers, GDPR and UK GDPR transfers rely on Standard Contractual Clauses and a Transfer Impact Assessment. Inference endpoints are region-pinned to match — EU tenants are not routed to US LLM inference unless explicitly opted in.
09 — Telephony & TCPA Compliance
Outbound campaigns honor recipient-timezone calling windows by default (8am–9pm local). State-level overrides (e.g., Florida 8am–8pm) automatically apply.
Internal Do-Not-Call lists are checked on every dial. Federal DNC and state DNC scrubbing available for Enterprise. Opt-out responses are honored within 30 seconds across all campaigns.
STIR/SHAKEN attestation A on all outbound calls. Caller ID names registered in the FCC RND. Branded caller ID for supported carriers.
Two-party-consent disclosure plays automatically when the caller's state requires it. Disclosure templates per locale; fully customizable.
10DLC, toll-free, and short-code messaging supported with carrier-required brand and campaign registration. Throughput rate-limits enforced by sender class.
Per-contact consent records — what was agreed, when, and through what channel — are stored and retrievable for evidentiary purposes.
10 — Incident Response
If we confirm a security incident affecting your data, you'll hear from us — fast, in writing, with what we know and what we're doing about it.
Internal monitoring, customer report, or external researcher disclosure triggers an incident channel. Severity assigned within 15 minutes.
Incident commander assigned. Affected systems isolated. Forensic timeline started. Customer impact scope estimated.
Root cause identified. Mitigation deployed. Vulnerability patched in dev, staged, and production paths.
Affected customers notified in writing — via email to the security contact on file and a posted incident on status.synthvoice.ai. Includes scope, data categories, mitigation, and customer guidance.
Written PIR delivered to affected customers. Includes root cause, timeline, impact, remediation, and durable controls added to prevent recurrence.
11 — Business Continuity
Continuous WAL streaming to a secondary region. Encrypted snapshots on a 35-day rolling window. Restore-from-backup drills quarterly.
Production runs across at least two cloud availability zones per region. Regional failover automated for eligible workloads; manual cutover documented for the rest.
Telephony has a primary and secondary carrier. Automatic failover within 30 seconds of carrier-side detection — no DNS changes required by customer.
12 — Responsible Disclosure
Researchers acting in good faith, within the scope of our policy, will not be subject to legal action or service termination. We commit to acknowledging receipt within 2 business days and providing remediation status within 14 days.
Send reports to security@synthvoice.ai — encrypted to our PGP key (fingerprint published in /.well-known/security.txt).
13 — Procurement Documents
Documents marked "NDA" are released through our trust portal once a mutual NDA is in place.
34-page narrative summary of our security program, controls, and audit posture. Available for download.
Most recent independent attestation report from our CPA firm. Released under NDA.
EU GDPR + UK GDPR compliant DPA with Standard Contractual Clauses (Modules 2 & 3). Available for download.
Pre-filled Standardized Information Gathering Lite questionnaire for vendor risk teams. Released under NDA.
Consensus Assessments Initiative Questionnaire — public version. Available for download.
Standard BAA template for healthcare deployments, available on request. Counter-signed copies on request.
Most recent third-party penetration test — scoping, methodology, and remediation summary. Released under NDA.
Confirmation that an annual independent pentest was completed — for vendor questionnaires. Available for download.
Current certificate of registration including scope statement. Available for download.
14 — Procurement FAQ
No. Every LLM, TTS, and STT vendor in our stack operates under a zero-retention enterprise agreement that contractually prohibits training on Customer Data. We do not fine-tune any model on Customer Data without an opt-in agreement specific to your tenant. Specific vendor names and the executed DPAs are available to qualified prospects under NDA during procurement.
In the region you select at workspace creation. Available regions: us-east, us-west, eu-central, eu-west, uk-south, ca-central, ap-southeast. Database, object storage, search index, and inference endpoints are all pinned to that region. EU and UK tenants can require EU-only inference at workspace creation.
Our Government Request Policy applies: we challenge overbroad requests, require legal process, and notify the affected customer unless legally prohibited. We publish an annual Transparency Report. The Customer remains the data controller — most requests should be served on the Customer directly.
Yes, on Enterprise. Bring your own AWS, GCP, or Azure KMS key. Revoking your key cryptographically erases your tenant's encrypted data — including our copy. Limitation: BYOK applies to data at rest; transient in-memory processing requires plaintext access during the call.
Customer Data is purged from production systems within 30 days of contract termination. Operational backups roll out within 35 days. We retain only what is required by law: suppression registries, transaction records, and audit logs needed for regulatory minimums. A Certificate of Destruction is available on request.
No. Call recordings, transcripts, and any derived embeddings are tenant-scoped and used only to power features for that tenant (e.g., search, summary, retrieval). They are not pooled across tenants and not used to train any model.
Limited tenant-level routing is available on Enterprise — for example, US-only inference, or excluding a specific carrier. Fully bespoke sub-processor exclusion lists are negotiated case-by-case during procurement.
Configurable per agent. Built-in patterns for credit cards, SSNs, account numbers, and DOBs. Custom regex patterns are supported. Redaction happens before transcripts are written to durable storage and before any logging or analytics ingest.
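An added illustration (not SynthVoice's implementation) of the redaction step described above: built-in patterns for card numbers, SSNs, and dates of birth, a Luhn check so that arbitrary 16-digit numbers are not over-redacted, a hook for per-agent custom regexes, and a write path that only ever persists the redacted text. The pattern shapes and the sample transcript line are constructed assumptions.

```python
import re

# Constructed sample transcript line (not real SynthVoice data).
SAMPLE = ("Sure, my card is 4111 1111 1111 1111, SSN 123-45-6789, "
          "born 03/14/1985, and the order number is 1234 5678 9012 3456.")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; keeps non-card digit runs (order numbers etc.) out of [CARD]."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def _card(match):
    digits = re.sub(r"\D", "", match.group(0))
    return "[CARD]" if luhn_ok(digits) else match.group(0)

# Built-in patterns (assumed shapes), applied in order.
PATTERNS = [
    (re.compile(r"\b(?:\d[ -]?){13,19}\b"), _card),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"), "[DOB]"),
]

def redact(text: str, custom=()) -> str:
    """Apply the built-in patterns, then any per-agent custom (regex, label) pairs."""
    rules = list(PATTERNS) + [(re.compile(p), label) for p, label in custom]
    for pattern, repl in rules:
        text = pattern.sub(repl, text)
    return text

def persist_transcript(text: str, store: list) -> str:
    """Redact first; only the redacted form reaches the durable store (and any log or analytics sink)."""
    clean = redact(text)
    store.append(clean)
    return clean
```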
72 hours from confirmed incident, written notification to the security contact on file, with scope, data categories, and remediation status. A post-incident report follows within 10 business days.
For qualifying Enterprise customers — typically large healthcare networks, financial institutions, and government — we offer single-tenant deployments and private VPC peering. Speak to your account team for the deployment matrix.
Edge sits behind a multi-vendor DDoS shield. Rate limits per API key and per tenant prevent abuse-driven cascades. Regional failover auto-routes eligible workloads within RTO; status.synthvoice.ai is the live source of truth.
SSO + WebAuthn enforced for all production access. Device posture (MDM-managed, encrypted, current OS) required for all engineering laptops. Just-in-time, audited access to production — no standing prod credentials. Background checks at hiring and annual security training.
Talk to security
Our security and compliance team takes calls directly. Bring your SIG-Lite, your VRA questionnaire, or your worst-case scenario — we'll answer in writing.