This page summarizes how CallingScout protects customer data, the frameworks we work to, the sub-processors we depend on, and how to reach our security team. If a commitment is not on this page, it is not a commitment.
Commitments
The promises that hold across the whole product, not just one section.
| Commitment | Detail |
|---|---|
| No model training on calls | Customer call audio and transcripts are not used to train any model. |
| No selling, no ads sharing | We do not sell Customer Personal Data and do not "share" it for cross-context behavioral advertising as those terms are defined under U.S. state privacy laws. |
| Breach notification | Without undue delay, target 72 hours from confirmation. |
| Sub-processor notice | At least 30 days before changes, with the right to object on data-protection grounds. |
| Access scope | CallingScout personnel access Customer Personal Data only to provide and support the Service, on Customer's request, or where law requires it. |
Certifications and frameworks
Status as of the date at the top of this page. Audit reports and security questionnaires are available under NDA on request to security@CallingScout.ai.
| Framework | Status | Notes |
|---|---|---|
| SOC 2 Type II | In progress | Audit window underway. Type I report available under NDA. |
| HIPAA | In progress | BAA available on the Enterprise plan. Controls implemented. Independent attestation in progress. |
| GDPR / UK GDPR / Swiss FADP | Active | DPA available. SCCs and UK Addendum incorporated. |
| CCPA / CPRA + U.S. state laws | Active | Service-provider and processor terms in the DPA. |
| ISO 27001 | Scoping | Targeting certification within twelve months. |
| PCI DSS | Out of scope | Payments are tokenized through Stripe. We never see card data. |
Data protection
In transit. TLS 1.2+ on all external endpoints, with HSTS, modern cipher suites, and certificate transparency monitoring. Internal service-to-service traffic is encrypted within the VPC.
At rest. AES-256 for stored audio, transcripts, databases, object storage, and backups. Keys are managed through a hardware-backed key-management service with automatic rotation and separation of duties between key custodians and data accessors.
Tenant isolation.Each customer's data is logically segregated by tenant ID enforced in every read and write path. Enterprise customers may request dedicated instances and customer-managed keys.
Retention. Customer-configurable per workspace. Defaults: 30 days for call audio, 90 days for transcripts and metadata. Account data is retained for the life of the account plus a 30-day grace period after termination. Backups roll off within 90 days.
Voice and call data
Voice agents combine several sub-processors (telephony, speech-to-text, large language model, text-to-speech). We send each sub-processor only what it needs to do its job and pass our security and data-protection obligations through by contract.
- No model training on customer calls. Sub-processors are contracted to not train on inputs you send through us.
- Redaction. The Service can redact configured PII (credit-card numbers, SSNs, payment-card patterns) from transcripts before storage where enabled.
- Recording disclosure. The Service can play jurisdiction-aware disclosure prompts at the start of calls and detect opt-out language. Customer is responsible for choosing the right configuration for the laws that apply to them.
- Caller-aware AI disclosure. Agents disclose that they are AI when callers sincerely ask. We do not let customers configure agents to deny being AI.
Access and identity
Mandatory SSO with hardware-key MFA for all CallingScout personnel. Role-based access on a least-privilege basis. Production access is granted just-in-time, time-boxed, peer-approved, and fully audit-logged. We perform quarterly access reviews. Customer admins can enable SSO (SAML, OIDC) and SCIM provisioning for their workspace on Business and Enterprise plans.
Infrastructure
The Service runs on tier-1 cloud infrastructure (Amazon Web Services, primary regions us-east-1 and eu-west-1, secondary as required). Workloads run inside segmented Virtual Private Clouds with no public database exposure. Infrastructure is managed as code with peer-reviewed changes. Customer data residency commitments (US-only or EU-only) are available on the Enterprise plan.
Application security
- Secure SDLC with mandatory peer review on changes touching authentication, authorization, billing, or data handling.
- Static analysis and dependency vulnerability scanning in CI. Failed scans block merge.
- Secret scanning at the repository and pre-commit levels.
- Third-party penetration testing annually and on material architecture changes. Letters of attestation available under NDA.
- Vulnerability remediation targets: Critical within 24 hours, High within 7 days, Medium within 30 days, Low within 90 days.
Logging and monitoring
Centralized audit logging for production access, configuration changes, and security-relevant events, retained for at least 12 months. 24/7 alerting routed to on-call engineers. Anomaly detection on authentication, data export, and inter-tenant access patterns.
People
Background checks where lawful. Security and privacy training at hire and annually. Acceptable-use, confidentiality, and data-handling agreements signed by every person with access. Documented separation procedure that revokes access on departure.
Resilience
Encrypted, geographically replicated backups. Documented incident-response and business-continuity plans, tested at least annually. Targets: RPO 1 hour, RTO 4 hours for the core call-orchestration path.
Sub-processors
We publish the current sub-processor list on request, dated, with the categories of data each one processes and the regions involved. Email security@CallingScout.ai.
We give customers at least 30 days' notice before adding or replacing a sub-processor, with the right to object on reasonable data-protection grounds, as described in the DPA.
Vulnerability disclosure
If you believe you have found a security vulnerability in the Service, please tell us. We commit to:
- acknowledge your report within 2 business days;
- investigate and provide a status update within 7 business days;
- not pursue legal action against good-faith researchers who follow this policy and avoid privacy violations, service disruption, or destruction of data.
Send reports to security@CallingScout.ai. Out of scope: denial-of-service testing, social-engineering CallingScout personnel, physical attacks, and automated scanners that produce noise without proof of impact.
Customer requests
For SOC 2 reports, pen-test letters, security questionnaires, BAAs, custom DPAs, or data-residency commitments, contact security@CallingScout.ai. Most requests are turned around within 5 business days for active customers and prospective customers under NDA.
Contact
- Security
- security@CallingScout.ai
- Privacy
- privacy@CallingScout.ai
- Legal
- legal@CallingScout.ai