Security & Compliance
SquawkVoice is built for enterprise deployment from the ground up. Our infrastructure, compliance posture, and data practices meet the requirements of regulated industries including healthcare, financial services, and retail.
Request SOC 2 Report
Available under NDA. Contact us to request the full independently-audited report.
Security Questionnaire
We complete VSA, SIG, CAIQ, and custom questionnaires for enterprise reviews.
Architecture Review
Schedule a call with our engineering team to walk through infrastructure and data flows.
Certifications & Compliance
SOC 2 Type II
Independently audited. Our security controls have been verified to operate effectively over an extended audit period — not just at a point in time.
HIPAA Compliant
Business Associate Agreements are executed with all subprocessors that handle protected health information. Customer BAAs available upon request.
GDPR Compliant
SquawkVoice complies with GDPR requirements for data processing, privacy rights, and lawful basis of processing personal data.
Security Controls
The following controls are drawn from our SOC 2 Type II audit. Green status indicates the control was verified as operating effectively during the audit period. To request the full audit report, contact security@squawkvoice.ai.
Legal & Policies
Terms of Service — published at squawkvoice.ai/terms-conditions
Privacy Policy — published at squawkvoice.ai/privacy-policy
Subprocessor List — published and maintained at squawkvoice.ai/subprocessor-list
Incident Response Policy — documented and tested
Risk Management Policy — formally documented
Software Development Lifecycle Policy — documented
Vulnerability Disclosure Policy — active, contact security@squawkvoice.ai
Access Control
Role-Based Access Control (RBAC) — enforced across all platform layers
Multi-Factor Authentication — required for all internal staff on production systems
Least Privilege Principle — access scoped to job function, reviewed on role change
Password Security — enforced complexity and rotation policies
Access Logging — all access events logged and auditable
Vendor Access Controls — subprocessors bound by DPAs with scoped access
Access Review — periodic access reviews conducted
Data Security
Encryption in Transit — TLS 1.2+ enforced on all data in motion
Encryption at Rest — AES-256 on all stored data including recordings and transcripts
Data Erasure — automated deletion after 60-day retention window (configurable shorter)
Multi-Tenant Isolation — logical data separation; cross-tenant access is not possible
No Financial Data Retained — Stripe handles payments via tokenization; no card data stored
Data Classification — customer data classified and handled per sensitivity level
Infrastructure Security
Separate Production Environment — production isolated from development and staging
Google Cloud Platform — SOC 2, ISO 27001, and FedRAMP certified infrastructure
Anti-DDoS — GCP native DDoS protection enabled
Firewall — network-level firewall rules enforced across all environments
Virtual Private Cloud — all services deployed within a private VPC
Infrastructure Security — hardened OS images, automated patch management
Multi-Zone Redundancy — automatic failover across GCP availability zones
Network Security
Virtual Private Cloud — all services isolated within private network segments
Firewall Rules — least-privilege network access enforced
Wireless Security — all internal network access requires authentication
Traffic Monitoring — anomalous traffic patterns trigger automated alerts
Application Security
Web Application Firewall — WAF enabled on all public-facing endpoints
Vulnerability & Patch Management — automated scanning with remediation SLAs
Credential Management — secrets managed via GCP Secret Manager; no hardcoded credentials
Secure Development Lifecycle — security review embedded in engineering process
Dependency Scanning — third-party dependencies scanned for known vulnerabilities
Product Security
Single Sign-On (SSO) — available for enterprise accounts
Multi-Factor Authentication — configurable enforcement at account level
Audit Logs — full audit trail of all user actions available in dashboard
Role-Based Permissions — granular permission model across admin, operator, read-only roles
AI Transparency Controls — configurable AI disclosure statement on all agents
Data Retention Controls — customer-configurable retention window (up to 60 days default)
Availability & Reliability
99.9% Uptime SLA — committed availability backed by GCP infrastructure
Automated Failover — multi-zone architecture with no single point of failure
Incident Response — documented response plan with defined escalation paths
Monitoring — 24/7 infrastructure and application monitoring with alerting
Infrastructure
Google Cloud Platform
All SquawkVoice infrastructure runs on GCP in US-based data centers. GCP is SOC 2, ISO 27001, and FedRAMP certified — your data never leaves enterprise-grade infrastructure.
99.9% Uptime SLA
We commit to 99.9% platform availability. Multi-zone redundancy with automatic failover is enabled by default across all customer accounts.
Encryption in Transit
All data in motion is encrypted using TLS 1.2 or higher. No unencrypted transmission occurs at any point across the platform or between subprocessors.
Encryption at Rest
All stored data — call recordings, transcripts, and metadata — is encrypted at rest using AES-256.
Data Handling & Privacy
SquawkVoice never sells, licenses, or shares your data with third parties for any commercial purpose.
Data Retention
- Default retention for call recordings and transcripts is 60 days, after which data is permanently deleted
- Customers may request a shorter retention window at any time — contact support@squawkvoice.ai
- Retention policies applied uniformly across all data types
Financial Data
SquawkVoice does not retain any financial information. Payments are processed exclusively by Stripe using tokenized data. We never see, store, or transmit credit card numbers or bank account details.
Multi-Tenant Isolation
Each customer’s data is logically isolated from all other customers. Cross-tenant data access is architecturally impossible at every layer of the stack.
Call Data & Audit Logs
Full Conversation Logs
All interactions — call recordings and full transcripts — are logged and accessible in real time via the SquawkVoice dashboard.
Audit Trails
Detailed audit trails of all data access events are maintained. Enterprise customers can request audit log export for compliance reviews.
Call Metadata
Caller ID, duration, outcomes, and routing metadata retained alongside transcripts for full operational visibility.
Real-Time Access
Call data is available in your dashboard immediately after each interaction — no lag, no batching.
AI Transparency & Disclosure
SquawkVoice supports configurable AI disclosure on all voice agents. You can require agents to identify themselves as AI at the start of every interaction — per your internal governance or regulatory requirements.
Subprocessors
Our full subprocessor list is published and maintained at squawkvoice.ai/subprocessor-list. Customers are notified of subprocessor changes per our standard notification policy.

| Subprocessor | Purpose | Data Processed |
|---|---|---|
| Google Cloud Platform | Hosting, storage, infrastructure | Audio, transcripts, metadata, logs, account data |
| Twilio | Telephony and call routing | Caller ID, phone numbers, routing metadata, audio |
| Deepgram | Speech-to-text transcription | Audio for transcription, resulting transcripts |
| ElevenLabs | Text-to-speech voice synthesis | Text prompts used to generate synthesized audio |
| OpenAI | Language model inference | Text prompts, structured data, text from transcripts |
| Stripe | Payment processing | Tokenized payment and billing metadata only |
| Supabase | Database and authentication | Account data, authentication details, app metadata |
All subprocessors are bound by data processing agreements. SquawkVoice conducts periodic reviews of subprocessor security posture.
Business Associate Agreements (BAAs)
For customers in regulated industries subject to HIPAA, SquawkVoice executes Business Associate Agreements as required. BAAs are in place with all subprocessors that may handle protected health information — including Twilio, Deepgram, ElevenLabs, OpenAI, and GCP.
To request a BAA for your organization, contact security@squawkvoice.ai.
Incident Response
Detection
Security events monitored continuously via GCP native tooling and internal alerting. Anomalous access patterns trigger immediate investigation.
Containment
Upon confirmed incident, affected systems are isolated and access revoked within minutes. Documented response policy with defined escalation paths and decision owners.
Notification
Affected customers notified promptly and within timeframes required by applicable law — including HIPAA’s 60-day breach notification and GDPR’s 72-hour supervisory authority notification.
Vulnerability Disclosure
We welcome responsible disclosure of security vulnerabilities. Contact security@squawkvoice.ai with:
- Description of the vulnerability and potential impact
- Steps to reproduce
- Supporting evidence (screenshots, logs, etc.)
Enterprise Security Reviews
SOC 2 Type II Report
Available under NDA. Contact us to request a copy for your vendor review process.
Security Questionnaires
We complete VSA, SIG, CAIQ, and custom questionnaires for enterprise customers and prospects.
Architecture Review
Schedule a call with our engineering team to walk through infrastructure, data flows, and integrations.
Custom DPA
Data Processing Addenda available for customers with specific contractual requirements.
Additional Resources
Privacy Policy
Full privacy policy including data subject rights and lawful basis for processing.
Subprocessor List
All authorized subprocessors, published and maintained in real time.
Terms of Service
Standard terms of service governing platform use.