# Security & Compliance

> Enterprise-grade security architecture, certifications, compliance controls, and data practices for SquawkVoice.

SquawkVoice is built for enterprise deployment from the ground up. Our infrastructure, compliance posture, and data practices meet the requirements of regulated industries including healthcare, financial services, and retail.

<CardGroup cols={3}>
  <Card title="Request SOC 2 Report" icon="file-shield" href="mailto:security@squawkvoice.ai">
    Available under NDA. Contact us to request the full independently-audited report.
  </Card>

  <Card title="Security Questionnaire" icon="clipboard-list" href="mailto:security@squawkvoice.ai">
    We complete VSA, SIG, CAIQ, and custom questionnaires for enterprise reviews.
  </Card>

  <Card title="Architecture Review" icon="sitemap" href="mailto:security@squawkvoice.ai">
    Schedule a call with our engineering team to walk through infrastructure and data flows.
  </Card>
</CardGroup>

***

## Certifications & Compliance

<CardGroup cols={3}>
  <Card title="SOC 2 Type II" icon="shield-check">
    Independently audited. Our security controls have been verified to operate effectively over an extended audit period — not just at a point in time.
  </Card>

  <Card title="HIPAA Compliant" icon="hospital">
    Business Associate Agreements are executed with all subprocessors that handle protected health information. Customer BAAs available upon request.
  </Card>

  <Card title="GDPR Compliant" icon="scale-balanced">
    SquawkVoice complies with GDPR requirements for data processing, privacy rights, and lawful basis of processing personal data.
  </Card>
</CardGroup>

***

## Security Controls

<Info>
  The following controls are drawn from our SOC 2 Type II audit. Green status indicates the control was verified as operating effectively during the audit period. To request the full audit report, contact [security@squawkvoice.ai](mailto:security@squawkvoice.ai).
</Info>

### Legal & Policies

<Check>Terms of Service — published at squawkvoice.ai/terms-conditions</Check>
<Check>Privacy Policy — published at squawkvoice.ai/privacy-policy</Check>
<Check>Subprocessor List — published and maintained at squawkvoice.ai/subprocessor-list</Check>
<Check>Incident Response Policy — documented and tested</Check>
<Check>Risk Management Policy — formally documented</Check>
<Check>Software Development Lifecycle Policy — documented</Check>
<Check>Vulnerability Disclosure Policy — active, contact [security@squawkvoice.ai](mailto:security@squawkvoice.ai)</Check>

### Access Control

<Check>Role-Based Access Control (RBAC) — enforced across all platform layers</Check>
<Check>Multi-Factor Authentication — required for all internal staff on production systems</Check>
<Check>Least Privilege Principle — access scoped to job function, reviewed on role change</Check>
<Check>Password Security — enforced complexity and rotation policies</Check>
<Check>Access Logging — all access events logged and auditable</Check>
<Check>Vendor Access Controls — subprocessors bound by DPAs with scoped access</Check>
<Check>Access Review — periodic access reviews conducted</Check>

### Data Security

<Check>Encryption in Transit — TLS 1.2+ enforced on all data in motion</Check>
<Check>Encryption at Rest — AES-256 on all stored data including recordings and transcripts</Check>
<Check>Data Erasure — automated deletion at the end of the 60-day retention window (a shorter window can be configured)</Check>
<Check>Multi-Tenant Isolation — logical data separation; cross-tenant access is not possible</Check>
<Check>No Financial Data Retained — Stripe handles payments via tokenization; no card data stored</Check>
<Check>Data Classification — customer data classified and handled per sensitivity level</Check>

### Infrastructure Security

<Check>Separate Production Environment — production isolated from development and staging</Check>
<Check>Google Cloud Platform — SOC 2, ISO 27001, and FedRAMP certified infrastructure</Check>
<Check>Anti-DDoS — GCP native DDoS protection enabled</Check>
<Check>Firewall — network-level firewall rules enforced across all environments</Check>
<Check>Virtual Private Cloud — all services deployed within a private VPC</Check>
<Check>Infrastructure Security — hardened OS images, automated patch management</Check>
<Check>Multi-Zone Redundancy — automatic failover across GCP availability zones</Check>

### Network Security

<Check>Virtual Private Cloud — all services isolated within private network segments</Check>
<Check>Firewall Rules — least-privilege network access enforced</Check>
<Check>Wireless Security — all internal network access requires authentication</Check>
<Check>Traffic Monitoring — anomalous traffic patterns trigger automated alerts</Check>

### Application Security

<Check>Web Application Firewall — WAF enabled on all public-facing endpoints</Check>
<Check>Vulnerability & Patch Management — automated scanning with remediation SLAs</Check>
<Check>Credential Management — secrets managed via GCP Secret Manager; no hardcoded credentials</Check>
<Check>Secure Development Lifecycle — security review embedded in engineering process</Check>
<Check>Dependency Scanning — third-party dependencies scanned for known vulnerabilities</Check>

### Product Security

<Check>Single Sign-On (SSO) — available for enterprise accounts</Check>
<Check>Multi-Factor Authentication — configurable enforcement at account level</Check>
<Check>Audit Logs — full audit trail of all user actions available in dashboard</Check>
<Check>Role-Based Permissions — granular permission model across admin, operator, read-only roles</Check>
<Check>AI Transparency Controls — configurable AI disclosure statement on all agents</Check>
<Check>Data Retention Controls — customer-configurable retention window (60 days by default; shorter windows available)</Check>

### Availability & Reliability

<Check>99.9% Uptime SLA — committed availability backed by GCP infrastructure</Check>
<Check>Automated Failover — multi-zone architecture with no single point of failure</Check>
<Check>Incident Response — documented response plan with defined escalation paths</Check>
<Check>Monitoring — 24/7 infrastructure and application monitoring with alerting</Check>

***

## Infrastructure

<CardGroup cols={2}>
  <Card title="Google Cloud Platform" icon="cloud">
    All SquawkVoice infrastructure runs on GCP in US-based data centers. GCP is SOC 2, ISO 27001, and FedRAMP certified — your data never leaves enterprise-grade infrastructure.
  </Card>

  <Card title="99.9% Uptime SLA" icon="signal">
    We commit to 99.9% platform availability. Multi-zone redundancy with automatic failover is enabled by default across all customer accounts.
  </Card>

  <Card title="Encryption in Transit" icon="lock">
    All data in motion is encrypted using TLS 1.2 or higher. No unencrypted transmission occurs at any point across the platform or between subprocessors.
  </Card>

  <Card title="Encryption at Rest" icon="database">
    All stored data — call recordings, transcripts, and metadata — is encrypted at rest using AES-256.
  </Card>
</CardGroup>

***

## Data Handling & Privacy

<Check>
  **SquawkVoice never sells, licenses, or shares your data with third parties for any commercial purpose.**
</Check>

### Data Retention

* Default retention for call recordings and transcripts is **60 days**, after which data is permanently deleted
* Customers may request a **shorter retention window** at any time — contact [support@squawkvoice.ai](mailto:support@squawkvoice.ai)
* Retention policies are applied uniformly across all data types

### Financial Data

<Note>
  SquawkVoice does not retain any financial information. Payments are processed exclusively by Stripe using tokenized data. We never see, store, or transmit credit card numbers or bank account details.
</Note>

### Multi-Tenant Isolation

Each customer's data is **logically isolated** from all other customers. Cross-tenant data access is architecturally impossible at every layer of the stack.

***

## Call Data & Audit Logs

<CardGroup cols={2}>
  <Card title="Full Conversation Logs" icon="message-lines">
    All interactions — call recordings and full transcripts — are logged and accessible in real time via the SquawkVoice dashboard.
  </Card>

  <Card title="Audit Trails" icon="clock-rotate-left">
    Detailed audit trails of all data access events are maintained. Enterprise customers can request audit log export for compliance reviews.
  </Card>

  <Card title="Call Metadata" icon="list">
    Caller ID, duration, outcomes, and routing metadata are retained alongside transcripts for full operational visibility.
  </Card>

  <Card title="Real-Time Access" icon="bolt">
    Call data is available in your dashboard immediately after each interaction — no lag, no batching.
  </Card>
</CardGroup>

***

## AI Transparency & Disclosure

SquawkVoice supports configurable AI disclosure on all voice agents. You can require agents to identify themselves as AI at the start of every interaction — per your internal governance or regulatory requirements.

<Tip>
  **Example disclosure:** *"Hi, I'm an AI assistant from \[Your Company]. How can I help you today?"*

  This is configurable per agent and can be enforced as a default across your entire account.
</Tip>

***

## Subprocessors

Our full subprocessor list is published and maintained at [squawkvoice.ai/subprocessor-list](https://www.squawkvoice.ai/subprocessor-list). Customers are notified of subprocessor changes per our standard notification policy.

| Subprocessor          | Purpose                          | Data Processed                                       |
| --------------------- | -------------------------------- | ---------------------------------------------------- |
| Google Cloud Platform | Hosting, storage, infrastructure | Audio, transcripts, metadata, logs, account data     |
| Twilio                | Telephony and call routing       | Caller ID, phone numbers, routing metadata, audio    |
| Deepgram              | Speech-to-text transcription     | Audio for transcription, resulting transcripts       |
| ElevenLabs            | Text-to-speech voice synthesis   | Text prompts used to generate synthesized audio      |
| OpenAI                | Language model inference         | Text prompts, structured data, text from transcripts |
| Stripe                | Payment processing               | Tokenized payment and billing metadata only          |
| Supabase              | Database and authentication      | Account data, authentication details, app metadata   |

<Info>
  All subprocessors are bound by data processing agreements. SquawkVoice conducts periodic reviews of subprocessor security posture.
</Info>

***

## Business Associate Agreements (BAAs)

For customers in regulated industries subject to HIPAA, SquawkVoice executes Business Associate Agreements as required. BAAs are in place with all subprocessors that may handle protected health information — including Twilio, Deepgram, ElevenLabs, OpenAI, and GCP.

<Check>
  To request a BAA for your organization, contact [security@squawkvoice.ai](mailto:security@squawkvoice.ai).
</Check>

***

## Incident Response

<Steps>
  <Step title="Detection">
    Security events are monitored continuously via GCP native tooling and internal alerting. Anomalous access patterns trigger immediate investigation.
  </Step>

  <Step title="Containment">
    Once an incident is confirmed, affected systems are isolated and access is revoked within minutes. A documented response policy defines escalation paths and decision owners.
  </Step>

  <Step title="Notification">
    Affected customers are notified promptly and within the timeframes required by applicable law — including HIPAA's 60-day breach notification and GDPR's 72-hour supervisory authority notification.
  </Step>

  <Step title="Remediation & Review">
    Root cause analysis conducted after every incident. Findings used to update controls. Summary available to affected customers upon request.
  </Step>
</Steps>

***

## Vulnerability Disclosure

We welcome responsible disclosure of security vulnerabilities. Contact [security@squawkvoice.ai](mailto:security@squawkvoice.ai) with:

* Description of the vulnerability and potential impact
* Steps to reproduce
* Supporting evidence (screenshots, logs, etc.)

We commit to acknowledging all reports within **2 business days** and providing a remediation timeline within **10 business days**.

***

## Enterprise Security Reviews

<CardGroup cols={2}>
  <Card title="SOC 2 Type II Report" icon="file-shield" href="mailto:security@squawkvoice.ai">
    Available under NDA. Contact us to request a copy for your vendor review process.
  </Card>

  <Card title="Security Questionnaires" icon="clipboard-list" href="mailto:security@squawkvoice.ai">
    We complete VSA, SIG, CAIQ, and custom questionnaires for enterprise customers and prospects.
  </Card>

  <Card title="Architecture Review" icon="sitemap" href="mailto:security@squawkvoice.ai">
    Schedule a call with our engineering team to walk through infrastructure, data flows, and integrations.
  </Card>

  <Card title="Custom DPA" icon="file-contract" href="mailto:security@squawkvoice.ai">
    Data Processing Addenda available for customers with specific contractual requirements.
  </Card>
</CardGroup>

***

## Additional Resources

<CardGroup cols={3}>
  <Card title="Privacy Policy" icon="eye" href="https://www.squawkvoice.ai/privacy-policy">
    Full privacy policy including data subject rights and lawful basis for processing.
  </Card>

  <Card title="Subprocessor List" icon="list-check" href="https://www.squawkvoice.ai/subprocessor-list">
    All authorized subprocessors, published and maintained in real time.
  </Card>

  <Card title="Terms of Service" icon="file-lines" href="https://www.squawkvoice.ai/terms-conditions">
    Standard terms of service governing platform use.
  </Card>
</CardGroup>
