S-01
Data encryption
AES-256 at rest. TLS 1.2+ (TLS 1.3 preferred) in transit. Database connections encrypted, backups encrypted, API over HTTPS with strong cipher suites.
- At rest: AES-256
- In transit: TLS 1.3
- API: HTTPS only
- Backups: Encrypted
Engineering reference · Security & compliance · v2026.05
A no-fluff reference to how HaloVoice secures your data, your customers' voices, and your compliance posture. Every control documented, every disclaimer surfaced.
Status
Last revised: 2026-05-04
— Frameworks
- SOC 2: Aligned · Trust Service Criteria
- GDPR: EU data protection
- TCPA: US telemarketing
- TRAI / DPDP: India · NDNC + 2023 Act
- HIPAA: Aware · BAA on Enterprise
- ISO 27001: Aligned
S-02
Hosted on enterprise-grade cloud with redundancy, automatic failover, geographic distribution. Network segmentation, firewalls, IDS, DDoS protection. Production isolated from dev/staging.
S-03
Granular RBAC. JWT session auth with configurable expiry. API tokens with rate limiting. Custom roles, permission management, immutable access logs, instant revocation.
S-04
Third-party API keys encrypted with Fernet. Passwords hashed + salted (one-way). DB credentials rotated. Per-org isolation for recordings, transcripts, vector embeddings (Pinecone namespaces).
S-05
Pre-call DNC checks. TRAI NDNC, TCPA, country-specific rules enforced. Time-window enforcement, frequency caps, opt-out handling. Configurable per campaign.
S-06
Comprehensive audit logging. Logins, permission changes, data access, API calls, campaign executions, admin actions — all immutable, timestamped, retained 12+ months. Real-time anomaly alerting.
— Shared responsibility
HaloVoice handles
You handle
— Disclaimers & policies
7 sections
Aligned with SOC 2 Trust Service Criteria, GDPR, HIPAA awareness, the Indian IT Act 2000 and DPDP Act 2023, and cloud security best practices. Certifications are pursued on an ongoing basis. Users remain responsible for industry-specific compliance (e.g., HIPAA, PCI-DSS).
We integrate with Twilio, OpenAI, Cartesia, Sarvam AI, Pinecone, and Stripe. Vendors are vetted for security practices and require DPAs where applicable. Each provider's security posture is governed by their respective terms.
Documented plan covering detection, containment, eradication, recovery, and post-incident review. We notify affected customers without unreasonable delay and in accordance with applicable breach notification laws.
Automated encrypted backups, geographic redundancy, defined RTO/RPO, periodic disaster recovery testing. SLAs are provided to Enterprise customers under separate agreement.
Automated vulnerability scanning, dependency monitoring, severity-based patching, periodic penetration testing, secure SDLC practices. Critical vulnerabilities prioritized for immediate remediation.
HaloVoice is NOT an emergency calling service and does NOT support E911. Do not use the platform as a substitute for emergency communications. Maintain alternative means at all times.
AI models may produce inaccurate, biased, or incomplete outputs. Performance can vary across languages, accents, and demographics. Review and validate AI outputs before acting on them.
Available on Enterprise · Email security@halovoice.in