Security & Compliance

Last updated: February 18, 2026

1. Infrastructure Security

SonderVoice is built on enterprise-grade cloud infrastructure designed for reliability and security.

  • Hosting: Our application is deployed on Railway, using isolated containers with automatic scaling and zero-downtime deployments.
  • Database: PostgreSQL with encrypted connections (TLS), automated daily backups, and point-in-time recovery.
  • Caching: Redis with TLS-encrypted connections for session management and real-time data.
  • Storage: Call recordings are stored in AWS S3 with server-side encryption (AES-256) in the EU (eu-north-1) region.
  • Monitoring: 24/7 uptime monitoring with automated alerting. Application errors are tracked via Sentry with real-time notifications.

2. Data Protection

2.1 Encryption

  • In Transit: All data is encrypted in transit using TLS 1.2+. API endpoints enforce HTTPS.
  • At Rest: Database fields containing sensitive data are encrypted. Call recordings use AES-256 encryption in S3.
  • Passwords: User passwords are hashed using bcrypt with a work factor of 12. Plain-text passwords are never stored.

2.2 Access Control

  • Role-based access control (RBAC) separating business owners, agency administrators, and system administrators.
  • JWT-based authentication with configurable token expiry.
  • OAuth 2.0 support for Google and Microsoft single sign-on.
  • API rate limiting to prevent abuse.

2.3 Data Retention

  • Call recordings are retained per business configuration and can be deleted on request.
  • Soft-delete is used for business data, allowing recovery within a retention window before permanent removal.
  • Account deletion requests are honoured within 30 days in accordance with data protection regulations.

3. HIPAA Compliance Mode

SonderVoice offers a HIPAA compliance mode for healthcare businesses. When enabled:

  • The AI agent will never discuss, confirm, or deny patient medical information over the phone.
  • Caller identity verification is required before any patient-specific scheduling.
  • Medical advice, diagnoses, and lab results are never provided by the AI — callers are directed to clinical staff.
  • Call recordings for HIPAA-enabled accounts follow enhanced retention and access controls.

Businesses using HIPAA mode are responsible for executing a Business Associate Agreement (BAA) with SonderVoice. Contact us at compliance@sondervoice.com to initiate a BAA.

4. AI Transparency

SonderVoice is committed to transparent AI practices:

  • All AI-generated greetings identify the system as an AI assistant by default.
  • If a caller asks whether they are speaking with a human or AI, the system will truthfully disclose its nature.
  • Callers uncomfortable speaking with AI are offered the option to leave a message for a human callback.
  • Call recording notices are automatically included for all jurisdictions requiring consent (UK, EU, US two-party consent states).

5. Third-Party Services

SonderVoice integrates with carefully vetted third-party providers:

  • Retell AI: Voice synthesis and conversation engine. SOC 2 Type II compliant.
  • Stripe: Payment processing. PCI DSS Level 1 certified. SonderVoice never stores card numbers.
  • Twilio: Telephony and SMS services. SOC 2 and ISO 27001 certified.
  • Google Calendar / Microsoft 365: Calendar integrations use OAuth 2.0 with minimal-scope permissions.
  • AWS S3: Object storage for call recordings. SOC 1/2/3 and ISO 27001 certified.

6. UK Data Protection

SonderVoice is designed with UK data protection principles in mind:

  • Data Minimisation: We collect only the data necessary to provide our service.
  • Purpose Limitation: Personal data is used solely for delivering and improving the AI receptionist service.
  • Subject Access: Users and callers can request access to their data by contacting us.
  • Data Portability: Business data can be exported on request.
  • Right to Erasure: Account and caller data can be deleted on request.

For data protection inquiries, contact our Data Protection Officer at dpo@sondervoice.com.

7. Incident Response

In the event of a security incident:

  • Our monitoring systems are configured to alert the engineering team immediately.
  • Affected customers will be notified within 72 hours of a confirmed data breach, in accordance with regulatory requirements.
  • Post-incident reviews are conducted and findings are used to improve our security posture.

8. Contact Information

For security concerns, compliance questions, or to report a vulnerability:

SonderVoice Ltd.
Email: security@sondervoice.com
Compliance: compliance@sondervoice.com
Data Protection: dpo@sondervoice.com