Security & Compliance

How we handle your data and your calls.

BrandTalk AI is built for businesses whose phone is the front door of the operation — including regulated industries where the answer to "where does this data live?" matters. This page lays it out in plain English. Procurement teams can request our full security questionnaire and sub-processor list from security@brandtalkai.com.

Data ownership.

Your customer data is your property. We are a processor, not an owner.

You own the call data: Recordings, transcripts, and lead records belong to you.
You own the knowledge base: Your prompts, FAQs, and scripts are your IP.
Right to export: Full data export on request, any time.
Right to delete: 30-day deletion from production and backups on request.

Per-customer scoping.

There is no shared model that bleeds context across customers. Your knowledge base, prompts, call recordings, transcripts, and lead data live in your tenant only. Procurement teams ask about this in every enterprise eval. The answer is hard isolation, enforced at the application layer.
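As an added illustration of what application-layer tenant isolation means in practice (this is example code, not BrandTalk AI's implementation; the class and field names are assumed): every read and write takes the tenant id from the authenticated session, never from a request parameter, a record belonging to another tenant is indistinguishable from one that does not exist, and every access attempt is logged.

```python
"""Constructed example of application-layer tenant scoping.
Not BrandTalk AI's code; names (Principal, TenantScopedStore) are assumed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    """What the auth layer hands the application after verifying a session."""
    user_id: str
    tenant_id: str


@dataclass
class Record:
    record_id: str
    tenant_id: str
    kind: str        # "recording", "transcript" or "lead"
    payload: str


class TenantScopedStore:
    """Every method takes a Principal, so there is no code path that looks a
    record up by id without a tenant filter."""

    def __init__(self) -> None:
        self._rows: dict[str, Record] = {}
        # (user, tenant, record, outcome): the page says all production
        # data access is logged, so denied attempts are recorded too.
        self.access_log: list[tuple[str, str, str, str]] = []

    def put(self, who: Principal, record_id: str, kind: str, payload: str) -> Record:
        # Tenant comes from the verified session, never from the request body.
        rec = Record(record_id, who.tenant_id, kind, payload)
        self._rows[record_id] = rec
        self.access_log.append((who.user_id, who.tenant_id, record_id, "write"))
        return rec

    def get(self, who: Principal, record_id: str) -> Optional[Record]:
        rec = self._rows.get(record_id)
        # A record owned by another tenant is treated exactly like a missing
        # one, so the API does not leak whether an id exists elsewhere.
        if rec is None or rec.tenant_id != who.tenant_id:
            self.access_log.append((who.user_id, who.tenant_id, record_id, "denied"))
            return None
        self.access_log.append((who.user_id, who.tenant_id, record_id, "read"))
        return rec

    def list_for(self, who: Principal, kind: Optional[str] = None) -> list[Record]:
        """Listing is always filtered by the caller's tenant."""
        return [r for r in self._rows.values()
                if r.tenant_id == who.tenant_id and (kind is None or r.kind == kind)]


def demo() -> dict:
    """Two constructed tenants; shows that cross-tenant reads return nothing."""
    store = TenantScopedStore()
    alice = Principal("alice", "tenant-a")   # constructed
    bob = Principal("bob", "tenant-b")       # constructed
    store.put(alice, "rec-1", "recording", "call audio reference")
    store.put(alice, "tx-1", "transcript", "Hello, thanks for calling.")
    store.put(bob, "rec-9", "recording", "another tenant's audio")
    return {
        "alice_sees_own": store.get(alice, "rec-1") is not None,
        "bob_sees_alice": store.get(bob, "rec-1") is not None,
        "alice_count": len(store.list_for(alice)),
        "bob_count": len(store.list_for(bob)),
        "denied_logged": ("bob", "tenant-b", "rec-1", "denied") in store.access_log,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the pattern is that the tenant filter is not optional: there is no `get_by_id` that a later feature could call without scoping, and the audit log captures refused cross-tenant lookups so they can be alerted on.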

Encryption.

In transit: TLS 1.2+ on every API call, every browser request, every voice stream.
At rest: AES-256 encryption on stored recordings, transcripts, and lead records.
Credentials: API keys and secrets stored in encrypted environment vaults, rotated on demand.
Database: Encrypted PostgreSQL instances behind a private network.

Compliance posture.

We work with customers in regulated industries and design our deployments to meet their compliance obligations. On the Enterprise Concierge tier we provide compliance documentation and signed BAAs where applicable.

HIPAA-aware: BAA available on Enterprise Concierge, executed during onboarding. We don’t request diagnoses or store medical records; PHI handling protocols documented.
Never sold, never shared: We never sell your data or your callers’ data, and never share it across tenants or with third parties for marketing — ever.
PCI awareness: We never store full card numbers. Payment flows pass to PCI-compliant processors (Stripe).
SOC 2 posture: Controls modeled on SOC 2 Type II. Full audit on Enterprise roadmap.
GDPR / CCPA: Right to access, port, and delete. Honored across all tenants.
TCPA disclosure: Every AI call discloses AI involvement per our public disclosure (here).
Sub-processor list: Available on request — Twilio, OpenAI, Anthropic, ElevenLabs, AWS, others.

Call recording & transcript retention.

Default retention: 90 days for recordings, 365 days for transcripts. Configurable per tenant on Enterprise.
Custom retention: Set per regulatory requirement — some customers require 7 years, some require 30 days. Both supported.
Caller opt-out: Recording disclosure on every call. Caller-requested deletion honored within 30 days.
Internal access controls: Least-privilege access. All production data access logged.

Incident response.

If we detect a security incident affecting your data, we notify affected customers within 72 hours and provide a full root-cause analysis within 14 days. Enterprise customers receive direct contact from our leadership team.

Need the full questionnaire?

Send us your security questionnaire and we'll have it back in 3 business days.

Email security@brandtalkai.com