Compliance

Compliance, on by default

HIPAA, FINRA, PCI-DSS, SOC 2, GDPR — every framework your security team asks about, mapped to controls we actually ship.

HIPAA · United States · Healthcare

Health Insurance Portability and Accountability Act

Most VoIP vendors treat HIPAA as a pricing lever. Voxago treats it as a default. Every plan ships with end-to-end encryption, audit logging, and access controls — and we countersign a Business Associate Agreement inside one business day, no enterprise upgrade required. Healthcare teams move at the speed of the practice, not the speed of the procurement form.

Audit prep time
5 business days

Controls we map to

  • PHI Encryption — Transit & Rest

    AES-256 at rest, TLS 1.3 in transit, SRTP for media. Voicemail, recordings, transcripts, and SMS — all encrypted with keys we rotate quarterly. PHI never lives in cleartext on disk.

  • Signed Business Associate Agreement

    BAA countersigned by Voxago within one business day of plan purchase. Covers every Voxago service that may touch PHI: calling, voicemail, SMS, meetings, transcription, and AI agents.

  • Audit Logging & Tamper Evidence

    Immutable audit trail for every PHI access — who viewed which recording, when, from where. Logs retained 6 years minimum (45 CFR §164.316(b)(2)), exportable as PDF or JSON for OCR audits.

  • Role-Based Access Control

    Granular permissions on extensions, voicemail boxes, recordings, and transcripts. MFA enforced for admin roles. SSO via SAML available on all plans. Terminated staff lose access in under 5 minutes.

  • Breach Notification Workflow

    60-day breach notification process pre-built into our incident playbook. We notify customers within 24 hours of confirmed PHI exposure — well inside the HIPAA Breach Notification Rule window.

  • Minimum Necessary by Design

    Recording on/off per-call or per-extension. PHI redaction in AI transcripts before storage. Auto-deletion of voicemail after configurable retention windows (default 90 days, audit-overridable).

What we can hand your auditor

  • Business Associate Agreement

    Countersigned in ≤1 business day. Standard or custom redlines welcome.

  • Security Whitepaper

    12-page document mapping our controls to 45 CFR §164.308-312.

  • Penetration Test Summary

    Annual third-party pen-test report (sanitized) available under NDA.

  • Audit Log Sample

    30-day audit log extract from your tenant — request anytime.

FINRA · United States · Broker-Dealers

Financial Industry Regulatory Authority — Rules 4511 & 17a-4

FINRA 4511 and SEC 17a-4 demand more than 'we record calls.' They demand WORM-style retention, supervisor review, and exam-ready export — for at least six years. Voxago ships those controls on the platform, not as a $500/seat compliance add-on. Your CCO gets a complete recording archive, your reps don't get slower, and your next FINRA exam doesn't become a six-month fire drill.

Audit prep time
3 business days

Controls we map to

  • Tamper-Evident Recording (WORM)

    Every call, voicemail, and SMS write-once, read-many. Cryptographic hashes on every recording — if a single byte changes, the audit log flags it. SEC 17a-4(f)(2)(ii)(A) compliant.

  • 6-Year Retention Minimum

    Default 6-year retention on every recording, configurable up to 10. Retention clock starts on call end, not on deletion request. Holds applied on demand for litigation or arbitration.

  • Supervisor Review Workflow

    Sampling rules — random %, by rep, by client tier, by trigger keywords. Reviewers tag, escalate, and sign off with timestamps. Review-of-the-review for principal sign-off (FINRA 3110).

  • Searchable Transcript Archive

    AI transcription on every call with keyword search, speaker diarization, and sentiment flagging. Find every mention of a specific security, client name, or red-flag phrase in seconds.

  • Exam-Ready Export

    One-click bulk export to PDF, CSV, or WAV — with audit trail showing which examiner accessed which records. Ships with the manifest format FINRA examiners actually accept.

  • Pre-Trade Compliance Hooks

    Webhook triggers on keyword-detected calls (e.g. 'guaranteed return', specific tickers) push alerts to your compliance dashboard before the trade settles.

What we can hand your auditor

  • Retention Configuration Doc

    Per-tenant retention policy export, signed by Voxago security.

  • Recording Hash Methodology

    SHA-256 manifest format documented for exam submission.

  • Sample Examiner Export

    Synthetic 30-call export demonstrating the format examiners receive.

  • Surveillance Rules Catalog

    Pre-built rule library mapping FINRA red flags to platform triggers.

PCI-DSS · Global · Payment Cards

Payment Card Industry Data Security Standard v4.0

PCI-DSS doesn't care that you're 'just a phone system.' If a card number is spoken into a call you record, you're in scope. Voxago gives you two clean exits: pause-resume to skip the recording window, or DTMF tone-masking to strip the keystrokes from the audio entirely. Either way, the PAN never lands in your archive — and your QSA's scoping diagram gets a lot smaller.

Audit prep time
4 business days

Controls we map to

  • Pause-Resume Recording

    Agent triggers a pause before card capture, resumes after. The recorder stops; the metadata still logs the pause window with timestamps for QSA review. Configurable per-extension or auto-detected by phrase trigger.

  • DTMF Tone-Masking

    When the customer enters a card via the keypad, Voxago strips the DTMF tones from the recording in real time. The audio shows the duration of entry, not the digits. PAN never touches our disk.

  • Card-Capture IVR

    Customer enters their card into a PCI-validated IVR that posts directly to your payment processor. The agent never sees or hears the PAN. Token returned to the agent screen for receipt.

  • Network Segmentation Posture

    Voxago infrastructure is segmented from any cardholder data environment. We don't store, process, or transmit PANs as part of standard service — and we'll attest to that in writing.

  • Access Logging on Recordings

    Every recording playback logged with user, timestamp, and IP. Required by PCI-DSS 10.2 for any system that might capture cardholder data in error.

  • Annual Compliance Attestation

    Annual Attestation of Compliance summary mapping our controls to PCI-DSS Requirements 3, 4, 8, and 10. Drop it into your own AoC packet.
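The DTMF tone-masking control described above, as an added example that is not Voxago's code: a Goertzel-based detector that blanks each 20 ms frame carrying a row-tone plus column-tone pair and records the masked windows for the audit log, so the archive keeps the duration of keypad entry but never the digits. The 8 kHz sample rate, frame size, energy threshold and the synthetic call audio are assumptions constructed for the demo.

```python
import math
SAMPLE_RATE = 8000          # narrowband telephony PCM (assumed)
FRAME = 160                 # 20 ms analysis frames at 8 kHz
LOW_GROUP = (697, 770, 852, 941)        # DTMF row tones
HIGH_GROUP = (1209, 1336, 1477, 1633)   # DTMF column tones
THRESHOLD = (FRAME * 0.05) ** 2  # energy of an on-bin 0.1-amplitude tone (assumed tuning)

def goertzel_power(frame, freq):
    """|X[k]|^2 of the frame at the DFT bin nearest freq (Goertzel algorithm)."""
    n = len(frame)
    k = int(0.5 + n * freq / SAMPLE_RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def frame_has_dtmf(frame):
    """A DTMF digit is one row tone plus one column tone sounding together."""
    low = max(goertzel_power(frame, f) for f in LOW_GROUP)
    high = max(goertzel_power(frame, f) for f in HIGH_GROUP)
    return low > THRESHOLD and high > THRESHOLD

def mask_dtmf(samples):
    """Blank every frame carrying a DTMF pair; return (audio, windows).
    Silence keeps the duration of keypad entry but not the digits; windows
    are (start_s, end_s) for the audit log."""
    out = list(samples)
    windows = []
    for i in range(0, len(samples), FRAME):
        frame = samples[i:i + FRAME]
        if frame_has_dtmf(frame):
            out[i:i + FRAME] = [0.0] * len(frame)
            start, end = i / SAMPLE_RATE, (i + len(frame)) / SAMPLE_RATE
            if windows and windows[-1][1] == start:
                windows[-1] = (windows[-1][0], end)  # merge adjacent frames
            else:
                windows.append((start, end))
    return out, windows

def synth(freqs, seconds, amp=0.3):
    """Constructed test audio: a sum of sine tones (stand-in for a call)."""
    n = int(seconds * SAMPLE_RATE)
    return [amp * sum(math.sin(2 * math.pi * f * t / SAMPLE_RATE) for f in freqs)
            for t in range(n)]

# Constructed call: 0.5 s "speech", keypad digit 5 (770 + 1336 Hz) for 0.2 s, 0.5 s "speech".
CALL = synth([300, 440], 0.5) + synth([770, 1336], 0.2) + synth([300, 440], 0.5)
```

Running `mask_dtmf(CALL)` returns the masked audio and `[(0.5, 0.7)]`, the window a QSA would expect to see logged against the recording.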

What we can hand your auditor

  • Attestation of Compliance Summary

    Annual document mapping Voxago controls to PCI-DSS requirements.

  • Pause-Resume Demo

    Live 5-minute demo showing the agent UX and the audit log entries.

  • DTMF Masking Test Recording

    Sample WAV showing DTMF tones absent from the audio stream.

  • Network Architecture Diagram

    Voxago segmentation diagram for your QSA's scoping exercise.

SOC 2 · Global · SaaS Trust

Service Organization Control 2 — Type II

SOC 2 isn't a regulation, it's a question every B2B buyer's security team asks before signing: 'Can you send us your report?' Voxago is audited annually against the AICPA Trust Services Criteria — Security, Availability, and Confidentiality — with the report available under NDA. The questionnaire that used to take three weeks now takes thirty minutes.

Audit prep time
2 business days

Controls we map to

  • Type II Audit — Annual

    Independent third-party audit covering a minimum 6-month observation window. Renewed every year without lapse. Latest report covers January through December of the most recent calendar year.

  • Security — TSC CC6 Controls

    Logical and physical access controls, encryption at rest and in transit, change management with peer review, vulnerability scanning quarterly, pen-testing annually.

  • Availability — 99.95% Uptime SLA

    Multi-region active-active infrastructure with documented failover playbooks. 99.95% uptime commitment with service credits for breach. Live status page with historical incident data.

  • Confidentiality — Data Handling

    Customer data isolated per-tenant with encryption keys scoped per-org. No customer data used for model training, marketing, or sub-processor analytics without explicit opt-in.

  • Vendor & Sub-Processor Management

    Published sub-processor list (carriers, AI providers, cloud infrastructure). Customers notified 30 days before any new sub-processor processes their data. DPA available on request.

  • Incident Response Program

    24/7 on-call rotation, documented runbooks for the top 20 incident classes, post-mortems published internally within 5 business days, customer-facing post-mortems for SEV-1 within 10.

What we can hand your auditor

  • SOC 2 Type II Report

    Full audit report available under NDA — request via security@voxago.com.

  • Sub-Processor List

    Current sub-processors with data-handling scope, published on /trust.

  • Penetration Test Report

    Annual third-party pen-test summary, sanitized version available under NDA.

  • Customer DPA

    Standard Data Processing Agreement (countersign-ready) on request.

GDPR · European Union · Personal Data

General Data Protection Regulation

If your business touches EU residents — and most modern businesses do — GDPR isn't optional. Voxago ships an EU data residency option, a countersigned DPA on request, and self-service tooling for every subject right under Articles 15-22. The 'right to be forgotten' takes a click, not a Jira ticket.

Audit prep time
3 business days

Controls we map to

  • EU Data Residency

    Optional EU-only data plane: calls, recordings, transcripts, and metadata stay in Frankfurt or Paris regions. No transit through US infrastructure for EU tenants. Available on all plans.

  • Countersigned Data Processing Agreement

    Standard DPA with EU Standard Contractual Clauses (SCCs) for any cross-border transfer. Countersigned within 2 business days. Customer-redline accepted on request.

  • Subject-Rights Tooling

    Self-service export of all personal data tied to a phone number or email — Article 15 access, Article 16 rectification, Article 17 erasure, Article 20 portability — all available in the admin UI.

  • Lawful Basis Documentation

    Per-tenant configuration of recording consent flow — two-party-consent prompts, opt-out IVR, recording disclosures. Lawful basis documented per data category in our Records of Processing.

  • Sub-Processor Transparency

    Published list of sub-processors with data-handling scope and country of operation. 30-day notice before adding any new sub-processor that touches EU customer data.

  • Breach Notification — 72 hours

    Internal incident response targets 72-hour notification to affected customers — well inside the GDPR Article 33 supervisory authority window. Notification includes scope, mitigation, and timeline.

What we can hand your auditor

  • Data Processing Agreement

    Countersigned in ≤2 business days, with SCCs for cross-border transfers.

  • Records of Processing Summary

    Article 30 RoPA extract for Voxago as processor, mapped to your tenant.

  • Sub-Processor List

    Current sub-processors with country of operation, on /trust.

  • Transfer Impact Assessment

    TIA for US sub-processors per Schrems II, available on request.

Direct line · No sales hand-off

Talk to a real security engineer.

SOC 2 reports, custom DPAs, redlines, vendor questionnaires, pen-test summaries — handled directly by the team that owns the controls. One business day, every time.

Response SLA: ≤ 1 business day
Pen-test: Annual, under NDA
Sub-processors: Published & versioned
See it live

Book a 15-minute demo. We'll show you the exact setup for your team.

Get up and running in minutes — no credit card required. Cancel anytime.

See pricing
99.9% Uptime SLA
24/7 Expert Support
< 5 min Setup Time