Security

Security built into every layer.

From the call path to the dashboard, we protect customer data with the controls you'd expect from infrastructure that handles voice, transcripts, and billing every day.

Last updated · May 1, 2026
01

Overview

Receptic AI handles voice, transcripts, and customer information for thousands of businesses every day. Security isn't a feature for us — it's a prerequisite. This page summarizes how we protect that data at every layer of the stack.

02

Infrastructure

The platform runs on hardened cloud infrastructure in SOC 2, ISO 27001, and PCI-certified data centers. Production is fully isolated from staging and corporate networks.

  • Multi-region failover for the call path and dashboard.
  • Private VPCs, security groups, and zero public ingress to data stores.
  • Infrastructure-as-code with reviewed changes only.
  • EU data residency available on request.

03

Encryption

  • In transit: TLS 1.2+ across all public endpoints; mTLS between internal services.
  • At rest: AES-256 for databases, object storage, and backups.
  • Key management: KMS-backed envelope encryption with annual key rotation.
  • Secrets: Centralized secret store; no secrets in source or logs.

04

Access control

  • SSO is required for all employees; hardware-key 2FA for production access.
  • Role-based access with least-privilege defaults and quarterly reviews.
  • Just-in-time elevation for production with full audit trail.
  • Automated deprovisioning on offboarding within one business hour.

05

Application security

  • Mandatory peer review and automated security checks on every pull request.
  • Static analysis, dependency scanning, and secret scanning in CI.
  • Annual third-party penetration tests; remediation tracked to closure.
  • Continuous control monitoring through Vanta.

06

Monitoring & incident response

We collect application, infrastructure, and access logs into a central SIEM with 24/7 alerting on anomalous behavior.

  • Documented incident response runbook with on-call rotation.
  • Customer notification within 72 hours of a confirmed breach affecting their data.
  • Quarterly tabletop exercises and annual disaster recovery drills.

07

Data handling

Call recordings and transcripts are retained for 12 months by default and deleted on schedule. Customers can shorten retention or purge specific records at any time.

We do not use customer call content to train shared third-party AI models. Sub-processors are bound by data protection agreements with the same commitments.

08

Compliance

  • SOC 2 Type II — audited annually. See our SOC 2 page.
  • HIPAA BAA available on the Scale plan.
  • GDPR and CCPA support, including DPAs and Standard Contractual Clauses.
  • ISO 27001 alignment; certification roadmap in progress.

09

Responsible disclosure

If you believe you've found a vulnerability, please email security@receptic.ai with steps to reproduce. We acknowledge reports within 24 hours and commit to good-faith collaboration on remediation.