Security & Compliance

Security and Data Controls Built Into the Deployment

HaileyAI uses enterprise-grade infrastructure supported by SOC 2-audited subprocessors, with deployment-specific HIPAA- and GDPR-aligned data handling, encryption, controlled access, and PII redaction where configured. Final controls depend on the selected systems, data types, integrations, agreements, and customer requirements.

SOC 2-audited subprocessors Encryption in transit and at rest PII redaction where configured Deployment-specific security review

Security Control Areas

Reviewed by deployment
  • Enterprise infrastructure and relevant subprocessor controls reviewed
  • Encryption in transit and at rest through configured platforms
  • Environment, resilience, residency, and backup requirements scoped
  • Data minimization and purpose limitation by workflow
  • PII redaction, transcript, and recording controls where configured
  • Approved fields, retention, deletion, and access requirements documented
  • Role-based and least-privilege access principles
  • MFA, SSO, service credentials, and account ownership reviewed
  • Audit visibility depends on platform capability and scope
  • Retention periods aligned to business and contractual requirements
  • Deletion and export requirements reviewed by system and vendor
  • Model-training restrictions and purpose limits documented where required
  • Recording notices and consent language by client requirement
  • State, industry, and use-case requirements reviewed
  • Outbound, opt-out, DNC, and TCPA-sensitive workflows scoped separately
  • Subprocessors identified based on data flow and workflow function
  • Available SOC 2 reports, DPAs, BAAs, and security materials reviewed
  • Change-notice and contractual requirements addressed where applicable
  • Security and operational issues follow documented escalation paths
  • Vendor events, service failures, and suspected exposure reviewed by scope
  • Customer notification obligations and timelines defined contractually
  • Approved actions, prohibited actions, and human escalation documented
  • Reporting access and data visibility configured by need
  • Production changes follow testing, approval, and controlled rollout

Security and Compliance Positioning

AreaStatus LanguageDeployment Approach
SOC 2Audited subprocessorsRelevant infrastructure and service providers may maintain SOC 2 Type I and Type II reports. HaileyAI does not imply independent certification unless separately documented.
HIPAAScope-dependent supportHIPAA-sensitive workflows require review of PHI, vendors, BAAs, access, retention, recording, data flow, and permitted actions before launch.
GDPRProcessing and DPA reviewGDPR-related deployments may address purpose limitation, minimization, processor terms, transfer mechanisms, retention, deletion, access rights, and subprocessor disclosure.
PrivacyWorkflow and contract reviewCCPA, CPRA, and other privacy requirements are evaluated based on the customer’s role, data categories, consumer rights, retention, and applicable agreements.
PCI DSSApproved payment-provider scopePayment collection should use an approved PCI-compliant payment flow. Raw payment card data should not be captured or stored by HaileyAI outside an explicitly approved design.
Calling and consentUse-case dependentRecording notices, consent, outbound campaigns, opt-outs, calling windows, DNC requirements, and TCPA-sensitive workflows require customer and legal review.

Important: Compliance depends on the full system, including the customer’s policies, configured vendors, data flow, permissions, contracts, and operating practices. This page is not a blanket certification statement.

Infrastructure, Encryption, and Resilience

HaileyAI uses selected infrastructure, telephony, AI, storage, integration, and communication providers based on the deployed workflow. Relevant vendor security programs, attestations, data locations, encryption controls, and service commitments are reviewed during implementation.

Encryption

Encryption in transit and at rest is provided through configured platforms and infrastructure where supported. The final design should document which systems store or transmit customer information, how credentials are protected, and which party manages keys or access.

Residency, Backup, and Availability

Data residency, regional processing, backup, disaster recovery, failover, recovery objectives, and availability requirements should be confirmed in the deployment design and applicable agreements.

Security Testing

Relevant vendor testing, vulnerability management, available penetration-test materials, and customer-specific security testing requirements can be reviewed as part of due diligence and deployment planning.

Data Protection, Minimization, and PII Redaction

HaileyAI is designed to collect only the information required for approved call workflows. Data categories, required fields, prohibited fields, transcript scope, recording scope, and reporting visibility should be defined before production launch.

PII Redaction

PII redaction can be configured for supported workflows and platforms. The design should identify which information must be captured, which information should be masked or excluded, and whether redaction applies before storage, in transcripts, in reporting, or at another point in the data flow.

Hashing and Verification

Hashing such as SHA-256 may be used for integrity checks, verification, or non-reversible identifiers where appropriate. Hashing is not a substitute for encryption and should not be described as reversible data protection.

Identity, Access, and Credential Management

Access should follow operational need and least-privilege principles. Role-based access, administrative permissions, service accounts, credential ownership, secret storage, MFA, SSO, and audit visibility are reviewed based on the systems selected for the deployment.

Customer system access should be limited to the approved fields and actions required by the workflow. Access changes, credential rotation, offboarding, and emergency revocation responsibilities should be documented.

Retention, Deletion, Purpose Limitation, and Model Training

Retention should be based on operational need, legal requirements, customer policy, vendor capability, and contractual scope. Different records may require different retention periods, including recordings, transcripts, structured summaries, audit records, and integration data.

Deletion and Export

Deletion, export, legal hold, backup aging, and end-of-service requirements should be reviewed across every system that stores customer information. Vendor limitations and timeframes should be documented where relevant.

Purpose Limitation and AI Training

Customer data should be processed only for the approved service purpose. Model-training restrictions, data-use limitations, and vendor terms should be confirmed in the applicable DPA, service agreement, and subprocessor documentation when required.

Vendor and Subprocessor Management

HaileyAI deployments may use subprocessors for telephony, voice, AI inference, hosting, storage, analytics, integration, email, SMS, and workflow execution. The applicable list depends on the actual architecture.

Security review can include available SOC 2 reports, privacy terms, data-processing agreements, BAAs, data residency, training restrictions, incident obligations, deletion commitments, and subprocessor-change requirements. Some documentation may require an NDA or depend on vendor disclosure rules.

Incident Response and Customer Notification

Potential security events, vendor incidents, suspected exposure, service compromise, or material workflow failures should follow documented escalation and investigation procedures. The response process may involve containment, evidence preservation, vendor coordination, impact assessment, remediation, and customer communication.

Notification obligations, breach definitions, points of contact, reporting content, and timelines should be defined in the applicable agreement. Customer-specific notification windows can be reviewed during contracting.

Operational Governance, Human Control, and Change Management

Security also depends on what the AI call agent is permitted to do. Each workflow should define approved actions, prohibited actions, authentication requirements, escalation triggers, fallback behavior, and decisions that must remain with a human.

Material workflow, integration, permission, retention, or security changes should follow review, testing, approval, and controlled rollout. Reporting and QA can help identify unexpected behavior, tool failures, transfer issues, and out-of-scope requests after launch.

Security Review by Deployment Type

Healthcare

Review PHI, BAAs, access, recording, retention, minimum necessary data, escalation, and approved patient-facing workflows.

Enterprise Operations

Review SSO, MFA, RBAC, internal directories, vendor controls, incident terms, data residency, and customer IT ownership.

Financial and Payment Workflows

Review identity handling, approved account actions, payment-provider scope, logging, sensitive fields, and human authorization.

Service and Dispatch Operations

Review customer records, asset details, location data, technician access, ticketing, on-call escalation, and retention.

Agreements and Security Documentation

DPA, BAA, Security Questionnaire, and Vendor Review

HaileyAI can support customer security review, available vendor documentation, DPA and BAA discussions, subprocessor review, incident terms, data-use restrictions, retention requirements, and security questionnaires based on the proposed deployment.

Contact: security@gohailey.ai

Review Your Security Requirements

Bring your questionnaire, DPA, BAA, subprocessor requirements, retention rules, or customer security standard into the deployment review.

Security and Compliance FAQ

Final answers depend on the deployed architecture, customer requirements, subprocessor scope, contracts, data flow, and permitted workflows.

Is HaileyAI SOC 2 certified?

HaileyAI uses relevant subprocessors and infrastructure providers that maintain SOC 2 Type I or Type II reports where applicable. HaileyAI does not represent that it independently holds a SOC 2 report unless that status is separately documented during due diligence.

Can HaileyAI support HIPAA-sensitive workflows?

HaileyAI can support HIPAA-sensitive workflows when the complete deployment uses appropriate vendors, agreements, access controls, data handling, retention, recording, and approved operational scope. Whether a BAA is required must be reviewed before launch.

How does HaileyAI support GDPR-related requirements?

GDPR-related deployments can be reviewed for processor terms, purpose limitation, minimization, data-subject rights, retention, deletion, international transfers, subprocessor disclosure, and DPA requirements.

How is customer data encrypted?

Encryption in transit and at rest is provided through the configured infrastructure and platforms where supported. The deployment review should identify which systems store or transmit customer data, how credentials are protected, and which controls apply to each component.

Can HaileyAI redact PII from transcripts or reports?

PII redaction can be configured where supported. The exact fields, timing, transcript behavior, recording treatment, and report visibility depend on the workflow, vendor capability, and customer requirements.

How long is call data retained, and can it be deleted?

Retention and deletion are defined by deployment. Recordings, transcripts, summaries, integration data, and audit records may have different requirements. Vendor capabilities, backup aging, legal holds, exports, and end-of-service deletion should be documented.

Is customer data used to train AI models?

Purpose limitation and model-training restrictions should be documented in the applicable customer agreement, DPA, and vendor terms. Where required, the selected providers and configurations should prohibit customer data from being used for general model training without authorization.

How are subprocessors reviewed?

Subprocessors are reviewed based on their role, data access, security posture, available SOC 2 reports, privacy terms, incident obligations, residency, retention, deletion, and contract requirements. The applicable subprocessor list depends on the deployed architecture.

What happens if there is a security incident?

Security events follow documented escalation, investigation, containment, vendor coordination, impact assessment, remediation, and customer-communication procedures. Notification obligations and timelines are defined in the applicable agreement.

Can HaileyAI complete a security questionnaire or review a DPA or BAA?

Yes. HaileyAI can support security questionnaires, available vendor documentation, DPA and BAA review, subprocessor questions, data-flow review, retention requirements, and customer-specific security discussions based on the proposed deployment.

Discuss Your Security Requirements

Contact the security team for documentation, agreement review, subprocessors, data handling, retention, or customer questionnaires.