- Enterprise infrastructure and relevant subprocessor controls reviewed
- Encryption in transit and at rest through configured platforms
- Environment, resilience, residency, and backup requirements scoped
HaileyAI uses enterprise-grade infrastructure supported by SOC 2-audited subprocessors, with deployment-specific HIPAA- and GDPR-aligned data handling, encryption, controlled access, and PII redaction where configured. Final controls depend on the selected systems, data types, integrations, agreements, and customer requirements.
| Area | Status Language | Deployment Approach |
|---|---|---|
| SOC 2 | Audited subprocessors | Relevant infrastructure and service providers may maintain SOC 2 Type I and Type II reports. HaileyAI does not imply independent certification unless separately documented. |
| HIPAA | Scope-dependent support | HIPAA-sensitive workflows require review of PHI, vendors, BAAs, access, retention, recording, data flow, and permitted actions before launch. |
| GDPR | Processing and DPA review | GDPR-related deployments may address purpose limitation, minimization, processor terms, transfer mechanisms, retention, deletion, access rights, and subprocessor disclosure. |
| Privacy | Workflow and contract review | CCPA, CPRA, and other privacy requirements are evaluated based on the customer’s role, data categories, consumer rights, retention, and applicable agreements. |
| PCI DSS | Approved payment-provider scope | Payment collection should use an approved PCI-compliant payment flow. Raw payment card data should not be captured or stored by HaileyAI outside an explicitly approved design. |
| Calling and consent | Use-case dependent | Recording notices, consent, outbound campaigns, opt-outs, calling windows, DNC requirements, and TCPA-sensitive workflows require customer and legal review. |
Important: Compliance depends on the full system, including the customer’s policies, configured vendors, data flow, permissions, contracts, and operating practices. This page is not a blanket certification statement.
HaileyAI uses selected infrastructure, telephony, AI, storage, integration, and communication providers based on the deployed workflow. Relevant vendor security programs, attestations, data locations, encryption controls, and service commitments are reviewed during implementation.
Encryption in transit and at rest is provided through configured platforms and infrastructure where supported. The final design should document which systems store or transmit customer information, how credentials are protected, and which party manages keys or access.
Data residency, regional processing, backup, disaster recovery, failover, recovery objectives, and availability requirements should be confirmed in the deployment design and applicable agreements.
Relevant vendor testing, vulnerability management, available penetration-test materials, and customer-specific security testing requirements can be reviewed as part of due diligence and deployment planning.
HaileyAI is designed to collect only the information required for approved call workflows. Data categories, required fields, prohibited fields, transcript scope, recording scope, and reporting visibility should be defined before production launch.
PII redaction can be configured for supported workflows and platforms. The design should identify which information must be captured, which information should be masked or excluded, and whether redaction applies before storage, in transcripts, in reporting, or at another point in the data flow.
Hashing such as SHA-256 may be used for integrity checks, verification, or non-reversible identifiers where appropriate. Hashing is not a substitute for encryption and should not be described as reversible data protection.
Access should follow operational need and least-privilege principles. Role-based access, administrative permissions, service accounts, credential ownership, secret storage, MFA, SSO, and audit visibility are reviewed based on the systems selected for the deployment.
Customer system access should be limited to the approved fields and actions required by the workflow. Access changes, credential rotation, offboarding, and emergency revocation responsibilities should be documented.
Retention should be based on operational need, legal requirements, customer policy, vendor capability, and contractual scope. Different records may require different retention periods, including recordings, transcripts, structured summaries, audit records, and integration data.
Deletion, export, legal hold, backup aging, and end-of-service requirements should be reviewed across every system that stores customer information. Vendor limitations and timeframes should be documented where relevant.
Customer data should be processed only for the approved service purpose. Model-training restrictions, data-use limitations, and vendor terms should be confirmed in the applicable DPA, service agreement, and subprocessor documentation when required.
Recording notices, consent language, two-party-consent considerations, transcript use, disclosure language, outbound calling rules, opt-out handling, calling windows, and Do Not Call requirements vary by jurisdiction and use case.
HaileyAI can support compliance-aware workflow design, but the customer remains responsible for confirming legal requirements, approved language, campaign rules, and consent standards with counsel where appropriate.
HaileyAI deployments may use subprocessors for telephony, voice, AI inference, hosting, storage, analytics, integration, email, SMS, and workflow execution. The applicable list depends on the actual architecture.
Security review can include available SOC 2 reports, privacy terms, data-processing agreements, BAAs, data residency, training restrictions, incident obligations, deletion commitments, and subprocessor-change requirements. Some documentation may require an NDA or depend on vendor disclosure rules.
Potential security events, vendor incidents, suspected exposure, service compromise, or material workflow failures should follow documented escalation and investigation procedures. The response process may involve containment, evidence preservation, vendor coordination, impact assessment, remediation, and customer communication.
Notification obligations, breach definitions, points of contact, reporting content, and timelines should be defined in the applicable agreement. Customer-specific notification windows can be reviewed during contracting.
Security also depends on what the AI call agent is permitted to do. Each workflow should define approved actions, prohibited actions, authentication requirements, escalation triggers, fallback behavior, and decisions that must remain with a human.
Material workflow, integration, permission, retention, or security changes should follow review, testing, approval, and controlled rollout. Reporting and QA can help identify unexpected behavior, tool failures, transfer issues, and out-of-scope requests after launch.
Review PHI, BAAs, access, recording, retention, minimum necessary data, escalation, and approved patient-facing workflows.
Review SSO, MFA, RBAC, internal directories, vendor controls, incident terms, data residency, and customer IT ownership.
Review identity handling, approved account actions, payment-provider scope, logging, sensitive fields, and human authorization.
Review customer records, asset details, location data, technician access, ticketing, on-call escalation, and retention.
HaileyAI can support customer security review, available vendor documentation, DPA and BAA discussions, subprocessor review, incident terms, data-use restrictions, retention requirements, and security questionnaires based on the proposed deployment.
Contact: security@gohailey.ai
Bring your questionnaire, DPA, BAA, subprocessor requirements, retention rules, or customer security standard into the deployment review.
Final answers depend on the deployed architecture, customer requirements, subprocessor scope, contracts, data flow, and permitted workflows.
HaileyAI uses relevant subprocessors and infrastructure providers that maintain SOC 2 Type I or Type II reports where applicable. HaileyAI does not represent that it independently holds a SOC 2 report unless that status is separately documented during due diligence.
HaileyAI can support HIPAA-sensitive workflows when the complete deployment uses appropriate vendors, agreements, access controls, data handling, retention, recording, and approved operational scope. Whether a BAA is required must be reviewed before launch.
GDPR-related deployments can be reviewed for processor terms, purpose limitation, minimization, data-subject rights, retention, deletion, international transfers, subprocessor disclosure, and DPA requirements.
Encryption in transit and at rest is provided through the configured infrastructure and platforms where supported. The deployment review should identify which systems store or transmit customer data, how credentials are protected, and which controls apply to each component.
PII redaction can be configured where supported. The exact fields, timing, transcript behavior, recording treatment, and report visibility depend on the workflow, vendor capability, and customer requirements.
Retention and deletion are defined by deployment. Recordings, transcripts, summaries, integration data, and audit records may have different requirements. Vendor capabilities, backup aging, legal holds, exports, and end-of-service deletion should be documented.
Purpose limitation and model-training restrictions should be documented in the applicable customer agreement, DPA, and vendor terms. Where required, the selected providers and configurations should prohibit customer data from being used for general model training without authorization.
Subprocessors are reviewed based on their role, data access, security posture, available SOC 2 reports, privacy terms, incident obligations, residency, retention, deletion, and contract requirements. The applicable subprocessor list depends on the deployed architecture.
Security events follow documented escalation, investigation, containment, vendor coordination, impact assessment, remediation, and customer-communication procedures. Notification obligations and timelines are defined in the applicable agreement.
Yes. HaileyAI can support security questionnaires, available vendor documentation, DPA and BAA review, subprocessor questions, data-flow review, retention requirements, and customer-specific security discussions based on the proposed deployment.
Contact the security team for documentation, agreement review, subprocessors, data handling, retention, or customer questionnaires.
Security review connects directly to deployment design, reporting access, system integrations, managed operations, and the workflows HaileyAI supports.
Enter your details • Hailey calls in 30 seconds