Login
Contact sales

Squaretalk AI Platform – Security and Compliance Policy

Table of Contents

Last Edited: June 11, 2025

1. Overview

This document outlines the security, data handling, compliance, and policy protocols for Squaretalk’s AI platform, addressing key aspects relevant to enterprise clients, particularly those operating in regulated industries.

2. AI Platform Scope

Squaretalk AI provides a cloud-based and/or on-premise conversational AI platform enabling deployment of voice-based and text-based virtual agents. The platform includes:

  • Speech recognition
  • Natural Language Understanding (NLU)
  • Voice synthesis
  • Telephony services
  • Dashboards and analytics
  • Third-party integrations

AI orchestration may include third-party models such as ChatGPT (OpenAI) and Gemini (Google).

3. Data Storage & Transmission

  • All data, including call recordings, is securely stored in our third-party GCP account in the United States (us-east4).
  • Transcripts are stored in MongoDB Atlas, hosted in the United States, with strict access controls and encryption at rest and in transit.
  • Data is encrypted both in transit and at rest using industry-leading standards.
  • Role-Based Access Control (RBAC) is enforced. Only authorized personnel can access sensitive data.

4. Logging & Auditing

  • Policies are in place to monitor all system activity.
  • Audit Trails are maintained for all transactions to ensure data provenance.

5. Data Handling by AI Models

  • Squaretalk uses OpenAI, Gemini, and other providers for NLU and language tasks.
  • Clients must obtain end-user consent before processing voice or biometric data.
  • AI models are accessed via secure APIs and are not trained or fine-tuned on client data.
  • Data used for analysis or improvement is anonymized and aggregated.

6. Privacy & Regulatory Compliance

  • GDPR: Compliant
  • HIPAA: Compliant
  • SOC 2: Certified
  • PCI DSS: In progress

Data Subject Rights (depending on jurisdiction):

Data Sharing:

  • No call recordings, transcripts, or personal data are used for training by Squaretalk AI or any third-party AI provider.
  • Minimal necessary data is sent to AI models to perform tasks.
  • Data is sent in “private” mode under vendor agreements prohibiting training usage.
  • All data sent to sub-processors is encrypted and handled per our standards.

7. Data Processing Addendum (DPA)

  • Roles: Squaretalk AI is the Processor; the Client is the Controller.
  • Obligations:
    • Process only under client instruction
    • Maintain data security
    • Notify in case of breach
    • Assist with data subject rights
  • Subprocessors: List available on request; advance notice for changes
  • Transfers: International data transfers follow SCCs
  • Audits: Permitted annually with notice
  • Data Return/Deletion: Executed upon termination unless required otherwise

8. Acceptable Use Policy

Users must not:

  • Engage in unlawful, fraudulent, or harmful use
  • Use voice cloning or deepfake tech without consent
  • Train competing AI models on our platform
  • Disrupt or attempt to compromise platform operations

9. Fraud Detection & Compliance

  • Real-Time Flagging: Anomaly detection models flag potential fraud. Alerts are delivered via webhook based on client-defined triggers.
  • Reporting: Clients receive webhook data for use in external BI tools and reports are accessible in the Squaretalk system.
  • Audit Trails: Maintained and not deleted.

10. Monitoring & Incident Response

  • Tool Integration: Compatible with DataDog, AWS CloudWatch, Google Cloud Monitoring, Crowdstrike NG SIEM (client integration required).
  • Detection:
    • Performance issues
    • Cybersecurity anomalies
    • Infrastructure outages & behavioral anomalies
  • Incident Escalation: Through Freshservice or JIRA

11. Security Governance

Encryption
All data is encrypted at rest and in flight. Encryption standards used (AES-256). Transport Layer Security (TLS) version 1.2 and above, ensuring secure, encrypted communications that align with current industry best practices and compliance requirements. Older and less secure versions of TLS are explicitly disabled to protect data integrity, confidentiality, and to mitigate potential vulnerabilities.

Logging & Retention
Comprehensive logging is implemented across all systems to capture authentication events, user actions, system changes, and operational metrics. Logs are stored in a centralized and secure location with access restricted to authorized personnel. Retention policies are in place to ensure logs are preserved for an appropriate duration to support auditing, security investigations, and compliance requirements. All logs are time-stamped, tamper-resistant, and monitored continuously to detect anomalies or unauthorized activities.

Policy Enforcement
Security and operational policies are enforced consistently across all systems and environments to ensure compliance with internal standards and client requirements. Access controls, data handling procedures, and development practices are governed by documented policies that are reviewed and updated regularly. Enforcement is supported through automated tools, code reviews, and infrastructure-as-code validations. Violations are logged, monitored, and addressed promptly through defined escalation and remediation processes. All employees and contractors are required to acknowledge and adhere to these policies as a condition of access.

Business Continuity and Disaster Recovery
The system is designed to ensure high availability and rapid recovery in the event of disruptions. Critical services are deployed across multiple availability zones to reduce the impact of localized failures. Automated backups are performed regularly, including hourly, daily, weekly, and monthly snapshots, with defined retention periods to support data restoration. Disaster recovery procedures are tested periodically to validate recovery time objectives (RTO) and ensure operational readiness. Monitoring and alerting systems are in place to detect incidents promptly, enabling a coordinated response to maintain service continuity and minimize downtime.

A formal Business Continuity Plan (BCP) is in place to ensure that essential operations can continue during and after a disruptive event. The plan outlines procedures for maintaining critical business functions, communication protocols, and roles and responsibilities across the organization. It includes predefined recovery strategies for various scenarios, such as infrastructure outages, data loss, or third-party service disruptions. Regular reviews and tabletop exercises are conducted to validate the plan’s effectiveness and to ensure that all key personnel are prepared to respond swiftly and effectively in the event of an incident.

Authentication and Authorization
We enforce secure authentication and role-based authorization across our platform. User sessions are managed using short-lived, signed JWT tokens following best practices. Access control is strictly role-based, ensuring that users and systems can only perform actions or access data permitted by their assigned roles. All authentication and authorization events are logged for auditing, with ongoing monitoring in place to detect anomalies or unauthorized access attempts.

Infrastructure Segregation
Our infrastructure is architected with strict segregation to protect client data and maintain system integrity. Production environments are isolated from development and testing environments using separate Virtual Private Clouds (VPCs). Access to the production environment is restricted to a small group of designated personnel and is only permitted for critical support and monitoring purposes. Customer data is logically separated, and enterprise deployments can be hosted in dedicated environments to meet specific isolation or compliance requirements. Network-level controls, firewall policies, and role-based access are enforced to prevent unauthorized access across environments.

12. Administrative Features

  • Dashboards: Customizable BI dashboards via the Analytics tab; campaign-specific metrics available.
  • Policy Control: Admins can manage access and behavior.
  • Model Tuning: Clients can configure campaigns and models to suit business requirements.

13. Vendor Qualifications

  • Enterprise Experience: Proven deployments in regulated industries (e.g., financial trading sector)
  • Compliance Status:
    • SOC 2: Certified
    • GDPR: Compliant
    • HIPAA: Compliant
    • PCI DSS: In progress

14. AI Risk Disclosure

  • AI outputs may be incomplete, inaccurate, or misleading.
  • Human oversight is required for critical decision-making.
  • Squaretalk disclaims liability for reliance on AI-generated outputs.

15. Contact

Squaretalk
Email: support@squaretalk.com
Website: https://squaretalk.com

Get a Free Growth Session and Demo

A woman with a "Wait!" sign

Experience a live demo customized around your unique business goals, workflows, pain points and challenges, and find out why Squaretalk is the perfect call center solution for organizations like yours.