Security overview.
How we encrypt, where we host, who has access, and what we do (and don't do) with your customer call data.
Encryption
- At rest. AES-256, separate keys per customer, rotated automatically every 90 days.
- In transit. TLS 1.3 for all browser, API, and inter-service traffic.
- Call media. Encrypted in transit (SRTP) and at rest. Stored only as long as your retention setting permits (default 90 days, configurable 7d–7y).
Hosting + regions
We run on AWS in four regions: Sydney (default for AU customers), us-east-1 (default for US), eu-central-1 (EEA + UK), ap-southeast-1 (rest of APAC). Pick your data residency region during setup; it cannot be changed without a migration ticket.
Access controls
- SSO via SAML 2.0 (Okta, Azure AD, Google Workspace, JumpCloud). MFA enforced.
- Role-based access. Default roles: Owner, Admin, Operator, Analyst, Read-only.
- Audit log of every dashboard action, retained 12 months.
- Per-role PHI/PII unlock for healthcare and legal customers.
Certifications
- SOC 2 Type II — annual audit, current report available on request via the Trust Center.
- PCI DSS Level 1 — for the payment-handling subset of the platform.
- HIPAA-aligned, BAA available on Growth and Scale plans.
- GDPR + CCPA + APP-compliant. DPA available on request.
What we don't do with your data
We don't train foundation models on customer call data. Period. Aggregate, de-identified statistics may be used to improve persona templates, but only with your written agreement. There is no opt-out checkbox you have to find — the default is no.
Incident response
Status updates are published in real time at status.izzyops.com. Security incidents are disclosed to affected customers within 72 hours, sooner where applicable law requires.