Trust & Compliance

Is the call data secure and private?

Yes. All calls handled by DirectCall AI are encrypted in transit using TLS 1.2+ and encrypted at rest using AES-256. Call recordings and transcripts are stored in isolated, access-controlled infrastructure. Only authenticated users on your account can view, search, or export that data — no one at DirectCall AI accesses it without explicit permission, and it is never used to train models or shared with any third party.

Practically speaking, encryption in transit means that the audio stream between the caller's phone, our voice infrastructure, and our servers cannot be intercepted and read by anyone on the network path. Encryption at rest means that the files sitting on disk — recordings, transcripts, caller contact details — are stored in an encrypted format. Even if a storage system were compromised, the data would be unreadable without the decryption keys, which are managed separately and rotated regularly.

Access to your call data is controlled by the credentials you set up during onboarding. You can grant or revoke dashboard access for team members at any time. No DirectCall AI employee views call recordings or transcripts unless you open a support ticket and explicitly share a transcript for troubleshooting purposes. Our data retention policy keeps your recordings and transcripts for the duration of your active subscription, plus a 30-day window after cancellation for data export. After that window, data is permanently deleted.

For businesses in regulated industries — particularly healthcare, dental, and mental health practices — we offer HIPAA-aligned configurations. This includes a signed Business Associate Agreement (BAA), restricted data handling procedures, and audit logging of all access events. If your practice handles Protected Health Information (PHI) over the phone, contact us before going live so we can set up the appropriate configuration. Businesses subject to GDPR, whether operating in the EU or handling EU residents' data, can similarly request a Data Processing Agreement (DPA) that outlines our processing activities and your rights as a data controller.

If your organization requires compliance documentation — security questionnaires, SOC 2 summaries, data flow diagrams, or our full privacy policy and DPA templates — these are available on request through your account manager or by emailing our compliance team. We aim to make the documentation process straightforward so security reviews do not slow down your deployment.