Security & Compliance Overview
Converse is designed for regulated industries. Whether you operate in healthcare or financial services, or handle EU or Indian personal data, this section explains how the platform protects your data and your customers' data.
Data Isolation
How multi-tenancy works. Every workspace is completely siloed — at the database, application, and pipeline layers.
HIPAA (Healthcare)
Enabling PHI protection, encryption, and audit logging for healthcare deployments in the US.
GDPR (EU / UK)
Data residency, retention policies, right to erasure, and consent management for European users.
Finance & PCI DSS
Controls for financial services: PCI DSS cardholder data, SOC 2, and call recording requirements.
India (DPDP / TRAI)
India's Digital Personal Data Protection Act and TRAI telemarketing regulations for outbound calls.
Security baseline — every workspace
These controls are active for every organization on the platform, regardless of plan:
Storage-level isolation
Your organization's data is isolated at the storage layer itself — not just in application logic. Even in the event of an application bug, the storage layer independently prevents cross-tenant data access.
Encrypted credentials
Telephony provider credentials are encrypted before they are written to storage and stay encrypted at rest. They are never returned in API responses, written to logs, or displayed to any user, including members of your own team.
Encryption in transit
All data in transit — dashboard, API calls, voice streams, webhooks — is encrypted using current industry-standard protocols.
Token-based authentication
All API requests use short-lived signed tokens. Each token is checked for a valid signature and an unexpired lifetime, and matched to your organization's identity, before any data operation is permitted.
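The checks described above, as an added example in Python. This is illustrative code, not Converse's implementation: the token layout (base64url JSON payload plus HMAC-SHA256 signature), the claim names (`org`, `sub`, `iat`, `exp`), the five-minute TTL and the in-code signing key are all assumptions. It shows the order a verifier should apply, signature first so that no unauthenticated claim is trusted, then expiry, then organization binding, and how a data operation is keyed by the verified claims rather than by a caller-supplied organization.

```python
"""Short-lived, signed, organization-bound API tokens: issue and verify.

Added example, not Converse's code. Token format, claim names, TTL and key
handling are assumptions chosen to show the checks a request must pass before
a data operation runs: authentic signature, not expired, issued for the
organization whose data is being touched.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed signing key; a deployment would load this from a secret store.
SIGNING_KEY = b"example-signing-key-not-for-production"
TOKEN_TTL_SECONDS = 300  # "short-lived": five minutes


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(org_id: str, actor: str, now: Optional[float] = None) -> str:
    """Mint `<payload>.<signature>`; the payload carries org, actor, issue and expiry times."""
    now = time.time() if now is None else now
    claims = {"org": org_id, "sub": actor, "iat": int(now), "exp": int(now) + TOKEN_TTL_SECONDS}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return f"{_b64url(payload)}.{_b64url(sig)}"


def verify_token(token: str, expected_org: str, now: Optional[float] = None) -> dict:
    """Return the claims if the token is authentic, unexpired and bound to expected_org.

    Raises PermissionError otherwise. The signature is checked before the payload is
    parsed, so nothing in an unauthenticated payload (including its org claim) is trusted.
    """
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64url(payload_b64), _unb64url(sig_b64)
    except (ValueError, binascii.Error):
        raise PermissionError("malformed token")
    expected_sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected_sig):  # constant-time comparison
        raise PermissionError("bad signature")
    claims = json.loads(payload)
    if claims["exp"] <= now:
        raise PermissionError("token expired")
    if claims["org"] != expected_org:  # a valid token for org A never unlocks org B's data
        raise PermissionError("token not issued for this organization")
    return claims


def rejection_reason(token: str, expected_org: str, now: Optional[float] = None) -> Optional[str]:
    """None if the token is accepted, otherwise the reason it was refused."""
    try:
        verify_token(token, expected_org, now)
        return None
    except PermissionError as exc:
        return str(exc)


def read_transcript(token: str, org_id: str, transcript_id: str, now: Optional[float] = None) -> str:
    """A data operation gated on verify_token(). The store is a constructed stand-in and is
    keyed by the org from the *verified* claims, never by a caller-supplied value."""
    claims = verify_token(token, org_id, now)
    store = {("org-a", "t1"): "transcript for org-a", ("org-b", "t9"): "transcript for org-b"}
    return store[(claims["org"], transcript_id)]


if __name__ == "__main__":
    token = issue_token("org-a", "alice@example.com")
    print(read_transcript(token, "org-a", "t1"))
    print(rejection_reason(token, "org-b"))  # refused: token not issued for this organization
```

Two details matter in practice: the signature comparison uses `hmac.compare_digest` so timing does not leak how many bytes matched, and the organization check compares the claim inside the signed payload with the organization the request is trying to read, so a token that is perfectly valid for one tenant is still refused for another.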
Activity logging
Every configuration change, login, and API call is recorded in an append-only activity log with actor and timestamp; configuration changes additionally record the before and after values.
Pipeline isolation
During a live call, the system loads only the agents, flows, knowledge, and tools belonging to that session's organization. Access to another organization's resources within a session is not possible.
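The storage-level and pipeline isolation described above, as an added example in Python with SQLite. This is not Converse's schema or code; the table, view and column names are assumptions, and the `session_context` table stands in for per-connection database state (the role that `SET LOCAL` settings and row-level security policies play in PostgreSQL). The point it demonstrates is that the tenant filter lives in the database, not in the application: the call pipeline reads a scoped view with no filter of its own, a simulated application bug that asks for another tenant's agent id gets nothing back, writes are stamped with the session's organization regardless of what the caller passes, and a connection with no bound organization reads nothing at all.

```python
"""Tenant isolation enforced in the storage layer, sketched with SQLite.

Added example, not Converse's schema or code; table, view and column names are
assumptions. The organization filter lives in the database (a view bound to a
per-connection session context), so a query written by buggy application code
still cannot reach another organization's rows.
"""
import sqlite3
from typing import List, Optional


def open_store() -> sqlite3.Connection:
    """Constructed schema and seed rows for two tenants, org-a and org-b."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE agents (id TEXT PRIMARY KEY, org_id TEXT NOT NULL, name TEXT NOT NULL);
        -- Holds the organization this connection serves; stands in for per-session DB state.
        CREATE TABLE session_context (org_id TEXT NOT NULL);
        -- The only surface application code touches: the tenant filter is baked into the view.
        -- With no bound organization the subquery is NULL and the view returns no rows.
        CREATE VIEW agents_v AS
            SELECT id, name FROM agents
            WHERE org_id = (SELECT org_id FROM session_context);
        -- Writes through the view are stamped with the session org; the caller cannot choose one.
        CREATE TRIGGER agents_v_insert INSTEAD OF INSERT ON agents_v
        BEGIN
            INSERT INTO agents (id, org_id, name)
            VALUES (NEW.id, (SELECT org_id FROM session_context), NEW.name);
        END;
        """
    )
    db.executemany(
        "INSERT INTO agents VALUES (?, ?, ?)",
        [("a1", "org-a", "Billing bot"), ("a2", "org-a", "Triage bot"), ("b1", "org-b", "Claims bot")],
    )
    return db


def bind_session(db: sqlite3.Connection, org_id: str) -> None:
    """Bind the connection to the organization from the verified token, before any data access."""
    db.execute("DELETE FROM session_context")
    db.execute("INSERT INTO session_context VALUES (?)", (org_id,))


def load_agents_for_call(db: sqlite3.Connection) -> List[str]:
    """What the call pipeline loads: only the session org's agents, with no filter in app code."""
    return [row[0] for row in db.execute("SELECT id FROM agents_v ORDER BY id")]


def buggy_lookup(db: sqlite3.Connection, agent_id: str) -> List[str]:
    """Simulated application bug: a caller-controlled id that names another tenant's agent.
    The view still applies the session filter, so nothing comes back."""
    return [row[0] for row in db.execute("SELECT name FROM agents_v WHERE id = ?", (agent_id,))]


def create_agent(db: sqlite3.Connection, agent_id: str, name: str) -> None:
    """Application inserts through the view; the trigger assigns org_id from the session."""
    db.execute("INSERT INTO agents_v (id, name) VALUES (?, ?)", (agent_id, name))


def agent_owner(db: sqlite3.Connection, agent_id: str) -> Optional[str]:
    """Operator-side check against the base table (not reachable by tenant code in a real deployment)."""
    row = db.execute("SELECT org_id FROM agents WHERE id = ?", (agent_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    store = open_store()
    bind_session(store, "org-a")
    print(load_agents_for_call(store))  # ['a1', 'a2']
    print(buggy_lookup(store, "b1"))    # [] : org-b's agent is invisible to this session
```

SQLite has no per-role grants, so in this sketch tenant code could still query the `agents` base table directly; in a production database the application role is granted access only to the scoped views (or the base tables carry row-level security policies) so that the bypass is not available even to buggy code. The fail-closed behaviour of an unbound session is worth keeping: forgetting to bind the organization should return nothing, never everything.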
Optional security features
Enable additional controls from Settings → Security for regulated deployments:
| Feature | What it does | Required for |
|---|---|---|
| PHI Protection | Redacts phone numbers, emails, and card numbers from stored transcripts | HIPAA |
| End-to-End Encryption | Encrypts call audio at the media layer so it cannot be decrypted in transit by any intermediate party | HIPAA, high-security |
| Call Recording | Stores audio recordings with per-track encryption | Financial audit, QA |
| Tamper-evident Audit Log | Append-only, tamper-evident record of all changes, logins, and API calls | HIPAA, SOC 2, GDPR |
| Consent Tracking | Records explicit consent before recording begins | GDPR, CCPA, TRAI |
| Data Residency (India) | Keeps all data within Indian data centers | DPDP Act, RBI guidelines |
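The append-only activity log from the security baseline and the tamper-evident audit log in the table above describe the same kind of record. The following added example in Python shows one common way to make such a log tamper-evident, a hash chain in which every entry commits to the previous entry's hash. It is illustrative code, not Converse's implementation: the entry fields, the SHA-256 chaining scheme and the in-memory storage are assumptions. Configuration changes carry before/after values; logins and API calls carry actor, action and timestamp only, and editing or deleting any earlier entry makes verification fail from that point on.

```python
"""Hash-chained, append-only activity log.

Added example, not Converse's implementation: entry fields, hashing scheme and
storage are assumptions. Each entry commits to the previous entry's hash, so
editing or deleting any past record breaks verification of everything after it.
"""
import hashlib
import json
from typing import Any, Dict, List, Optional

GENESIS = "0" * 64  # chain link for the very first entry


def _hash_entry(entry: Dict[str, Any]) -> str:
    """SHA-256 over canonical JSON of every field except the hash itself."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


class ActivityLog:
    def __init__(self) -> None:
        self._entries: List[Dict[str, Any]] = []

    def append(self, actor: str, action: str, ts: int, before: Any = None,
               after: Any = None, target: Optional[str] = None) -> Dict[str, Any]:
        """Append one record; its `prev` field is the previous entry's hash."""
        entry = {
            "seq": len(self._entries),
            "ts": ts,
            "actor": actor,
            "action": action,
            "target": target,
            "before": before,
            "after": after,
            "prev": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        entry["hash"] = _hash_entry(entry)
        self._entries.append(entry)
        return entry

    def record_config_change(self, actor: str, ts: int, setting: str,
                             before: Any, after: Any) -> Dict[str, Any]:
        """Configuration changes are the one event type that carries before/after values."""
        return self.append(actor, "config.update", ts, before, after, target=setting)

    def entries(self) -> List[Dict[str, Any]]:
        return list(self._entries)

    def verify(self) -> Optional[int]:
        """Return the seq of the first entry that fails, or None if the whole chain is intact.

        An entry fails if its position, its link to the previous hash, or its own hash
        no longer agree with its content.
        """
        prev = GENESIS
        for i, e in enumerate(self._entries):
            if e["seq"] != i or e["prev"] != prev or _hash_entry(e) != e["hash"]:
                return i
            prev = e["hash"]
        return None

    # The two methods below simulate out-of-band edits to the backing store,
    # the kind of tampering the chain exists to expose. They are not part of the log API.
    def tamper_for_demo(self, seq: int, field: str, value: Any) -> None:
        self._entries[seq][field] = value

    def delete_for_demo(self, seq: int) -> None:
        del self._entries[seq]


if __name__ == "__main__":
    log = ActivityLog()
    log.append("alice@example.com", "login", 1700000000)
    log.record_config_change("alice@example.com", 1700000050, "phi_protection", False, True)
    print(log.verify())               # None: chain intact
    log.tamper_for_demo(1, "after", False)
    print(log.verify())               # 1: the edited entry no longer matches its hash
```

A chain like this detects edits and deletions inside the log, but an attacker who can rewrite the entire store can recompute every hash. Tamper evidence therefore also depends on anchoring the latest hash somewhere the log's writers cannot reach, for example by periodically signing it or publishing it to a separate, write-once location.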
