
Security & Compliance Overview

Converse is designed for regulated industries. Whether you operate in healthcare, financial services, or handle EU or Indian personal data, this section explains exactly how the platform protects your data and your customers' data.

Security baseline — every workspace

These controls are active for every organization on the platform, regardless of plan:

🔒

Storage-level isolation

Your organization's data is isolated at the storage layer itself — not just in application logic. Even in the event of an application bug, the storage layer independently prevents cross-tenant data access.

🔐

Encrypted credentials

Telephony provider credentials are encrypted at rest before being stored. They are never returned in API responses, logged, or visible to any user — including your own team.

🌐

Encryption in transit

All data in transit — dashboard, API calls, voice streams, webhooks — is encrypted using current industry-standard protocols.

🔑

Token-based authentication

All API requests use short-lived signed tokens. Tokens are verified against your organization's identity before any data operation is permitted.

📋

Activity logging

Every configuration change, login, and API call is recorded in an append-only activity log with actor, timestamp, and before/after values.

🏢

Pipeline isolation

During a live call, the system loads only the agents, flows, knowledge, and tools belonging to that session's organization. Access to another organization's resources within a session is not possible.

Optional security features

Enable additional controls from Settings → Security for regulated deployments:

| Feature | What it does | Required for |
| --- | --- | --- |
| PHI Protection | Redacts phone numbers, emails, and card numbers from stored transcripts | HIPAA |
| End-to-End Encryption | Encrypts call audio at the media layer so it cannot be decrypted in transit by any intermediate party | HIPAA, high-security |
| Call Recording | Stores audio recordings with per-track encryption | Financial audit, QA |
| Tamper-evident Audit Log | Immutable log of all changes, logins, and API calls | HIPAA, SOC 2, GDPR |
| Consent Tracking | Records explicit consent before recording begins | GDPR, CCPA, TRAI |
| Data Residency (India) | Keeps all data within Indian data centers | DPDP Act, RBI guidelines |

Compliance is a shared responsibility

Converse provides the technical controls described in this documentation. However, achieving compliance in your specific deployment also requires your organization to implement appropriate policies, staff training, business associate agreements, and ongoing risk assessments. This documentation describes platform capabilities, not a compliance certification.