Built for conversations
that can’t leak.
ISO 27001-certified and SOC 2 Type II-audited infrastructure, UK GDPR, NHS DSPT compliance, PCI DSS-compliant payment handling, BYO-KMS, and UK or EU residency — implemented as runtime controls, not policy documents. The artifacts your security and compliance teams will actually want to read, on a service we run end to end for you.
Three commitments
everything else follows from.
Security at Convexa starts with three rules. Every control below is how we enforce them, and they are committed in writing in our data processing agreement.
Your data stays yours
We don’t train on your call audio, transcripts, or knowledge base content. It’s in every contract, and the runtime enforces it.
Least-privilege by default
Per-agent secrets, per-call scopes, and per-role access. The model never sees raw credentials. Our operators see only what their role permits, and every access is logged.
Reversible and auditable
Every action is recorded in a tamper-evident log. Every change is versioned. Every export is reproducible. The compliance trail is part of the service we run for you, not a quarterly project.
Controls, verified
by independent auditors.
Where the bytes go.
Where they don't.
For every conversation, this is the lifecycle — at rest, in transit, in scope, out of scope. It is the same handling we run for regulated work in healthcare and financial services.
In flight
- SRTP media · TLS 1.3 signaling
- Per-call ephemeral session keys
- Tokenized PAN capture if present
- No raw audio retained outside region
At rest
- AES-256-GCM, per-deployment KEK
- PII / PHI auto-redacted in transcripts
- Retention per your policy
- BYO-KMS on Enterprise
In use
- RBAC + SSO required
- Audit log on every read
- Watermarked exports
- Right-to-delete actioned on request
Your data stays
where you need it.
Choose a region for each deployment. Convexa keeps recordings, transcripts, and derived data inside it — including for AI inference.
Every vendor who can
see anything.
| Sub-processor | Purpose | Data accessed | Region |
|---|---|---|---|
| Amazon Web Services | Cloud hosting · object storage | encrypted data at rest | US · EU · UK · AU · CA |
| Google Cloud Platform | Secondary cloud · regional residency | encrypted data at rest | EU · UK · BR · JP |
| Cloudflare | Edge CDN, DDoS protection | request metadata | global |
| Twilio | Carrier-grade telephony | call metadata, signaling | US · EU |
| Bandwidth | US PSTN termination | call metadata | US |
| Stripe | Customer billing | billing contact only | US · EU |
| DataDog | Infra observability | metrics, error traces (no PII) | US |
| PagerDuty | Internal on-call paging | infra alerts only | US |
Customers are notified by email 30 days before a new sub-processor is added.
Documents your security
team will ask for.
Available on request through our trust center, under NDA — usually within 30 minutes. Infrastructure certifications are provided from our platform provider; service-level documents are our own.
Things everyone asks.
Talk to a security engineer who's been through your industry's audit.