Security Is Operational Infrastructure
Compliance and data protection aren't features we added — they're the foundation we built on. Every call, every message, every data point is handled with the rigor your business requires.
How We Protect Your Data and Your Compliance
Each layer of the platform is built with security and regulatory compliance as a hard requirement — not an afterthought.
Data Privacy & Encryption
All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Call recordings, transcripts, and customer data are isolated per organization with row-level security enforced at the database layer.
Multi-Tenant Isolation
Every organization operates in a fully isolated environment. Row-level security policies ensure that data access is scoped to the authenticated user's organization — no cross-tenant data leakage is possible at the query layer.
TCPA Compliance
Calling hours are hard-enforced to 8 AM – 9 PM in the recipient's timezone. Maximum attempt limits (2/day, 5/week per contact) and Do Not Call list enforcement are built into the calling engine — not configurable overrides.
A2P 10DLC Registration
All SMS messaging is sent through verified A2P 10DLC channels. Brand and campaign registration is handled automatically during onboarding, ensuring carrier-level deliverability and regulatory compliance.
Access Controls
Role-based permissions control who can access what. Organization owners manage team members, and administrative actions are restricted to verified platform administrators. No shared logins, no ambiguous access.
Audit Trail & Consent Tracking
Every outbound call includes explicit AI and recording disclosures. Compliance consent records are immutable — once stored, they cannot be modified or deleted. Full call logs, transcripts, and consent records provide a complete audit trail.
Infrastructure Security
- Application served over TLS with automatic certificate management, DDoS protection, and global edge networking
- Managed PostgreSQL database with encrypted connections, row-level security, and automated daily backups
- Telephony infrastructure with per-organization isolation and AES-256-GCM encrypted credential storage
- Real-time voice processing with automatic restarts, health monitoring, and graceful shutdown on failure
Compliance Architecture
- TCPA calling hours enforced at the application layer — cannot be overridden by users
- All-party recording consent statement on every outbound call
- Inbound calls follow FCC guidelines — no AI disclosure required
- DNC lists checked before every outbound dial, with immediate opt-out enforcement
- Maximum attempt limits prevent over-contacting (2/day, 5/week per contact)
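The checks described under TCPA Compliance and in the list above (recipient-local calling hours, per-contact attempt limits, DNC lookup before every dial, immediate opt-out) can be expressed as a single pre-dial gate. The following Python is an added illustration, not GetsYou's calling engine; it assumes rolling 24-hour and 7-day windows for the 2/day and 5/week limits, treats 9 PM as the first excluded local hour, and stores each contact's timezone as a tzinfo object (the fixed offsets in the sample data are constructed; a real record would carry an IANA name resolved with zoneinfo).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone, tzinfo

# Limits as stated on the page: 8 AM - 9 PM recipient-local, 2 attempts/day, 5/week.
CALL_WINDOW_START_HOUR = 8    # first permitted local hour (inclusive)
CALL_WINDOW_END_HOUR = 21     # 9 PM local; treated here as exclusive (assumption)
MAX_ATTEMPTS_PER_DAY = 2
MAX_ATTEMPTS_PER_WEEK = 5


@dataclass
class Contact:
    phone: str
    tz: tzinfo                                    # recipient's local timezone
    attempts: list = field(default_factory=list)  # UTC timestamps of prior dial attempts


def within_calling_hours(now_utc: datetime, tz: tzinfo) -> bool:
    """True if the current moment falls inside the permitted window in the recipient's timezone."""
    local = now_utc.astimezone(tz)
    return CALL_WINDOW_START_HOUR <= local.hour < CALL_WINDOW_END_HOUR


def attempts_within(attempts, now_utc: datetime, window: timedelta) -> int:
    """Count prior attempts that fall inside a rolling window ending now (assumed window semantics)."""
    cutoff = now_utc - window
    return sum(1 for t in attempts if t > cutoff)


def dial_allowed(contact: Contact, now_utc: datetime, global_dnc: set, org_dnc: set):
    """Return (allowed, reason). Every check runs before any dial and none is a user-configurable override."""
    if contact.phone in global_dnc or contact.phone in org_dnc:
        return False, "dnc"
    if not within_calling_hours(now_utc, contact.tz):
        return False, "outside_calling_hours"
    if attempts_within(contact.attempts, now_utc, timedelta(days=1)) >= MAX_ATTEMPTS_PER_DAY:
        return False, "daily_limit"
    if attempts_within(contact.attempts, now_utc, timedelta(days=7)) >= MAX_ATTEMPTS_PER_WEEK:
        return False, "weekly_limit"
    return True, "ok"


def record_opt_out(org_dnc: set, phone: str) -> None:
    """Immediate opt-out: the number is on the org DNC list before the next dial is evaluated."""
    org_dnc.add(phone)


def run_demo() -> dict:
    """Evaluate constructed sample contacts and return {phone: reason}."""
    now = datetime(2024, 6, 3, 18, 0, tzinfo=timezone.utc)  # constructed "current time"
    central = timezone(timedelta(hours=-5))                  # constructed: UTC-5, 13:00 local
    tokyo = timezone(timedelta(hours=9))                     # constructed: UTC+9, 03:00 local
    contacts = [
        Contact("+15550000001", central, [now - timedelta(days=1)]),
        Contact("+15550000002", tokyo, []),
        Contact("+15550000003", central, [now - timedelta(hours=1), now - timedelta(hours=2)]),
        Contact("+15550000004", central, [now - timedelta(days=d) for d in range(2, 7)]),
        Contact("+15550000005", central, []),
    ]
    global_dnc: set = set()
    org_dnc: set = set()
    record_opt_out(org_dnc, "+15550000005")  # contact asked to be removed mid-call
    return {c.phone: dial_allowed(c, now, global_dnc, org_dnc)[1] for c in contacts}


if __name__ == "__main__":
    for phone, reason in run_demo().items():
        print(phone, reason)
```

The order of the checks matters for auditability: a DNC hit is reported as such even when the call would also have failed the time-of-day test, so the reason logged for each blocked dial is the one a compliance reviewer would expect to see.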
Data Handling
- Customer data never leaves your organization's security boundary
- Telephony credentials encrypted with AES-256-GCM before database storage
- Call recordings stored in organization-scoped storage with configurable retention
- Database row-level security ensures queries cannot access other organizations' data
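The page states that telephony credentials are encrypted with AES-256-GCM before they reach the database and that storage is isolated per organization. The following Python is an added example of how those two properties can be tied together; it is not GetsYou's code, and it assumes the `cryptography` package, a key supplied from outside the database, and the use of the organization id as GCM associated data (so a ciphertext row copied under another organization fails its tag check instead of decrypting).

```python
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the standard size for GCM


def encrypt_credential(key: bytes, org_id: str, secret: bytes) -> dict:
    """Seal a telephony credential for one organization before it is written to the database.

    org_id is bound as associated data: authenticated by the GCM tag but not encrypted.
    """
    if len(key) != 32:
        raise ValueError("AES-256-GCM requires a 32-byte key")
    nonce = os.urandom(NONCE_LEN)  # fresh random nonce per encryption; never reused with a key
    ciphertext = AESGCM(key).encrypt(nonce, secret, org_id.encode())
    return {"org_id": org_id, "nonce": nonce.hex(), "ciphertext": ciphertext.hex()}


def decrypt_credential(key: bytes, record: dict, requesting_org_id: str) -> bytes:
    """Open a stored credential on behalf of requesting_org_id.

    The caller's organization, not the stored org_id field, is used as associated data,
    so the tag check fails (InvalidTag) if the record does not belong to the caller.
    """
    nonce = bytes.fromhex(record["nonce"])
    ciphertext = bytes.fromhex(record["ciphertext"])
    return AESGCM(key).decrypt(nonce, ciphertext, requesting_org_id.encode())


def cross_tenant_read_rejected(key: bytes, record: dict, other_org_id: str) -> bool:
    """True if a read attempted under a different organization is refused."""
    try:
        decrypt_credential(key, record, other_org_id)
    except InvalidTag:
        return True
    return False


def run_demo():
    """Round-trip a constructed credential and show the cross-organization read failing."""
    key = AESGCM.generate_key(bit_length=256)  # in production: from a KMS or secret manager, not the DB
    record = encrypt_credential(key, "org_alpha", b"SIP_PASSWORD=constructed-example")
    return (
        decrypt_credential(key, record, "org_alpha"),
        cross_tenant_read_rejected(key, record, "org_beta"),
    )


if __name__ == "__main__":
    plaintext, rejected = run_demo()
    print(plaintext, "cross-tenant read rejected:", rejected)
```

Binding the tenant id into the authenticated data is a defence in depth behind row-level security: even if a query-layer control were bypassed and a row from another organization were returned, the credential inside it would not decrypt for the wrong tenant.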
A Note on Transparency
We follow SOC 2-aligned security practices but have not yet completed a formal SOC 2 Type II audit. We are transparent about where we are in the certification process and will update this page as formal audits are completed.
If you have specific security requirements or need additional documentation for your compliance review, contact us at admin@vancom.io.
Security & Compliance Questions
Yes. TCPA calling hours (8 AM – 9 PM in the recipient's timezone) are hard-enforced in the calling engine. All outbound calls include AI and recording disclosures. Do Not Call lists are checked before every dial. Maximum attempt limits are enforced automatically.
All data is encrypted at rest using AES-256 and in transit using TLS 1.3. Telephony credentials are encrypted with AES-256-GCM before storage. Row-level security at the database layer ensures complete tenant isolation.
Call recordings are stored in encrypted, organization-scoped storage. Access is restricted to authenticated members of the organization that owns the recording. Retention periods are configurable by tier (7 days to 1 year).
All outbound calls begin with an AI disclosure and recording consent statement. Consent records are stored immutably — they cannot be modified or deleted after creation. This provides a clear audit trail for compliance purposes.
GetsYou maintains both a global DNC list and per-organization DNC lists. Both are checked before every outbound dial. When a contact requests to be removed during a call, it takes effect immediately.
We follow SOC 2-aligned security practices including encryption at rest and in transit, role-based access controls, audit logging, and tenant isolation. We have not yet completed a formal SOC 2 Type II audit. We will update this page when formal certification is achieved.
All SMS is sent through A2P 10DLC registered channels. Brand and campaign registration is automated during onboarding. Consent is verified before any message is sent, ensuring carrier-level deliverability and regulatory compliance.
Yes. Organization owners can request full data deletion. Contact our team and we will purge all associated data including call recordings, transcripts, contacts, and configuration within the timeframe required by applicable regulations.
Built for Businesses That Take Compliance Seriously
See how GetsYou handles real conversations — with full compliance baked in. Book a walkthrough with our team.