Asisly protects every call, transcript, and customer record with the same care a regulated bank takes with deposits. Here's exactly how — in plain English — and where we are on the road to SOC 2 Type II.
TLS 1.2+ in flight; AES-256 at rest. Recordings, transcripts, and customer rows are encrypted on the database and on every backup blob.
RFC 6238 TOTP required to access the admin console. Email allow-list scoped per customer; non-listed staff can't see your data even if they try.
Every privileged action (team change, voice swap, data export, billing change) is logged with actor, IP, time, and metadata. The log is read-only and one-click exportable to CSV for your auditor.
pg_dump streams to an S3-compatible bucket every 24 hours. 30-day retention. RPO ≤ 24h, RTO ≤ 4h. Quarterly restore drills.
Row-level security enforced at the database. Every query runs scoped to a single business id. Zero shared service keys client-side.
Sentry on every server + browser path. Slack-paged on incident. We respond to security reports at [email protected] within one business day.
Asisly is built on a small list of vetted infrastructure providers. Every one of them signs a DPA with us, and we'll happily sign one with you.

| Provider | Purpose | Region | DPA |
|---|---|---|---|
| Supabase | Postgres, auth, file storage | US (EU on request) | Yes |
| Railway | Application hosting | US-West / EU-West | Yes |
| Vapi | Realtime voice AI orchestration | US | Yes |
| Anthropic | Conversational LLM (Claude) | US | Yes |
| OpenAI | Standard voice synthesis | US | Yes |
| ElevenLabs | Premium / cloned voice synthesis | US | Yes |
| Twilio | Phone numbers, SMS, voicemail | Global | Yes |
| Stripe | Subscriptions + Connect payouts | US / EU | Yes |
| Resend | Transactional email | US | Yes |
| Backblaze B2 | Encrypted backup storage | US-West | Yes |
| Sentry | Error tracking | US (EU on request) | Yes |

We send our DPA, BAA, security questionnaire, or a redacted incident response runbook on request. We reply within one business day.