Security & trust

How we handle your data and calls.

Plain answers about how we store your data, handle recordings, and stay compliant. We list what's true today and we don't claim certifications we don't have.

Security posture

How we protect your data and access.

Encryption

  • At rest: stored call recordings, transcripts, and customer data are encrypted (AES-256) through the enterprise-grade cloud providers we run on.
  • In transit: TLS 1.2+ for all API connections, webhooks, and data transfers between systems.

Infrastructure

We run on enterprise-grade cloud providers with automated backups and standard infrastructure hardening: network isolation, patch management, and access logging.

Access controls

  • Secrets management: credentials are stored in encrypted vaults and never committed to code.
  • Least privilege: internal access is restricted by role; production access is logged and auditable.
  • Two-factor authentication: required on all operator accounts with production or customer-data access.

Formal certifications

We're a small team and not currently certified to a formal audit framework such as SOC 2. If a certification is a hard requirement for your organization, tell us and we'll be straight with you about exactly where we stand.

Call recording & consent

How we handle recordings and disclosure.

Recording practices

  • Calls are recorded: every AI-handled call is recorded for quality, tuning, and your review.
  • TCPA-compliant disclosure: the AI announces that the call may be recorded at the start, meeting federal disclosure requirements.
  • Two-party consent states: we flag calls from two-party consent states (CA, FL, PA, and others) so you can configure explicit consent language. We don't provide legal advice; consult your attorney for state-specific compliance.

Retention & deletion

  • Default retention: 90 days.
  • Configurable: 0–365 days per your policy.
  • Deletion on request: we provide a full export and complete deletion after your request.
Compliance

Regulatory frameworks we support.

TCPA — Telephone Consumer Protection Act

The AI provides a compliant disclosure at call start. You maintain your own Do Not Call lists; we honor suppression lists provided via API or dashboard.

CCPA — California Consumer Privacy Act

California residents can request data access or deletion by emailing privacy@vertexops.ai. Requests are fulfilled within the timelines CCPA requires.

GDPR — General Data Protection Regulation

Supported for UK and EU clients. A Data Processing Agreement is available on request, and GDPR rights (access, rectification, erasure, portability) are fulfilled within statutory timelines.

Data handling

Who owns your data and how you get it back.

You own your data

All call recordings, transcripts, caller information, and booking data belong to you. We're a processor; you're the controller. We never sell, share, or use your data for anything outside your service agreement.

Retention policy

Default retention is 90 days, configurable per client (0–365 days). After the retention period, data is permanently deleted unless you ask us to extend it.

Data export & deletion

On cancellation or on request, we provide a full export (JSON plus audio files) and delete your data after the request completes. Nothing is held hostage.

Third-party subprocessors

We rely on trusted services to deliver the platform. Current subprocessors:

ServicePurpose
TwilioTelephony (inbound and outbound calls)
VapiAI voice orchestration and real-time conversation
AnthropicClaude language models for understanding and response
Cal.comScheduling and calendar integration
SendGridTransactional email (confirmations, summaries)

The subprocessor list is reviewed regularly. Contact us for the current list or to request DPAs from specific subprocessors.

Emergency handling

How we route true emergencies — and what we're not.

Emergency routing

  • Life-threatening emergencies: the AI detects keywords (chest pain, difficulty breathing, fire, break-in) and directs the caller to dial 911.
  • Mental health crisis: the AI detects crisis keywords and directs the caller to 988 (Suicide & Crisis Lifeline).
  • We're not an emergency service: Vertex Ops is a business automation tool, not a medical alert system or emergency dispatch service.

Limitation of liability: the AI is trained to detect emergencies but isn't infallible. You must maintain alternative emergency contact methods. We aren't liable for emergency-routing failures.

Company information

Vertex Ops.

Questions about our security posture?

If you're evaluating Vertex Ops for a regulated vertical or a larger deployment, we're happy to walk through our controls and answer honestly about where we are.

hello@vertexops.ai →