Enterprise-grade security, built in

From APPI compliance to encryption and access control — security is baked in from the start, not bolted on.


APPI Compliance

  • ✓ Per-call consent flag management (Consented / Unconfirmed / Refused)
  • ✓ Immutable audit log of consent changes (who, when, how)
  • ✓ Per-call retention period override
  • ✓ Automatic PII redaction (no third-party NLP)
  • ✓ PII diff view (admins and QA only)

Authentication & Access Control

  • ✓ TOTP MFA (mandatory for admins)
  • ✓ 4-tier RBAC (Admin / Supervisor / QA / Agent)
  • ✓ Short-lived JWT + refresh tokens
  • ✓ Configurable session timeout
  • ✓ API key for external system integration

Data Protection & Encryption

  • ✓ Encryption at rest: S3 SSE-S3, RDS encryption
  • ✓ Encryption in transit: TLS 1.2+
  • ✓ No raw transcript logging in production
  • ✓ PII redacted before sending to OpenAI
  • ✓ Secrets managed via AWS Secrets Manager

Network & Infrastructure

  • ✓ AWS WAF + rate limiting (slowapi)
  • ✓ Enforced HTTPS + HSTS
  • ✓ Per-tenant CORS allowlist
  • ✓ Private VPC topology (Enterprise)
  • ✓ AWS Tokyo region (ap-northeast-1) by default

Audit & Observability

  • ✓ Structured JSON logs with request_id and tenant_id
  • ✓ Audit logs for sensitive operations (consent, export, webhook)
  • ✓ SQS dead-letter queue monitoring
  • ✓ RDS automated snapshots and restore testing
  • ✓ Health check API (/api/health)

Reliability & Availability

  • ✓ Idempotent upload and job creation (safe retries)
  • ✓ Worker auto-scaling by SQS queue depth
  • ✓ Exponential backoff retries (AmiVoice & OpenAI)
  • ✓ Blue-green deployment supported
  • ✓ SLA: Starter 99.5% / Pro 99.9% / Enterprise 99.95%

Data Flow Overview

Browser ──upload──▶ FastAPI (TLS) ──S3──▶ SQS ──▶ Worker ──AmiVoice──▶ PostgreSQL
Browser ──live───▶ wss://acp-api.amivoice.com/v1/nolog/ (direct WebSocket)
Browser ◀──────── FastAPI (TLS) ◀──────────────────────── PostgreSQL

All traffic: TLS 1.2+
All data at rest: Encrypted (S3 SSE-S3 / RDS)
PII redaction: Server-side before OpenAI
Secrets: AWS Secrets Manager

Compliance Status

  • AWS Tokyo Region: Active
  • ISO 27001: Roadmap
  • SOC 2 Type II: Roadmap
  • APPI Compliance: Active
  • ISMS: Roadmap

Everything your procurement team needs


Data residency: AWS Tokyo region (ap-northeast-1)

Audio files, transcripts, and analytics are stored exclusively in AWS ap-northeast-1 (Tokyo, Japan). No audio file is ever transferred outside the Japan region. Only PII-redacted transcript text is sent to OpenAI, subject to their zero data retention API policy.

Subprocessor list

Service | Provider | Country | Purpose
AmiVoice | Advanced Media Inc. | Japan | Audio transcription (batch & live)
OpenAI | OpenAI, L.L.C. | USA (zero data retention) | Analytics generation (PII-redacted text only)
Amazon Web Services | Amazon Web Services, Inc. | Japan (ap-northeast-1 Tokyo) | Cloud infrastructure (compute, storage, database)
Resend | Resend, Inc. | USA | Transactional email (auth & notifications)

Data Subject Rights (APPI §28 / GDPR Art. 17)

Data access and deletion requests under APPI §28 and GDPR Art. 17 can be fulfilled directly from the admin panel. Identifying, processing, and deleting subject data — calls, transcripts, and analytics — is fully recorded in the immutable audit log for regulatory submission.

Security brief (print-ready)

Deployment options, data flow, encryption, retention, subprocessors, and access control model — compiled into a single printable document for your procurement and legal teams.


Download the Security Brief

Detailed security specs, data flow diagrams, and compliance information in one PDF.
