Trust, security & compliance
Compliance is wiring, not a workshop.
Hard tenant isolation from day one. DPDP, TCPA, and GDPR scaffolding shipped before launch — not added later under a deadline. Data-subject export and erasure finish in under 30 seconds because there's nothing to disentangle.
What's in place today
| Control | State | How it's enforced |
|---|---|---|
| Hard tenant isolation | ✓ LIVE | Postgres schema, Mongo database, Qdrant collection, Vault path, Redis namespace — all per-tenant. One bug ≠ a breach. |
| BYOK secrets encrypted at rest | ✓ LIVE | AES-256-GCM envelope encryption in Postgres. Master key in env or Vault. Provider keys never plaintext on disk. |
| PII redaction pre-LLM | ✓ LIVE | Phone (E.164), email, PAN, Aadhaar, SSN, IFSC, bank, money, address tokenised before every Claude call. |
| Recording consent | ✓ LIVE | Disclosure played on first turn of every voice call. Consent records stored per contact, per scope. |
| DPDP DSR export | ✓ LIVE | POST /dsr/export returns the full contact bundle in under 30s. Hard isolation means it's a single-schema query. |
| DPDP DSR erase | ✓ LIVE | POST /dsr/erase drops the contact's Mongo records, deletes Postgres rows per retention, pseudonymises audit-keep rows. |
| Audit log (per tenant) | ✓ LIVE | Every workflow change, every approval, every concession, every DSR action. Queryable per tenant; regulator-friendly. |
| Audit log (global) | ✓ LIVE | Tenant lifecycle events on the control plane (provisioning, suspension, archival, erasure). |
| Argon2id passwords | ✓ LIVE | OWASP 2024 parameters. Legacy bcrypt hashes rejected by policy. |
| JWT auth (HS256) | ✓ LIVE | Tenant ID + role in the claim. HttpOnly Secure cookie + bearer fallback. 7-day TTL, immediate revocation on rotation. |
| Internal DNC list | ✓ LIVE | Per-tenant. Numbers added on opt-out, sales-org request, or manual import. |
| NCPR daily scrub (India TRAI) | ● post-launch | Daily pull of the TRAI registry, exclusion applied to outbound dialer queues. |
| SOC2 Type II report | ● roadmap | Evidence collection is wired; audit scope validation TBD. Talk to us for the package. |
| HIPAA / RBI | ● on request | Added if a regulated tenant signs. Architecture supports it; controls need an explicit attestation pass. |
Hard tenant isolation
Row-level multi-tenancy is the industry default. One missing WHERE tenant_id=… in one query and you've leaked across customers. We don't use it.
| Store | Isolation | Pattern |
|---|---|---|
| Postgres | Per-tenant schema (cf_t_{id}) inside shared databases. Migrations fan out idempotently. | schema-per-tenant |
| MongoDB | Per-tenant database (cf_t_{id}). Erasure = dropDatabase(). | db-per-tenant |
| Qdrant | Per-tenant collections: cf_t_{id}_company_kb, cf_t_{id}_customer_data. | collection-per-tenant |
| HashiCorp Vault | Per-tenant path (secret/cf/tenants/{id}/) with per-tenant policy. | path-per-tenant |
| Redis Streams | Per-tenant key namespace (cf:t:{id}:*). | namespace-per-tenant |
| Object storage | Per-tenant prefix (t_{id}/) in shared bucket. | prefix-per-tenant |
| Keycloak | Single realm, per-tenant group (t_{id}), tenant_id claim in every JWT. | group-per-tenant |
Data residency
India data lives in Mumbai. US data lives in us-east. EU data lives in eu-west (post-launch region). Pick the region at tenant creation; we don't move it later without a written request.
Sub-processors
We use third-party providers — they're listed on the integrations page. Each one handles a specific layer (telephony, STT, TTS, LLM, payments, email, vector store). All BYOK options let you swap our provider relationship for yours. The sub-processor list is also included in the data processing addendum (DPA), available on request from dpo@callfunnel.ai.
Reporting an issue
Security disclosure: security@callfunnel.ai (PGP key on request).
DPDP / GDPR data-subject requests: dpo@callfunnel.ai.