TRUST & COMPLIANCE

Built for the regulated, ready for the rest.

365Agents pairs AI voice and text agents with the controls enterprise security teams expect — SOC 2, ISO/IEC 42001 AI governance, PCI-DSS scope-minimization, HIPAA-ready, and a unified U.S. data-privacy program — all running on AES-256 + TLS 1.3 with 24×7 monitoring.

✓ SOC 2 Type I ✓ ISO/IEC 42001 ✓ PCI-DSS ✓ HIPAA-ready ✓ GDPR DPA-ready ✓ CCPA Compliant
Trust & Compliance Brief · v1.0 · 365Agents, Inc.
Compliance posture at a glance

SOC 2 Type I: ✓ Achieved
Independent attestation; renewed annually. Type II observation period commencing — see full roadmap in InfoSec Policy.

ISO/IEC 42001:2023, AI Management System: ✓ Certified
The first ISO standard purpose-built for AI governance. Covers risk management, lifecycle controls, transparency, and human oversight.

PCI DSS — Service Provider: ✓ Attested
Scope-minimization design — cardholder data is not stored on the Platform unless Customer enables PCI-compliant payment flows.

HIPAA: ✓ BAA-ready
Administrative, physical, and technical safeguards consistent with the HIPAA Security Rule. PHI requires signed BAA + PHI-mode enabled at account level.

U.S. Data Privacy (USDP): ● In Progress
Vanta-tracked unified U.S. multi-state privacy program — CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, plus the rolling wave of state laws (TX, OR, TN, FL, MD, MN, NJ, DE, NH, IA, IN, MT, etc.).

GDPR / UK GDPR / Swiss FADP: ✓ DPA-ready
Data Processing Addendum incorporates EU Standard Contractual Clauses (SCCs) and UK Addendum; available on request prior to processing EU/UK personal data.

CCPA / CPRA: ✓ Compliant
Consumer rights portal at 365agents.com/privacy-requests; "Do Not Sell or Share" honored; 45-day response window.

TCPA · TSR · State AI Laws: ✓ Configurable
Consent capture, do-not-call list integration, AI-disclosure prompts, "click-to-cancel" mechanics, and time-window controls built into the platform.

Core security controls

🔒 Encryption: AES-256 at rest · TLS 1.3+ in transit
🔑 Identity: MFA-required admin access · RBAC, least privilege
👁 Monitoring: 24×7 SOC · IR team activated within 1 hour
🔄 Resilience: 4-hr RTO · 24-hr RPO · daily geo-distributed backups
👥 Personnel: Background checks · annual security awareness training
💻 Software: Code review · automated vuln scanning · annual pen-test

Data handling
Incident notification commitment: 365Agents will notify affected Customers without unreasonable delay and no later than 72 hours after confirming a Personal Data breach (24 hours for active material risk). Full details in the Data & InfoSec Policy.
365Agents, Inc.
18291 North Pima Road Suite 110, #273
Scottsdale, AZ 85255