Is customer data processed in the UK or EU, and will you sign proper processor terms?
Yes. Regulated deployments need to know exactly where data is processed, which subprocessors are involved, and what contractual controls apply. Callweave publishes a current subprocessor list, makes regional hosting clear, and signs processor terms aligned to GDPR Article 28(3) rather than relying on generic cloud language. EU hosting is available on request; UK-only deployments can be scoped during the security review. Change-notice, export, and deletion terms are defined contractually, rather than buried in a generic vendor MSA.
Do you train your models on our customer audio, transcripts, or case data?
No. Customer recordings, transcripts, and case notes are used only to run the workflows you have configured. They are not used to train shared models, shared benchmarks, or other customers' deployments. Tenant data stays isolated and is contractually protected as well as technically separated. The records exist for one purpose: running the agreed workflow, building the audit trail, and writing structured outcomes back into your systems.
What happens if the AI gets something wrong on a regulated call?
Routine actions can be automated within approved rules. Materially important actions, such as customer-harm interventions, suspicious-activity judgments, account restrictions, or anything that significantly affects the customer, stay bounded by retrieval from approved policy content and human review. Low-confidence moments escalate rather than improvise. Every flag, trigger, and reviewer action is preserved with a timestamp so corrections become part of the evidence trail rather than a private fix.
How do you evidence responsible-gambling, vulnerability, or self-exclusion interventions?
What matters here is the evidence trail behind each interaction, more than a sentiment score. Callweave captures the trigger, the customer context visible at the time, the action taken, the reviewer, and the outcome, then writes that record back into your case or CRM tool. For UKGC LCCP SR 3.4.3, the workflow supports the identify–act–evaluate model; self-exclusion confirmations are timestamped and propagated to suppress later marketing across product and channel. Records are built to hold up in a Commission audit.
How do you handle card data and PCI scope on calls?
PCI is scoped per workflow. Card-sensitive workflows are designed so sensitive payment data is never captured by the AI layer; it is redirected, suppressed, or segmented to match your existing PCI design. We define the system-of-record for payment entry, where redaction applies, and the PCI boundary per workflow. Retention rules avoid storing prohibited fields after authorization. We do not claim blanket PCI compliance; we make the scope deliberate.
Can you produce evidence for disputes, complaints, and ombudsman or scheme reviews?
Yes. In payments, this means representment-ready evidence for Visa CE3.0 and Mastercard chargeback flows: identity, fulfillment, prior history, and timestamps captured as structured fields. In collections, it means FOS-ready packs with call recordings, correspondence, notices, and dispute history at the contested phrase. In gambling, it means UKGC interaction logs with trigger, action, reviewer, and outcome. The artifact is the same shape your compliance team would build manually, just exportable, indexed, and complete.
How does Callweave fit our telephony, CRM, KYC, AML, and case stack?
Callweave reads the minimum customer and case context needed before the call (from CRM, KYC/AML, and case systems), applies workflow controls during the call, and writes structured records back into your systems of record afterward. It is a voice layer inside your existing operating model, not a replacement for your systems of record. Fallback behavior is defined for upstream outages so the call workflow degrades safely rather than failing silently. Integration scope and resilience posture are documented before any pilot starts.
Which actions are automated, and which always stay with a human reviewer?
Routine identity checks, intake, triage, routing, reminders, and evidence capture can be automated within approved rules. Materially important escalations, such as customer-harm interventions, suspicious-activity judgments, AML/SAR decisioning, account-restriction or refund decisions, and FCA CONC 7 vulnerability handling, stay human-reviewed. The system can recommend; it does not finalize on its own. Override paths, contest rights, and the review trail are defined before a workflow goes live and preserved in the audit log.