Trust & security

Security at Callweave

If you are reviewing Callweave, this page is for your security and compliance team. It covers how we protect your call data, the controls running today, and what we are still building. We are a young company, so we tell you where things actually stand, with dates, instead of leaning on badges we have not earned yet.

Last updated 29 May 2026

Callweave handles recorded calls and the customer data inside them, so security is not a side feature for us. The controls below are what we run today. Anything we have not finished yet sits in the roadmap section, marked as planned or in progress.

In place today

These are running now, on every customer deployment.

Data encryption

Live

Encrypted in transit with TLS and encrypted at rest. No customer call data moves or sits unencrypted.

Access control

Live

Role-based access control on the principle of least privilege. People and services get only the access the task requires.

Tenant isolation

Live

Each customer's data is logically isolated from every other tenant. One customer's review work never touches another's data.

PII redaction

Live

Configurable redaction of personal data in transcripts and evidence, so sensitive fields are masked before they reach reviewers or downstream systems.

Audit logging & utterance-level traceability

Live

Every reviewer action is logged. Every flag traces back to the exact utterance, timestamp, and rule that produced it.

Human review on escalations

Live

Every escalation gets human review. The model surfaces and proposes; a person decides on anything that escalates.

EU data residency

Live

EU data residency is available on request, so customer call data can be kept within the EU region.

No training on your data

Live

We do not train models on your customer data. Your calls and transcripts are used to serve you, not to improve a shared model.

Configurable retention

Live

Retention is configurable per workflow. Call samples are deleted after a review unless you opt into retention.

Compliance roadmap

We are not certified yet. Here is where each programme stands and when we expect it to be done.

Item | Status | Target
SOC 2 Type II | In progress | Observation period during 2026, report targeted for H1 2027.
ISO 27001 | Planned | Under evaluation, targeted for 2027.
Third-party penetration test | Planned | First annual external test planned for 2026.
GDPR Article 28 processor terms / DPA | Live | Available now. Sample at /dpa.html.
Subprocessor transparency | Live | Published list at /subprocessors.html, with change notice under the DPA.

How customer call data is handled

We keep the data path narrow. Before a call, Callweave reads only the context it needs for that workflow. During the call, it processes the audio to run the conversation and catch what matters. Afterwards, it writes the evidence, flagged transcript, and any resulting actions back into your systems.

Recordings can stay in your own storage bucket rather than being held by us. Deletion and retention are configurable per workflow, so you decide what is kept and for how long. Every reviewer action against that data is logged, so there is always a record of who looked at what and when.

Data residency & transfers

EU hosting is available on request for customers who need their data to stay in the EU region. Fractal Signals LLC, the company behind Callweave, is a US entity. Where a deployment involves transferring personal data from the EU or UK to the US, those transfers are governed by the Standard Contractual Clauses incorporated into the DPA.

AI safety & human oversight

On anything that matters, a person decides, not the model. When the model is unsure, it escalates instead of guessing. The decisions that carry real weight stay with a human: any action that could harm a customer, any AML or SAR judgment, and any account restriction.

And you can check that oversight after the fact. Every flag traces back to the exact words, timestamp, and rule that raised it, so a reviewer or a regulator can see why.

What you can request

Your security and procurement teams can ask us for:

We would rather tell you what is not done yet than have a procurement review find it for you. If a control you need is on the roadmap rather than live, ask us about timing and interim mitigations and we will give you a straight answer.

Report a vulnerability

If you believe you have found a security issue, email security@callweave.ai. We practise responsible disclosure: please give us a reasonable window to investigate and remediate before any public disclosure, and we will keep you updated on our progress and acknowledge your report.