Security at Callweave
If you are reviewing Callweave, this page is for your security and compliance team. It covers how we protect your call data, the controls running today, and what we are still building. We are a young company, so we tell you where things actually stand, with dates, instead of leaning on badges we have not earned yet.
Callweave handles recorded calls and the customer data inside them, so security is not a side feature for us. The controls below are what we run today. Anything we have not finished yet sits in the roadmap section, marked as planned or in progress.
In place today
These are running now, on every customer deployment.
Data encryption
Live: Encrypted in transit with TLS and encrypted at rest. No customer call data moves or sits unencrypted.
Access control
Live: Role-based access control on the principle of least privilege. People and services get only the access the task requires.
Tenant isolation
Live: Each customer's data is logically isolated from every other tenant. One customer's review work never touches another's data.
PII redaction
Live: Configurable redaction of personal data in transcripts and evidence, so sensitive fields are masked before they reach reviewers or downstream systems.
Audit logging & utterance-level traceability
Live: Every reviewer action is logged. Every flag traces back to the exact utterance, timestamp, and rule that produced it.
Human review on escalations
Live: Every escalation gets human review. The model surfaces and proposes; a person decides on anything that escalates.
EU data residency
Live: EU data residency is available on request, so customer call data can be kept within the EU region.
No training on your data
Live: We do not train models on your customer data. Your calls and transcripts are used to serve you, not to improve a shared model.
Configurable retention
Live: Retention is configurable per workflow. Call samples are deleted after a review unless you opt into retention.
Compliance roadmap
We are not certified yet. Here is where each programme stands and when we expect it to be done.
| Item | Status | Target |
|---|---|---|
| SOC 2 Type II | In progress | Observation period during 2026, report targeted for H1 2027. |
| ISO 27001 | Planned | Under evaluation, targeted for 2027. |
| Third-party penetration test | Planned | First annual external test planned for 2026. |
| GDPR Article 28 processor terms / DPA | Live | Available now. Sample at /dpa.html. |
| Subprocessor transparency | Live | Published list at /subprocessors.html, with change notice under the DPA. |
How customer call data is handled
We keep the data path narrow. Before a call, Callweave reads only the context it needs for that workflow. During the call, it processes the audio to run the conversation and catch what matters. Afterwards, it writes the evidence, flagged transcript, and any resulting actions back into your systems.
Recordings can stay in your own storage bucket rather than being held by us. Deletion and retention are configurable per workflow, so you decide what is kept and for how long. Every reviewer action against that data is logged, so there is always a record of who looked at what and when.
Data residency & transfers
EU hosting is available on request for customers who need their data to stay in the EU region. Fractal Signals LLC, the company behind Callweave, is a US entity. Where a deployment involves transferring personal data from the EU or UK to the US, those transfers are governed by the Standard Contractual Clauses incorporated into the DPA.
AI safety & human oversight
On anything that matters, a person decides, not the model. When the model is unsure, it escalates instead of guessing. The decisions that carry real weight stay with a human: any action that could harm a customer, any anti-money-laundering (AML) or suspicious activity report (SAR) judgment, and any account restriction.
And you can check that oversight after the fact. Every flag traces back to the exact words, timestamp, and rule that raised it, so a reviewer or a regulator can see why.
What you can request
Your security and procurement teams can ask us for:
- Our sample DPA, with GDPR Article 28 processor terms, at /dpa.html.
- The current subprocessor list at /subprocessors.html.
- A mutual NDA before exchanging anything confidential.
- Security questionnaire responses. We will complete standard questionnaires such as the Shared Assessments SIG and the Cloud Security Alliance CAIQ during procurement.
Report a vulnerability
If you believe you have found a security issue, email security@callweave.ai. We practise responsible disclosure: please give us a reasonable window to investigate and remediate before any public disclosure, and we will keep you updated on our progress and acknowledge your report.