Enterprise Privacy & Compliance

Security & compliance built-in

Enterprise-grade security and compliance features designed for conversation intelligence at scale

Data Processing Agreement

GDPR-compliant DPA covering data processing activities, ensuring your organization meets regulatory requirements for conversation data.

GDPR Article 28 compliant

Standard contractual clauses

Data minimization guarantees

SOC 2 Certification

SOC 2 Type I certification in progress, validating our security controls and processes for conversation data protection.

Security & availability controls

Independent third-party audit

Type II audit scheduled Q2 2025

Data Residency

Flexible data residency options to meet your organization's geographic and regulatory requirements.

US data centers (primary)

EU data centers (Q1 2025)

Regional compliance support

Consent Management

Comprehensive consent management for multi-party conversations, ensuring ethical and legal compliance.

Multi-party consent workflows

Automated consent documentation

Granular permission controls

Certification roadmap

Our commitment to achieving the highest industry standards

ISO 27001 Certification

Global standard for information security management systems. Planned certification for Q3 2025.

ISMS framework implementation started

Risk assessment and treatment in progress

External audit scheduled Q3 2025

Resource library

Access our security documentation, policies, and compliance reports

Available

Data Processing Agreement

GDPR-compliant DPA template

Available

Security Whitepaper

Technical security overview

Available

Incident Response Policy

Security incident procedures

Q1 2025

SOC 2 Type I Report

Compliance report

Available

Data Retention Policy

Retention and deletion procedures

Available

Consent Management Framework

Multi-party consent workflows

Coming Soon

Penetration Test Report

Third-party security assessment

Security controls

Comprehensive security program across multiple domains

Access Controls & Authorization

LIVE

Multi-Factor AuthenticationCompleted

Role-Based Access ControlCompleted

Access Audit LoggingCompleted

Regular Access ReviewsIn Progress

Data Protection & Privacy

LIVE

AES-256 EncryptionCompleted

Automated BackupsCompleted

Data MinimizationCompleted

Secure Data DeletionCompleted

Infrastructure Security

LIVE

24/7 MonitoringCompleted

Automated PatchingCompleted

Network SegmentationIn Progress

Intrusion DetectionCompleted

Incident Response & Compliance

LIVE

Incident DetectionCompleted

Response ProceduresCompleted

Customer CommunicationCompleted

Regulatory ReportingIn Progress

Compliance details

Specific policies and timelines for your peace of mind

Data Retention & Deletion

Default retention period30 days

Maximum retention (configurable)7 years

Data deletion on requestWithin 30 days

Account termination cleanupWithin 90 days

Incident Response

Detection time (goal)< 15 minutes

Initial response time< 1 hour

Customer notificationWithin 72 hours

Regulatory reportingAs required

Access & Audit

Access log retention1 year

Data access monitoringReal-time

User access reviewsQuarterly

Audit report availabilityUpon request

Data Processing

Primary data locationUnited States

Encryption in transitTLS 1.3

Encryption at restAES-256

Subprocessor updates30 days notice

Frequently asked questions

Find answers to common questions about our security and compliance practices

Questions about compliance?

Our security team is ready to discuss your specific compliance requirements and provide detailed documentation.

Security & compliance built-in

Data Processing Agreement

SOC 2 Certification

Data Residency

Consent Management

Certification roadmap

ISO 27001 Certification

Resource library

Data Processing Agreement

Security Whitepaper

Incident Response Policy

SOC 2 Type I Report

Data Retention Policy

Consent Management Framework

Penetration Test Report

Security controls

Access Controls & Authorization

Data Protection & Privacy

Infrastructure Security

Incident Response & Compliance

Compliance details

Data Retention & Deletion

Incident Response

Access & Audit

Data Processing

Frequently asked questions

How long do you retain conversation data?

Who has access to our data?

What happens if you experience a security breach?

Can we delete our data at any time?

Do you process data outside the United States?

How do you ensure conversation consent compliance?

What certifications does Convo have?

How do you handle GDPR compliance?

What is your approach to security patching?

How can we audit your security practices?

Questions about compliance?