Security & Compliance

Your voice data, protected by design

Encryption in transit and at rest, BYOC credential isolation, no training on customer data, and compliance certifications aligned with the regulations that matter for voice.

Core security principles

The five guarantees we make on every plan.

Encryption in transit and at rest

All API traffic and SIP signalling use TLS 1.2 or higher. SRTP secures the media path. Recordings, transcripts, and credentials are encrypted at rest with AES-256.

BYOC credential isolation

Bring your own OpenAI, Twilio, and Stripe credentials. Each tenant's keys are encrypted with a dedicated key separate from Laravel's app key, scoped per account, and decrypted only at request time.

No training on customer data

Your call audio, transcripts, and knowledge-base content are never used to train Kalem's models or any third-party model. The OpenAI Realtime API is configured with zero data retention for opted-in enterprise tenants.

Tenant isolation

Every resource — agents, calls, numbers, knowledge bases, vector collections — is scoped to an account. Vector embeddings live in dedicated per-account collections. Cross-tenant queries are blocked at the application layer.

Configurable retention

You decide how long call recordings, transcripts, and logs are kept. Set per-account retention windows or trigger immediate deletion via API. GDPR right-to-erasure requests are honoured within statutory timelines.

Independent verification

Annual third-party penetration tests, SOC 2 Type II audited controls, and continuous monitoring. Findings are remediated on a fixed SLA and re-tested.

Compliance certifications

Frameworks and agreements available across our plans.

GDPR

Full compliance with the EU General Data Protection Regulation. Data residency options, right to erasure, and DPA available.

SOC 2 Type II

Audited controls for security, availability, and confidentiality. Regular third-party audits ensure continuous compliance.

End-to-End Encryption

TLS/SSL encryption in transit and AES-256 encryption at rest. Voice data, transcripts, and credentials are always encrypted.

HIPAA (Enterprise)

HIPAA-compliant configurations for healthcare. Business Associate Agreements (BAA) available for Enterprise customers.

PCI DSS (Enterprise)

Payment Card Industry Data Security Standard compliance for handling sensitive payment data securely during voice interactions.

Custom SLA (Enterprise)

Custom Service Level Agreements with guaranteed uptime, response times, and dedicated incident management.

Custom DPA (Enterprise)

Custom Data Processing Agreements tailored to your organization's data governance requirements.

Also available: data residency options, regular penetration testing, custom DPA, no data used for AI training, configurable data retention.

How data flows through Kalem

A typical voice call, traced from caller to AI and back.

  1. Inbound call

     A SIP or PSTN call hits your telephony provider (Twilio, your own carrier, or our SIP gateway). Signalling is TLS-protected; media is SRTP-encrypted.

  2. Tenant resolution

     Kalem authenticates the inbound number, resolves the agent and account, and decrypts your BYOC OpenAI key in memory using the per-tenant encryption key.

  3. Realtime conversation

     Audio is streamed directly to OpenAI's Realtime API over a TLS WebSocket. Knowledge-base lookups query a per-account vector collection. Tool calls hit your webhook URLs over HTTPS.

  4. Storage

     Recordings (if enabled) and transcripts are written to encrypted storage with AES-256. Retention follows your configured policy. Billing metadata is separated from call content.

  5. Access

     Dashboard access uses Sanctum-issued tokens. API tokens are scoped per integration and revocable. Every administrative action is logged via the activity-log audit trail.
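The "BYOC credential isolation" guarantee above and step 2 of this flow describe the same mechanism: each account's secrets are encrypted under a dedicated per-tenant key that is itself protected by a root key separate from the application key, and the plaintext exists only in memory at request time. The following is an added, self-contained example of that pattern (envelope encryption with AES-256-GCM, account ID bound as authenticated data). It is not Kalem's code and is written in Go rather than the Laravel/PHP stack the page mentions; the names Keyring, WrappedKey, StoredCredential, NewTenantKey, EncryptCredential and DecryptCredential, and the "acct-A"/"acct-B" identifiers and placeholder key string, are all assumptions constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

var ErrTenantMismatch = errors.New("credential belongs to a different account")

// WrappedKey is a per-account data-encryption key (DEK) stored only in
// wrapped form under the credential KEK. The account ID is part of the
// record and is also bound cryptographically (see NewTenantKey).
type WrappedKey struct {
	AccountID  string
	Nonce      []byte
	Ciphertext []byte
}

// StoredCredential is a BYOC secret encrypted under the account's DEK.
// This is what gets persisted; the plaintext never is.
type StoredCredential struct {
	AccountID  string
	Nonce      []byte
	Ciphertext []byte
}

// Keyring holds the root key-encryption key (KEK) for credentials. It is
// deliberately a different key from the application's general-purpose key
// (Laravel's app key on the page), so leaking one does not expose the other.
type Keyring struct{ credentialKEK []byte }

func NewKeyring(kek []byte) (*Keyring, error) {
	if len(kek) != 32 {
		return nil, errors.New("credential KEK must be 32 bytes (AES-256)")
	}
	return &Keyring{credentialKEK: append([]byte(nil), kek...)}, nil
}

// seal encrypts plaintext with AES-256-GCM under key, binding aad so that the
// ciphertext only authenticates when the same aad is presented again.
func seal(key, aad, plaintext []byte) (nonce, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

// unseal reverses seal; any tampering or aad mismatch yields an error.
func unseal(key, aad, nonce, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, aad)
}

// zero overwrites key material once it is no longer needed in memory.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// NewTenantKey generates a fresh random DEK for an account and returns it
// wrapped under the KEK, with the account ID as AAD: the wrapped key cannot
// be unwrapped in the context of any other account.
func (k *Keyring) NewTenantKey(accountID string) (WrappedKey, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return WrappedKey{}, err
	}
	defer zero(dek)
	nonce, ct, err := seal(k.credentialKEK, []byte("tenant-dek:"+accountID), dek)
	if err != nil {
		return WrappedKey{}, err
	}
	return WrappedKey{AccountID: accountID, Nonce: nonce, Ciphertext: ct}, nil
}

// unwrap recovers the DEK for accountID. Callers must zero the result.
func (k *Keyring) unwrap(accountID string, w WrappedKey) ([]byte, error) {
	if w.AccountID != accountID {
		return nil, ErrTenantMismatch
	}
	return unseal(k.credentialKEK, []byte("tenant-dek:"+accountID), w.Nonce, w.Ciphertext)
}

// EncryptCredential stores a BYOC secret (e.g. an upstream API key) for an
// account. The DEK is held only for the duration of this call.
func (k *Keyring) EncryptCredential(accountID string, w WrappedKey, secret []byte) (StoredCredential, error) {
	dek, err := k.unwrap(accountID, w)
	if err != nil {
		return StoredCredential{}, err
	}
	defer zero(dek)
	nonce, ct, err := seal(dek, []byte("credential:"+accountID), secret)
	if err != nil {
		return StoredCredential{}, err
	}
	return StoredCredential{AccountID: accountID, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptCredential is the request-time path: check the record belongs to
// the resolved account, unwrap the DEK, decrypt, and let the DEK be zeroed.
// A credential copied between accounts fails here rather than decrypting.
func (k *Keyring) DecryptCredential(accountID string, w WrappedKey, c StoredCredential) ([]byte, error) {
	if c.AccountID != accountID {
		return nil, ErrTenantMismatch
	}
	dek, err := k.unwrap(accountID, w)
	if err != nil {
		return nil, err
	}
	defer zero(dek)
	return unseal(dek, []byte("credential:"+accountID), c.Nonce, c.Ciphertext)
}

func main() {
	kek := make([]byte, 32) // constructed for the demo; in practice sourced from a KMS/HSM
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	kr, _ := NewKeyring(kek)
	wA, _ := kr.NewTenantKey("acct-A")
	wB, _ := kr.NewTenantKey("acct-B")
	cred, _ := kr.EncryptCredential("acct-A", wA, []byte("sk-PLACEHOLDER-not-a-real-key"))
	got, err := kr.DecryptCredential("acct-A", wA, cred)
	fmt.Printf("same account: %q err=%v\n", got, err)
	_, err = kr.DecryptCredential("acct-B", wB, cred)
	fmt.Println("other account:", err)
}
```

Two design points worth noting: the KEK and the application key are separate inputs, so a leaked app key (or a config dump) does not by itself expose tenant credentials; and the account ID is authenticated data on both layers, so a database row copied or re-pointed to another account fails GCM authentication instead of yielding a usable secret.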

Subprocessors

Third-party services that may process customer data, with their role.

Vendor | Purpose | Data
OpenAI | Realtime speech-to-speech model | Call audio, transcripts (BYOC: your own API key)
Twilio | Telephony and SMS/WhatsApp | Phone numbers, call signalling, message metadata
Stripe | Subscription billing and card payments | Billing email, payment tokens (no PAN stored by Kalem)
AWS | Hosting, encrypted storage, queues | Application data, encrypted recordings/transcripts
Qdrant | Vector search for knowledge bases | Document embeddings (per-account collection)

Enterprise customers receive an up-to-date subprocessor list as part of their DPA, with 30-day advance notice of changes.

Report a vulnerability

If you believe you've found a security issue, please email security@kalem.me. We acknowledge reports within one business day and will keep you posted through resolution. Please do not publicly disclose the issue until we've had a chance to fix it.