The certifications, controls, and physical security behind every program.
SOC 2 Type II, PCI-DSS, and HIPAA are the foundation. What sits underneath is a facility, a workforce, and a control set designed to pass enterprise security review.
The audits enterprise procurement actually asks for.
Every certification listed is active and verified. Evidence is available under NDA.
SOC 2 Type II
Annual third-party audit of security, availability, and confidentiality controls. Executive summary available under NDA. Baseline requirement for enterprise technology and financial services clients.
PCI-DSS
Scope and Report on Compliance (ROC) available on request. Payment IVR removes agents entirely from card capture. Agents never see or hear card data.
HIPAA / HITECH
BAAs executed with all applicable clients. PHI processing confined to designated restricted-access environments. All agents handling health data complete HIPAA awareness training at onboarding.
Data Processing Agreements (DPAs) available. Standard Contractual Clauses (SCCs) executed for cross-border EU data transfers.
Controls in place for California consumer privacy rights including data subject access and deletion requests.
DNC list scrubbing before every outbound campaign. Prior express written consent verified and logged. Violations trigger escalation and corrective action within 24 hours.
On the floor, not just in the cloud.
Prospects ask what happens on the floor, not just in the cloud. The following controls apply to our San Salvador facility and are verified annually as part of our SOC 2 Type II audit.
- Biometric access control at all facility entry points
- Layered access zones: production floor restricted to authorized personnel only
- No personal devices permitted on the production floor
- 24/7 on-site security guards
- Comprehensive CCTV surveillance with recorded footage retention
- Screen privacy filters on production workstations where applicable
- USB and peripheral device restrictions enforced on all production machines
Identity is the first layer. Access is the second.
Identity is the first security layer. Access is the second. Both are centralized.
Identity
- Role-Based Access Control (RBAC) with least-privilege principle across all systems
- Active Directory and Microsoft Intune for centralized identity and device management
- Sophos Endpoint Protection with automated patch management, continuous threat monitoring, and advanced threat protection
Access
- Data Loss Prevention (DLP) controls at both endpoint and network layer
- Access revocation confirmed within 2 hours of any employee departure
Five gates before any system access.
Every agent passes structured screening before touching any client system.
- Government-issued identity verification
- Criminal history review
- Employment history verification
- Periodic re-screening for agents handling PCI or HIPAA-scoped data
- All agents sign NDAs and acceptable use agreements before accessing any client system
Common questions, answered.
The questions enterprise buyers ask before signing. Don't see yours? Send it our way during the discovery call.
Yes. Executive summary is available under NDA. Full report on request for active contracting engagements.
Need the security pack before the first call?
Request the documentation set. Executive summary of the SOC 2 Type II report, PCI-DSS scope overview, HIPAA controls summary, and completed responses to common security questionnaires.