Compliance
Built for Australian businesses. Here’s exactly how we handle your data, your customers’ calls, and the rules that apply in Australia — described as it actually works in the product, not as aspiration.
Australian data residency
Your call recordings and account database are stored in Australia — AWS Sydney (ap-southeast-2) — encrypted at rest. Some real-time voice and AI processing is performed by the subprocessors listed below, which may process call audio outside Australia during the call itself.
Call-recording disclosure
The AI states a recording disclosure at the start of every call. The wording is state-aware: callers in all-party-consent states (NSW, VIC, SA, WA, TAS) hear stricter wording; QLD, NT and mobile numbers hear the federal wording. The stricter wording applies if either the caller or the business is in an all-party state.
Privacy Act & collection notice
Our processes are aligned with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APP 1–13). When enabled for an agent, the AI also speaks an APP 5 collection notice — telling the caller their details are used only to handle their enquiry.
Retention & deletion
Data retention is configurable per business, with a 365-day default. Recordings, call sessions, voicemails and notifications past the retention window are deleted automatically, and individual recordings can be deleted on request.
Encryption
Data is encrypted in transit with TLS 1.3. Telephony sub-account tokens, OAuth secrets and integration keys are encrypted at the application layer with AES-256, and data at rest is encrypted by our managed database and storage providers. Each business’s data is tenant-isolated.
Payments
We never store card numbers. Payments are handled by Stripe (PCI DSS Level 1), so card data goes directly to Stripe and is tokenised — it does not touch our servers.
Subprocessors
We use the third-party services below to run the product. We share only the data each one needs for its function.
| Subprocessor | What it handles | Region |
|---|---|---|
| Ultravox | Real-time voice AI for live call conversations | United States |
| Anthropic (Claude) | Agent reasoning and prompt building | United States |
| Twilio / Telnyx | Telephony and SMS (Australian numbers, per-business sub-accounts) | Global, AU numbers |
| Deepgram | Speech-to-text transcription | United States |
| Amazon Web Services | Call-recording storage (S3) and database (RDS) | Australia (Sydney) |
| Stripe | Subscription billing and payments (PCI DSS Level 1) | Global |
| SendGrid / Amazon SES | Transactional email (summaries, confirmations) | United States |
| Railway | Application hosting | United States |
What we don’t claim
We don’t hold a SOC 2 or ISO 27001 certification, and we don’t describe ourselves as certified to those frameworks. Our controls are aligned to them and the underlying security practices are in place, but formal third-party attestation is on the roadmap, not yet completed. If you need a signed Data Processing Agreement or have a specific compliance requirement, get in touch and we’ll work through it with you.
Privacy & data questions
Questions about how we handle data, or need a DPA? We’re happy to help.
privacy@karmasai.com