Trust & compliance

Enterprise-grade security. Built into the platform.

Q: Can I get a SOC 2 report and DPA?

Yes. SOC 2 Type II reports, DPAs, BAAs and procurement questionnaires are on file and delivered within one business day under NDA.

Q: How is SSO and provisioning handled?

SAML 2.0 SSO works with Okta, Azure AD, Google Workspace and OneLogin. SCIM auto-provisioning keeps seats in sync with your IdP, so deprovisioning is instant.

Q: What about call-path protection — STIR/SHAKEN, E911, 10DLC?

Outbound carries attestation A on STIR/SHAKEN. E911 syncs per-seat addresses (RAY BAUM's + Kari's Law). 10DLC is vetted, and we are listed in the FCC Robocall Mitigation Database.

Q: How do encryption and tenant isolation work?

Every tenant gets logical isolation across queues, recordings and transcripts. Keys rotate quarterly. Backups encrypted with AES-256, RPO 15 minutes, RTO 4 hours, and recovery drills run quarterly.

Acepeak security is verified annually — SOC 2 Type II, GDPR, HIPAA-aligned, PCI-DSS. Encryption everywhere, SSO out of the box, audit log streamed to your SIEM. The hard stuff, already done.

SOC 2 Type IISTIR/SHAKENGDPRHIPAA-aligned

Audit · 2025

SOC 2 Type II
Passed

Trust · Availability · Confidentiality

Live

Encryption posture

Transit

TLS 1.3 · SRTP

At rest

AES-256

SSO active

SOC 2

Type II

GDPR

EU/EEA

HIPAA

Aligned

PCI

v4.0

4 frameworks · 1 audit window

Compliance is a posture, not a checkbox. We pass the audit so you don't have to explain ours.

Compliance frameworks

Audited annually.
Documented for procurement.

Every framework below is current. Reports, BAAs, DPAs and questionnaires are kept on file — your compliance team can have them within a business day.

SOC 2 Type II

Annual audit covering protection, availability, confidentiality.

GDPR

EU/EEA personal data handled per Articles 25 & 32. DPA on request.

HIPAA-aligned

BAA available. PHI stays in-region with encryption at rest.

PCI-DSS v4.0

Card data handled via tokenisation. No CHD on our systems.

POPIA

South Africa data residency. Local DPO contact provided.

STIR/SHAKEN

Caller-ID attestation A at the carrier. Spoofing blocked upstream.

Carrier & call protection

The threat starts at the wire.
So does our defence.

Spoof calls, robocallers, and toll fraud get blocked before they hit your numbers — at the carrier, not at the platform. Same for emergency routing and 10DLC handling.

Tier 1 voice network

Direct interconnects with Sparkle, Lumen, Telin, T-Mobile, Airtel.

STIR/SHAKEN at carrier

Outbound attestation level A. Inbound spoof drops happen pre-platform.

E911 dynamic

Per-seat address sync. RAY BAUM's Act + Kari's Law compliant.

FCC RMD listed

Robocall Mitigation Database registered. 10DLC vetted.

Data protection

Encrypted in transit.
Encrypted at rest. Isolated by tenant.

Defense in depth at every layer of the data path — from your handset to our backup vaults.

Step 01

TLS 1.3 · SRTP

Encryption in transit

Signalling, media, and app surface — all encrypted end-to-end.

Step 02

AES-256

Encryption at rest

Every database, recording bucket, and backup volume is encrypted.

Step 03

Per-tenant

Tenant isolation

Logical isolation per tenant. No shared queues, recordings, or transcripts.

Step 04

RPO 15m · RTO 4h

Backups & recovery

Daily encrypted backups. Recovery rehearsed every quarter.

Keys rotated quarterly

Per-region storage

Field-level redaction

Pen-tested annually

Identity & access

SSO, RBAC, SCIM, audit log.
Your IdP is the source of truth.

Wire Acepeak to Okta, Azure AD, or Google in minutes. Provision and deprovision through SCIM. Stream every action to your SIEM via webhook or syslog.

SSO / SAML 2.0

Okta, Azure AD, Google Workspace, OneLogin. Enforce IdP-only login.

Role-based access

Granular roles for admin, supervisor, agent, billing, read-only.

Immutable audit log

Every action stamped, exportable to SIEM via webhook or syslog.

SCIM provisioning

Auto-provision and deprovision seats from your IdP. Zero stale users.

Incident response

24/7 on-call. Notification within 24 hours.

A documented IR plan, tested twice a year. If something happens, your account team and DPO hear from us before you read about it.

Status page →

Ready for a phone stack the auditors approve?

FAQ

Questions, answered.

How does Acepeak handle security and compliance?

Acepeak runs a defense-in-depth program audited annually: SOC 2 Type II, GDPR, HIPAA-aligned, and PCI-DSS v4.0. Encryption is on by default — TLS 1.3 in transit, AES-256 at rest — and every action streams to your SIEM via webhook or syslog.

Can I get a SOC 2 report and DPA?

How is SSO and provisioning handled?

What about call-path protection — STIR/SHAKEN, E911, 10DLC?

How do encryption and tenant isolation work?

SOC 2 · GDPR · HIPAA

Your security, by default.

24/7 support included. Numbers ported from any carrier worldwide.

24/7 support60+ countriesSOC 2 Type IISSO included

Last updated: May 2026

Enterprise-grade security. Built into the platform.

Audited annually.Documented for procurement.

SOC 2 Type II

GDPR

HIPAA-aligned

PCI-DSS v4.0

POPIA

STIR/SHAKEN

The threat starts at the wire.So does our defence.

Tier 1 voice network

STIR/SHAKEN at carrier

E911 dynamic

FCC RMD listed

Encrypted in transit.Encrypted at rest. Isolated by tenant.

Encryption in transit

Encryption at rest

Tenant isolation

Backups & recovery

SSO, RBAC, SCIM, audit log.Your IdP is the source of truth.

SSO / SAML 2.0

Role-based access

Immutable audit log

SCIM provisioning

24/7 on-call. Notification within 24 hours.

Questions, answered.

Your security, by default.

Audited annually.
Documented for procurement.

The threat starts at the wire.
So does our defence.

Encrypted in transit.
Encrypted at rest. Isolated by tenant.

SSO, RBAC, SCIM, audit log.
Your IdP is the source of truth.