Compliance & Security

Data privacy, AI disclosure, recording consent, payments and security — compliance built in as a feature.

03 — Compliance & Security

AutoSpeak B2B · v1.0 · 2026-06-02

This doc covers our posture on data privacy, AI disclosure, recording consent, payments, sector rules, and security. Telephony-specific regulations are addressed as part of our regional rollout approach.

⚠️ Directional, not legal advice. This is a product and operations overview of how AutoSpeak approaches compliance. It is not legal advice. Regulations are reviewed with qualified counsel in each launch jurisdiction before go-live. Laws change; this reflects the landscape as understood in early 2026.


1. Why compliance is a product feature, not paperwork

AutoSpeak does three things regulators care about intensely: it processes voice (biometric-adjacent personal data), clones human voices (deepfake/consent risk), and autonomously calls/handles people (robocall, disclosure, fairness risk). For a global product the only sustainable answer is compliance-by-design: we build disclosure, consent, recording control, redaction, residency, and retention as runtime features configurable per tenant and per region. Enterprises buy this; skipping it is an existential risk (fines, bans, lawsuits).


2. Data privacy regimes (multi-region)

2.1 The big three (launch markets)

| Regime | Region | What it demands |
|---|---|---|
| GDPR | EU/EEA (+ UK GDPR) | Lawful basis (consent/contract), data-subject rights (access/erasure/portability), DPA with customers, sub-processor disclosure, breach notice (72h), DPIA for high-risk processing, EU data-transfer safeguards (SCCs), often EU data residency |
| DPDP Act 2023 | India | Consent + notice, data-principal rights, "Data Fiduciary" duties, breach notification, children's data rules, grievance officer; rules still operationalizing in 2025–26 and tracked closely |
| CCPA/CPRA | California (+ growing US state patchwork: VA, CO, CT, TX, etc.) | Notice at collection, opt-out of sale/share, access/delete, "sensitive personal information" limits, service-provider contracts |

2.2 Voice is sensitive data

  • Voiceprints/biometrics: several regimes treat voiceprints as biometric data with heightened rules — notably Illinois BIPA (private right of action, statutory damages), Texas/Washington biometric laws, GDPR Art. 9 (special category). Cloning a voice = creating a voiceprint → requires explicit, documented consent and tight handling.
  • Caller PII in transcripts: names, numbers, health/financial details spoken on calls → personal (sometimes special-category, e.g. health at a clinic). Minimized, encrypted, redacted, retention-limited.

2.3 Data-privacy capabilities we build

  • Consent capture & logging (per call, per region) — store what was disclosed, when, and the caller's response.
  • Lawful-basis config per tenant/region (consent vs. contract vs. legitimate interest).
  • Data-subject request (DSR) tooling — find/export/delete a person's data across stores (incl. recordings, transcripts, embeddings, backups).
  • Right to erasure — hard-delete incl. derived data (vector embeddings, analytics) and propagate to sub-processors.
  • Data residency routing — EU/India/US storage selectable per tenant; no cross-border movement without safeguards (SCCs).
  • Retention policies — configurable TTL on recordings/transcripts; default-minimal; auto-expiry.
  • Minimization & redaction — strip/redact card numbers, government IDs, health details from logs/recordings.
  • Encryption in transit + at rest, key management.
  • DPA + sub-processor list (see §7) and DPIA for high-risk processing (HR, biometrics).
  • Breach response runbook + notification timelines per regime.

3. AI disclosure (the bot-disclosure wave)

A fast-growing body of law requires that a person know they're talking to a machine. We build disclosure as an on-by-default, per-region configurable runtime feature.

| Law | Region | Requirement (essence) |
|---|---|---|
| EU AI Act, Art. 50 | EU | Providers/deployers must ensure people are informed they are interacting with an AI (unless obvious); transparency for AI-generated content and emotion-recognition/biometric systems. Phasing in 2025–2026. |
| California B.O.T. Act (SB 1001) | California | Must disclose a bot in commercial/influence contexts; cannot mislead about being human. |
| Utah AI Policy Act | Utah | Disclose use of generative AI when asked (and proactively in regulated occupations). |
| Colorado AI Act (SB 205) | Colorado | Consumer notice for AI systems in consequential decisions (incl. employment); effective ~2026. |
| EU AI Act — deepfakes | EU | AI-generated/manipulated audio (voice clones) must be labeled/disclosed. |
| Various (India/others) | Global | No single AI-disclosure statute in India yet (2026), but DPDP notice + consumer-protection + advisory guidance push toward disclosure; we disclose anyway as best practice. |

Implementation:

  • Default opening line: "Hi, you've reached <business>. I'm an AI assistant — I can help, or connect you to a person anytime."
  • Configurable script per tenant/region; cannot be disabled in regions that mandate it; disclosure is logged.
  • For voice clones, additionally treat as AI-generated audio (label/consent).

4. Recording consent

Recording law varies by who must consent:

  • One-party consent (e.g. many US states, India for a party to the call): one participant may record.
  • All-party / two-party consent (e.g. California, Florida, Illinois, Pennsylvania, Washington, and the EU generally): everyone must consent to recording.

Implementation:

  • Recording = configurable per tenant + per caller jurisdiction, defaulting to the stricter rule.
  • Spoken consent prompt when required: "This call may be recorded for quality — is that okay?" with capture of the yes/no and branch (don't record if declined).
  • Separate consent for recording vs. transcription vs. AI training (don't bundle; training on customer data needs its own opt-in via the customer DPA).
  • Recording access controls + audit; encryption; retention limits; redaction of payment segments.
  • Cross-border: EU recordings stay in-region.

Outbound calling with recording into an all-party-consent state, without consent, is a classic, expensive mistake. We geo-detect by callee number and apply the strict path. Number-based detection is a heuristic (ported and mobile numbers travel with their owners), which is why an unresolved jurisdiction falls back to the stricter rule rather than the one-party path.
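The decision logic described in this section, as an added example (not AutoSpeak's own code): resolve the consent rule from the callee's E.164 number, combine it with the tenant's policy by taking the stricter of the two, and either record, play the consent prompt, or refrain from recording when consent is declined. The country-code and US area-code tables are constructed for illustration only and are not a legal reference; an unknown number falls back to all-party consent.

```python
"""Added example: recording-consent decision by callee jurisdiction.
Not AutoSpeak's code; lookup tables are constructed and illustrative."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Rule(Enum):
    ONE_PARTY = 1
    ALL_PARTY = 2  # stricter; higher value wins when rules are combined


# Constructed lookups (not legal advice). Real deployments would consult a
# maintained numbering-plan database and counsel-reviewed rule tables.
COUNTRY_RULES = {"91": Rule.ONE_PARTY, "49": Rule.ALL_PARTY, "33": Rule.ALL_PARTY}
US_AREA_RULES = {"415": Rule.ALL_PARTY, "305": Rule.ALL_PARTY,
                 "312": Rule.ALL_PARTY, "512": Rule.ONE_PARTY}

PROMPT = "This call may be recorded for quality - is that okay?"


def resolve_rule(callee: str) -> Rule:
    """Map an E.164 number to a consent rule; unknown -> ALL_PARTY (strict).

    Number-based detection is a heuristic: ported and mobile numbers travel,
    so the safe default for anything unresolved is the stricter rule.
    """
    digits = "".join(ch for ch in callee if ch.isdigit())
    if digits.startswith("1") and len(digits) == 11:       # NANP: +1 NPA NXX XXXX
        return US_AREA_RULES.get(digits[1:4], Rule.ALL_PARTY)
    for length in (3, 2, 1):                               # longest country code first
        rule = COUNTRY_RULES.get(digits[:length])
        if rule is not None:
            return rule
    return Rule.ALL_PARTY


@dataclass
class Decision:
    rule: Rule
    action: str                      # "record" | "prompt" | "no-record"
    consent_log: dict = field(default_factory=dict)


def decide(callee: str, tenant_policy: Rule = Rule.ONE_PARTY,
           consent_answer: Optional[bool] = None) -> Decision:
    """Apply the stricter of tenant policy and callee jurisdiction.

    consent_answer is None before the prompt has been played; True/False is
    the caller's captured yes/no. Every outcome carries a log entry recording
    what rule applied and what the caller was asked.
    """
    jurisdiction = resolve_rule(callee)
    rule = max(jurisdiction, tenant_policy, key=lambda r: r.value)
    log = {"callee_jurisdiction_rule": jurisdiction.name, "applied_rule": rule.name}
    if rule is Rule.ONE_PARTY:
        # The business (a party to the call) consents; no prompt needed.
        return Decision(rule, "record", {**log, "prompted": False})
    if consent_answer is None:
        return Decision(rule, "prompt", {**log, "prompted": True, "prompt_text": PROMPT})
    # Branch on the captured answer: declined means no recording at all.
    return Decision(rule, "record" if consent_answer else "no-record",
                    {**log, "prompted": True, "answer": consent_answer})


if __name__ == "__main__":
    for number in ("+15125550123", "+14155550123", "+919876543210", "+999123456"):
        d = decide(number)
        print(number, d.rule.name, d.action)
```

The combination step is the important one: a tenant that opts into all-party consent everywhere gets the prompt even in a one-party jurisdiction, and a one-party tenant policy never downgrades an all-party callee.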


5. Payments compliance (PCI-DSS)

The moment a caller communicates a card number, PCI-DSS applies. Our strategy is to minimize scope so raw card data never touches our systems (see the Technical Architecture):

  • Preferred: pay-by-link (hosted payment page) → cardholder data never enters our environment, which keeps us at the minimal SAQ A scope rather than removing PCI obligations altogether.
  • If spoken/keypad capture is unavoidable: use a PCI-DSS certified DTMF/voice capture provider that masks digits from the AI, agents, and recordings.
  • Never transcribe/store a PAN; pause recording + disable transcription logging during payment capture; redact.
  • Use tokenization for cards on file; never store PANs, and never store security codes (CVV/CVC) after authorization.
  • Maintain the appropriate SAQ and annual attestation once live.
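The redaction and pause behaviour above, as an added example (not AutoSpeak's pipeline): a scrubber that drops the text of any transcript turn captured while the call was in a payment-capture state, and redacts Luhn-valid 13–19 digit sequences everywhere else so that a card number spoken outside the payment flow still never reaches logs. The Luhn check is what keeps phone numbers and order numbers from being redacted by accident. The turn format and the `payment_capture` state name are assumptions for this example.

```python
"""Added example: PAN redaction for transcripts/logs with a Luhn gate.
Not AutoSpeak's code; the transcript shape is assumed for illustration."""
import re
from typing import List, Tuple

# 13-19 digits, optionally separated by single spaces or dashes, not adjacent
# to other digits (so a 20-digit run is not sliced into a "card").
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
PAYMENT_STATE = "payment_capture"   # assumed state name


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check; every real PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(text: str) -> Tuple[str, int]:
    """Replace Luhn-valid card numbers with a masked marker; return (text, count)."""
    count = 0

    def repl(m: re.Match) -> str:
        nonlocal count
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            count += 1
            return "[PAN REDACTED ****" + digits[-4:] + "]"
        return raw                       # order/phone numbers fail Luhn: keep

    return CANDIDATE.sub(repl, text), count


def scrub_turns(turns: List[dict]) -> List[dict]:
    """Drop text captured during payment capture; redact PANs elsewhere."""
    out = []
    for t in turns:
        if t.get("state") == PAYMENT_STATE:
            out.append({**t, "text": "[payment capture - not transcribed]"})
        else:
            text, _ = redact_pans(t["text"])
            out.append({**t, "text": text})
    return out


# Constructed sample transcript (not real call data).
SAMPLE_TURNS = [
    {"speaker": "caller", "state": "conversation",
     "text": "order 1234567890123456, call me back on +1 415 555 0123"},
    {"speaker": "caller", "state": "conversation",
     "text": "actually my card is 4111 1111 1111 1111, can you just take it?"},
    {"speaker": "caller", "state": PAYMENT_STATE, "text": "4111 1111 1111 1111"},
]

if __name__ == "__main__":
    for turn in scrub_turns(SAMPLE_TURNS):
        print(turn["speaker"], turn["state"], turn["text"])
```

Run the scrubber before anything is persisted or shipped to a log sink; redacting after the fact only cleans the copy you know about. The Luhn gate is deliberately conservative: a non-Luhn 16-digit value stays, a Luhn-valid one goes, and the last four digits survive so support staff can still match a payment record.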

6. Sector-specific overlays

6.1 HR / recruiting (AutoSpeak Recruit) — highest risk

Employment decisions get special scrutiny. The AI must assist, humans must decide.

| Rule | Region | Requirement |
|---|---|---|
| EEOC / Title VII / ADA / ADEA | US | No disparate impact/treatment; reasonable accommodation; no disability-revealing questions; consistent process |
| NYC Local Law 144 | NYC | Automated Employment Decision Tools require a bias audit, candidate notice, and disclosure |
| Illinois AI Video Interview Act | Illinois | Notice + consent + explanation for AI analysis of interviews; data deletion on request |
| Colorado AI Act / EU AI Act (high-risk) | CO / EU | Employment = high-risk AI → risk management, transparency, human oversight, documentation, possibly conformity assessment |
| GDPR Art. 22 | EU | Right not to be subject to solely automated decisions with legal/significant effect → keep a human in the loop; provide explanation and a contest path |

Implementation:

  • Human-in-the-loop: AI scores/recommends; a human makes the hire/reject decision. Documented.
  • Consistent, role-relevant questions only; no protected-class questions (age, race, religion, disability, marital/family status, or citizenship beyond the work-authorization questions the law permits).
  • Candidate notice + consent before an AI screen; opt-out to a human screener always available.
  • Adverse-impact monitoring (track pass-through by group where lawful) + periodic bias audit (LL144).
  • Explainability & records — store questions, answers, score rationale; allow contest/deletion.
  • Accessibility/accommodation path (e.g., candidate needs a human or alternative format).

6.2 Hospitality (AutoSpeak Stay)

  • Payments (deposits/cancellations) → PCI (§5) + clear cancellation/refund terms (consumer-protection laws vary).
  • Guest PII (names, stay dates, sometimes passport/ID for check-in) → privacy + residency.
  • Accessibility & language — provide human fallback; honor accessibility needs.
  • Marketing/upsell during service calls must not violate consumer-protection/unfair-practice rules.

6.3 Health-adjacent (clinics using Reception)

  • If a tenant is a US healthcare provider, AutoSpeak may become a HIPAA Business Associate, which requires a BAA, stricter safeguards, and PHI-handling procedures. The healthcare vertical is therefore gated: it is not enabled for a tenant until a BAA is in place, which keeps HIPAA scope from creeping into the general platform.

7. Vendor/sub-processor & contractual stack

  • DPA with every customer (we act as processor for their caller data, or joint-controller in some cases — clarified per use case).
  • Sub-processor list — public and kept current, covering our telephony, speech, language-model, voice, hosting, database, and payments providers. Customers are notified of changes (GDPR).
  • Vendor due diligence: we confirm each sub-processor's certifications (SOC 2/ISO/PCI), DPAs, data-residency options, and whether they train on data (we turn that off / use enterprise/zero-retention tiers).
  • Zero/limited data retention modes with AI vendors so callers' data does not persist or train externally.

8. Security program

8.1 Technical controls (built into the platform)

  • Encryption in transit (TLS 1.2+) and at rest (DB, object store, backups); key management/rotation; secrets vault (no keys in code/repo).
  • Tenant isolation + RBAC + least privilege; per-request tenant scoping.
  • Audit logging (config changes, recording access, consent/disclosure events, data exports) — immutable, retained.
  • Network security, WAF, rate limiting, DDoS protection, signed webhooks.
  • PII/PCI redaction pipeline; data-loss-prevention on logs.
  • Vulnerability mgmt, dependency scanning, pen tests, secure SDLC, code review.
  • Backups + tested disaster recovery; defined RPO/RTO.
  • Incident response plan + breach-notification runbook.
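The "signed webhooks" control in the list above, as an added example of what that means in practice (this is illustrative code, not AutoSpeak's SDK): the sender signs the timestamp plus the raw request body with HMAC-SHA256 under a per-tenant secret, and the receiver recomputes the signature over the exact bytes received, compares in constant time, and rejects anything outside a replay window. Header names, the `v1=` prefix, and the 300-second tolerance are assumptions for this example.

```python
"""Added example: HMAC-SHA256 webhook signing with replay protection.
Not AutoSpeak's code; header names and tolerance are assumed."""
import hashlib
import hmac
import json

TS_HEADER = "X-AutoSpeak-Timestamp"    # assumed header names
SIG_HEADER = "X-AutoSpeak-Signature"
TOLERANCE_SECONDS = 300                # assumed replay window


def _signing_input(ts: int, body: bytes) -> bytes:
    # Bind the timestamp to the body so neither can be swapped independently.
    return f"{ts}.".encode("ascii") + body


def build_headers(secret: bytes, body: bytes, now: int) -> dict:
    """Sender side: sign the raw body bytes that will actually be transmitted."""
    sig = hmac.new(secret, _signing_input(now, body), hashlib.sha256).hexdigest()
    return {TS_HEADER: str(now), SIG_HEADER: "v1=" + sig}


def verify(secret: bytes, body: bytes, headers: dict, now: int) -> bool:
    """Receiver side. `body` must be the raw bytes as received: re-serialising
    parsed JSON changes whitespace/key order and breaks the signature."""
    try:
        ts = int(headers.get(TS_HEADER, ""))
    except ValueError:
        return False
    if abs(now - ts) > TOLERANCE_SECONDS:      # stale or future-dated: replay guard
        return False
    provided = headers.get(SIG_HEADER, "")
    if not provided.startswith("v1="):
        return False
    expected = hmac.new(secret, _signing_input(ts, body), hashlib.sha256).hexdigest()
    # Constant-time comparison: no timing side channel on the signature bytes.
    return hmac.compare_digest(expected, provided[3:])


if __name__ == "__main__":
    # Constructed sample event and secret.
    secret = b"whsec_constructed_example"
    event = json.dumps({"event": "call.completed", "tenant": "t_demo"}).encode()
    hdrs = build_headers(secret, event, now=1_700_000_000)
    print("fresh:", verify(secret, event, hdrs, now=1_700_000_010))
    print("replayed an hour later:", verify(secret, event, hdrs, now=1_700_003_600))
```

Two details matter more than the algorithm: verify over the raw bytes before JSON parsing, and reject by timestamp first so that a captured delivery cannot be replayed against a customer's endpoint after the window closes.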

8.2 Certifications

| Cert | Why |
|---|---|
| SOC 2 Type II | US enterprise table-stakes |
| ISO/IEC 27001 | Global/EU enterprise |
| ISO/IEC 42001 (AI management) | Emerging AI-governance assurance |
| PCI-DSS SAQ | Required for caller payments |
| HIPAA (BAA) | Only if healthcare vertical |
| GDPR/DPDP readiness | Required to sell in EU/India |

We use compliance-automation tooling to streamline evidence collection and shorten time-to-cert.


9. AI governance & responsible-AI

  • Voice-clone consent registry: only clone voices with documented, revocable consent; store provenance; watermark/disclose AI audio; block cloning of non-consented/3rd-party voices (deepfake misuse).
  • Model/eval governance: version models; eval before deploy (accuracy, bias, hallucination, latency); rollback path.
  • Guardrails: abuse/jailbreak resistance; refuse out-of-scope/harmful requests; escalate self-harm/emergency mentions to humans/appropriate resources.
  • Transparency & contestability: people can reach a human, know it's AI, and (for decisions) contest outcomes.
  • Acceptable-use policy for customers: no illegal robocalling, scams, non-consented cloning, prohibited targeting. Enforced, with offboarding of violators.

10. Compliance feature ↔ runtime mapping

| Compliance need | Runtime feature (ties to the Technical Architecture) |
|---|---|
| AI disclosure | Opening-script module, per-region, non-disableable where mandated, logged |
| Recording consent | Consent prompt + branch; recording on/off by callee jurisdiction; audit |
| PCI | Pay-by-link tool; recording/transcription pause + redaction during payment |
| Data residency | Region-pinned DB/buckets; routing by tenant/region |
| Erasure/DSR | Cross-store delete (database, vectors, recordings, analytics, backups) |
| HR fairness | Deterministic question flow, scoring rubric, human-in-loop gate, opt-out, adverse-impact logging |
| Voice-clone consent | Consent registry + provenance + AI-audio disclosure |
| Auditability | Immutable audit log of config, consent, disclosure, access |

Explore the rest of the suite → 00 — Master Index · 01 — PRD · 02 — Technical Architecture · 06 — India Route Map · 07 — Vertical Opportunities