Security & Compliance
How we protect your data — and the agreements we sign.
SIPmind handles your customers' calls, messages, and records. We treat that data as yours, not ours. This page describes exactly how it is protected, where it can live, and the contracts that put it in writing. We deliberately keep our claims accurate — we describe what we actually do, and we tell you plainly where a capability is provisioned per engagement rather than enabled by default.
SIPmind is built and operated by Techdab LLC, a United States company. It is available directly, or through certified local partners and integrators who can handle billing, deployment, and specific compliance requirements in your region.
Your data is yours — we are your processor
You remain the owner and controller of your data. SIPmind processes it only on your instruction, for the purpose of running your service — never for our own purposes, and never to train models for anyone else. We sign a Data Processing Agreement (DPA) with every customer that puts this in writing, including the list of subprocessors, security obligations, and data-deletion terms. We do not sell your data.
Encryption
All data is encrypted in transit (TLS 1.2+) and at rest. API keys and credentials are stored server-side only, never exposed to the browser or returned by our APIs, and shown masked in the interface.
Strict tenant isolation
Every account's data is scoped to its tenant in application code on every request — one customer's account cannot read, write, or even see another's. Row-level security is enabled at the database layer as an additional backstop.
Access control & auditability
Role-based access (administrator vs. operator) with least-privilege defaults: operators see conversations and leads, not settings, keys, or billing. Sensitive actions are logged, and device access (mobile / softphone) can be revoked instantly.
You choose where your data lives
This is where SIPmind goes further than a typical cloud product. You can:
- Regional data residency — our platform database is in the EU by default; where your jurisdiction requires the primary database to be in-country, we provision a dedicated in-region database and storage as part of the engagement.
- Run on your own telephony — connect your own PBX/SIP so live call audio is handled on your own infrastructure (production-proven with our lab customer in Kazakhstan). Live call audio is processed in real time by the AI model (OpenAI); under a BAA on eligible endpoints it is not retained. Records and recordings are stored in our database — EU by default, or in-region per the option above.
We adapt to your local data-protection requirements, localize storage where your jurisdiction mandates it, and sign the agreements your regulator expects. For data that does cross a border (for example, to an AI processor), we do so only on a lawful basis you control, and we name every recipient in your DPA.
Healthcare: HIPAA-ready
For healthcare customers, "HIPAA-ready" is a concrete commitment, not a slogan. When you onboard, we provision your environment to meet the administrative, physical, and technical safeguards that HIPAA requires, sign a Business Associate Agreement (BAA), and put that protected setup in place before any protected health information is processed. It is built on HIPAA-eligible infrastructure.
We are deliberately precise about wording — there is no such thing as a HIPAA "certification" to hold, so we never imply one — but the substance is real and set up per practice: a signed BAA, an environment configured to the required safeguards, and a clear division of responsibilities. The moment a healthcare customer comes on board, this is exactly how we set it up.
Subprocessors, transparently
We rely on a small, vetted set of subprocessors for AI processing, database, and hosting. The current list — and the safeguards each one provides — is named in your DPA and available on request. We notify you before adding a new subprocessor that handles your data.
Retention & deletion you control
You decide how long data is kept. Call recordings, message attachments, and records have configurable retention with automatic deletion, and you can disable storage of sensitive attachments entirely. Deletion and export on request are part of our standard terms.
Incident response
We operate a documented detection and incident-response process and continuously monitor our systems. If an incident affects your data, we notify you promptly with the facts you need to meet your own obligations to your customers and your regulator.
Aligned with leading frameworks
Our security controls are designed around the objectives of SOC 2 and ISO 27001, and — for healthcare — HIPAA. We pursue formal, independent attestation in step with enterprise customer requirements. If you have a security questionnaire or need a specific control mapping, send it over — we answer them directly.
The agreements we sign
Trust should be in writing, not just on a page. With each customer we put in place:
- Data Processing Agreement (DPA) — roles, purposes, security obligations, subprocessors, deletion.
- Business Associate Agreement (BAA) — for healthcare customers handling protected health information.
- Confidentiality and a clear allocation of responsibilities between you (the data controller) and SIPmind (your processor).
Common questions
Where does our data live?
By default our platform database is in the EU. Where your jurisdiction requires the primary database to be in-country, we provision a dedicated in-region database as part of the engagement, and your telephony can run on your own infrastructure. The AI processor (OpenAI) is in the US — that step always crosses a border, on a lawful basis you control and named in your DPA.
What about the AI processing in another country?
Only the conversation text needed to answer is sent to our AI processor, on a lawful basis you control (your customers' consent — we give you the wording). Sensitive records — for example medical results — stay in your own system; we don't process them. Every recipient is named in your DPA.
What happens if there's a breach?
Encryption, strict per-tenant isolation, role-based access, and configurable retention + auto-deletion of recordings, plus a documented incident process — we notify you promptly so you can meet your own obligations.
How do you handle HIPAA?
We're HIPAA-ready: when a healthcare customer onboards, we provision the environment to the safeguards HIPAA requires and sign a BAA before any protected health information is processed. We don't claim a certification that doesn't exist.
Do you have SOC 2 or ISO 27001?
Our controls are designed around their objectives; we pursue formal, independent attestation as enterprise requirements call for it — and we'll complete your security questionnaire directly in the meantime.
Do you use our data to train AI?
No. We process your data only to run your service — never to train models for anyone else — and we never sell it.
Can we pay in our local currency, or not by card?
Yes. You can pay directly by card, or work through a certified local partner who bills you in your region and handles setup — useful where an international card payment isn't an option. For specific procurement, contracting, or on-premise requirements, we also work with you directly.
Talk to us
Security questionnaire, DPA, BAA, or a copy of our security overview — we'll get it to you quickly. Contact hello@sipmind.net.