Security & Compliance

How we protect your data — and the agreements we sign.

SIPmind handles your customers' calls, messages, and records. We treat that data as yours, not ours. This page describes exactly how it is protected, where it can live, and the contracts that put it in writing. We deliberately keep our claims accurate — we describe what we actually do, and we tell you plainly where a capability is provisioned per engagement rather than enabled by default.

SIPmind is built and operated by Techdab LLC, a United States company. It is available directly, or through certified local partners and integrators who can handle billing, deployment, and specific compliance requirements in your region.

Your data stays yours
Processor model · DPA with every customer
You choose where it lives
Regional hosting or fully self-hosted
Healthcare-ready
We sign a BAA before any PHI flows

Your data is yours — we are your processor

You remain the owner and controller of your data. SIPmind processes it only on your instruction, for the purpose of running your service — never for our own purposes, and never to train models for anyone else. We sign a Data Processing Agreement (DPA) with every customer that puts this in writing, including the list of subprocessors, security obligations, and data-deletion terms. We do not sell your data.

Encryption

All data is encrypted in transit (TLS 1.2+) and at rest. API keys and credentials are stored server-side only, never exposed to the browser or returned by our APIs, and shown masked in the interface.

Strict tenant isolation

Every account's data is scoped to its tenant in application code on every request — one customer's account cannot read, write, or even see another's. Row-level security is enabled at the database layer as an additional backstop.

Access control & auditability

Role-based access (administrator vs. operator) with least-privilege defaults: operators see conversations and leads, not settings, keys, or billing. Sensitive actions are logged, and device access (mobile / softphone) can be revoked instantly.

You choose where your data lives

This is where SIPmind goes further than a typical cloud product. You can:

We adapt to your local data-protection requirements, localize storage where your jurisdiction mandates it, and sign the agreements your regulator expects. For data that does cross a border (for example, to an AI processor), we do so only on a lawful basis you control, and we name every recipient in your DPA.

Healthcare: HIPAA-ready

For healthcare customers, "HIPAA-ready" is a concrete commitment, not a slogan. When you onboard, we provision your environment to meet the administrative, physical, and technical safeguards that HIPAA requires, sign a Business Associate Agreement (BAA), and put that protected setup in place before any protected health information is processed. It is built on HIPAA-eligible infrastructure.

We are deliberately precise about wording — there is no such thing as a HIPAA "certification" to hold, so we never imply one — but the substance is real and set up per practice: a signed BAA, an environment configured to the required safeguards, and a clear division of responsibilities. The moment a healthcare customer comes on board, this is exactly how we set it up.

Subprocessors, transparently

We rely on a small, vetted set of subprocessors for AI processing, database, and hosting. The current list — and the safeguards each one provides — is named in your DPA and available on request. We notify you before adding a new subprocessor that handles your data.

Retention & deletion you control

You decide how long data is kept. Call recordings, message attachments, and records have configurable retention with automatic deletion, and you can disable storage of sensitive attachments entirely. Deletion and export on request are part of our standard terms.

Incident response

We operate a documented detection and incident-response process and continuously monitor our systems. If an incident affects your data, we notify you promptly with the facts you need to meet your own obligations to your customers and your regulator.

Aligned with leading frameworks

Our security controls are designed around the objectives of SOC 2 and ISO 27001, and — for healthcare — HIPAA. We pursue formal, independent attestation in step with enterprise customer requirements. If you have a security questionnaire or need a specific control mapping, send it over — we answer them directly.

The agreements we sign

Trust should be in writing, not just on a page. With each customer we put in place:

Common questions

Where does our data live?

By default our platform database is in the EU. Where your jurisdiction requires the primary database to be in-country, we provision a dedicated in-region database as part of the engagement, and your telephony can run on your own infrastructure. The AI processor (OpenAI) is in the US — that step always crosses a border, on a lawful basis you control and named in your DPA.

What about the AI processing in another country?

Only the conversation text needed to answer is sent to our AI processor, on a lawful basis you control (your customers' consent — we give you the wording). Sensitive records — for example medical results — stay in your own system; we don't process them. Every recipient is named in your DPA.

What happens if there's a breach?

Encryption, strict per-tenant isolation, role-based access, and configurable retention + auto-deletion of recordings, plus a documented incident process — we notify you promptly so you can meet your own obligations.

How do you handle HIPAA?

We're HIPAA-ready: when a healthcare customer onboards, we provision the environment to the safeguards HIPAA requires and sign a BAA before any protected health information is processed. We don't claim a certification that doesn't exist.

Do you have SOC 2 or ISO 27001?

Our controls are designed around their objectives; we pursue formal, independent attestation as enterprise requirements call for it — and we'll complete your security questionnaire directly in the meantime.

Do you use our data to train AI?

No. We process your data only to run your service — never to train models for anyone else — and we never sell it.

Can we pay in our local currency, or not by card?

Yes. You can pay directly by card, or work through a certified local partner who bills you in your region and handles setup — useful where an international card payment isn't an option. For specific procurement, contracting, or on-premise requirements, we also work with you directly.

Talk to us

Security questionnaire, DPA, BAA, or a copy of our security overview — we'll get it to you quickly. Contact hello@sipmind.net.