Security & Trust

Security first.
Always.

Every call processed through Resonera.ai contains sensitive personal data — voice recordings, transcripts, and caller information. Here is exactly how we protect it.

Last updated: June 19, 2026

Built for call recording security

Resonera.ai processes voice call recordings, transcripts, and AI-derived analytics that constitute Sensitive Personal Data or Information (SPDI) under the IT (SPDI) Rules 2011. We apply strict technical and organisational controls to protect this data in compliance with the Information Technology Act 2000 and the Digital Personal Data Protection Act 2023.

01

Call Recording & Transcript Security

Call recordings and transcripts are among the most sensitive data we handle. We protect them with:

Audio in Transit

TLS 1.3 encryption for all audio streams
SRTP (Secure Real-time Transport Protocol) for voice data
Encrypted WebSocket connections for live transcription

Audio at Rest

AES-256 encryption for stored audio files
AES-256 encryption for transcript storage
Encrypted database backups with secure key rotation

Retention Controls

Target 90-day retention for recordings
Shorter retention available on request
Scheduled deletion being rolled out; deletion on request in the interim

Access to Recordings

Only the Platform Customer can access their call recordings
Resonera.ai staff access requires explicit authorisation and is logged
No cross-customer data access is possible by design
02

Data Encryption — End to End

All data processed by Resonera.ai is encrypted throughout its lifecycle:

In transit: TLS 1.3 for all API calls, dashboard traffic, audio streams, and webhook payloads
At rest: AES-256 for databases, file storage, and backup archives
Key management: Encryption keys are managed using a dedicated key management service with automated rotation
Database: Column-level encryption for sensitive fields including phone numbers and personally identifiable information
03

Access Controls

We enforce strict access controls to protect personal data and call records:

Multi-Factor Authentication (MFA): Mandatory for all Resonera.ai team members and customer-facing accounts
Role-Based Access Control (RBAC): Granular permissions — customer agents, managers, and admins have segregated access scopes
Principle of Least Privilege: Engineers and staff only access data required for their specific function
Privileged Access Management: All administrative access to production systems requires just-in-time authorisation with time-limited sessions
Access Reviews: Quarterly review of all user permissions and service account access
04

Infrastructure Security

Cloud Hosting

Call recordings are stored in the AWS Mumbai (ap-south-1) region. Some AI processing (speech and language models) occurs with providers outside India under contractual safeguards — see our Privacy Policy.

Network Isolation

Production, staging, and development environments are fully isolated. VPC with private subnets for data processing layers.

DDoS Protection

Layer 3/4/7 DDoS mitigation active on all public-facing infrastructure including voice ingress endpoints.

Firewall Controls

Strict ingress/egress rules with default-deny posture. Only explicitly permitted traffic is allowed.

Patch Management

Operating system and dependency patches applied within 14 days of release for critical vulnerabilities, 30 days otherwise.

Secure Boot

All compute instances use verified boot to detect tampering at startup.

05

Monitoring & Audit Logging

We maintain comprehensive audit trails for all access to personal data and call records:

Audit logs: Every access to call recordings, transcripts, and personal data is logged with timestamp, user ID, and action — as required under Rule 8 of the IT (SPDI) Rules 2011
Log retention: Audit logs are retained for 2 years and cannot be deleted by regular users
Real-time alerting: Automated alerts for anomalous access patterns, bulk data downloads, and failed authentication attempts
Intrusion detection: SIEM-based threat detection running continuously across all infrastructure layers
Uptime monitoring: 24/7 monitoring of all service endpoints with automated incident escalation
06

Compliance & Indian Law

Our security practices are designed to meet or exceed the requirements of:

IT Act 2000 & IT (SPDI) Rules 2011: Reasonable security practices as defined in Rule 8, including encryption, access controls, and audit logging for SPDI (call recordings constitute SPDI)
DPDP Act 2023: Data minimisation, purpose limitation, storage limitation, and security safeguards as required for Digital Personal Data processing
TRAI Regulations: Compliance with telecom recording and data storage obligations
RBI IT Framework (for financial sector customers): We can provide security documentation to support your own RBI IT Framework compliance on request
07

Incident Response

We maintain a documented incident response procedure with defined response times:

Detection & Classification

Automated systems detect potential security events in real-time. All alerts are triaged within 1 hour.

Containment & Remediation

Affected systems are isolated immediately. Root cause analysis begins within 4 hours of detection.

Notification

Data breach notification to affected Platform Customers within 72 hours of confirmation, as required by the DPDP Act 2023 and IT Act 2000.

08

Sub-Processor Security

We use a vetted set of sub-processors for telephony, speech-to-text, AI language models, text-to-speech, cloud hosting, authentication, and payments. All sub-processors are bound by contractual data-processing terms that require appropriate security standards. The named list of sub-processors is published in our Privacy Policy, and an up-to-date list is available to Platform Customers on request at [email protected].

09

Report a Vulnerability

If you discover a security vulnerability in the Resonera.ai platform, please report it immediately to our security team. We follow responsible disclosure principles and will acknowledge your report within 24 hours.

Security Contact

Email: [email protected] · Response: within 24 hours

Please include: description of the vulnerability, steps to reproduce, potential impact, and your contact information.

Our security controls are aligned with the IT (SPDI) Rules 2011 and DPDP Act 2023. This page was last updated on June 19, 2026. Security practices are reviewed periodically. This page describes our security approach and is not a binding warranty.

On this page
Compliance Standards
IT Act 2000
IT (SPDI) Rules 2011
DPDP Act 2023
TRAI Regulations
Indian Contract Act 1872