Trust Center
adaptlive handles phone calls, transcripts, customer context, SMS, and follow-up records: work the customer owns and can audit. Below is what we actually do in each area, not just a wall of policy links.
Posture
What we hold, and what we're building toward
- SOC 2 Type II: In progress
Readiness program in flight. Controls mapped to all five Trust Services Criteria; auditor selection underway.
- GDPR: Aligned
Data subject access + erasure paths in production. EU subprocessors disclosed; SCCs in place where required.
- CCPA / CPRA: Aligned
California consumer requests honored through the same support pathway as GDPR DSARs.
- HIPAA-aware: Available on request
We are not a Covered Entity. Customers in regulated verticals can build BAA-eligible paths via our infrastructure providers (Twilio HIPAA, Vercel Enterprise).
- TCPA / SMS consent: In production
Every outbound SMS is gated on ContactMethod.optInStatus. STOP / UNSUBSCRIBE keywords honored on the wire.
By topic
The bullets under each topic are the controls and practices we run today, not promises or pointers to documents.
Compliance
How we map day-to-day operations onto SOC 2, GDPR, CCPA, and TCPA — and where we are on each.
SOC 2 Type II readiness
Controls inventoried against all five Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy). Engineering changes ride through code review + pull-request gates; production deploys require status checks to pass; access reviews run quarterly. The Type II observation window opens once auditor selection finalizes.
GDPR + UK GDPR
Data subject access requests (export of the customer's data) and right-to-erasure are honored via the support inbox — documented response window of 30 days. EU-based subprocessors are disclosed with notice obligations on changes.
CCPA / CPRA
California consumer requests use the same intake. We do not sell personal information; the Do Not Sell signal (Global Privacy Control) is honored if a visitor's browser sends it.
TCPA / SMS consent
Every outbound message routes through a consent check on ContactMethod.optInStatus. Opt-out keywords (STOP, UNSUBSCRIBE, CANCEL, END, QUIT) flip the recipient's status atomically. Conversations resume only on explicit opt-in.
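As an added illustration of the gate described above (example code, not adaptlive's own implementation), here is an outbound send check on ContactMethod.optInStatus together with the inbound handler that flips it on an opt-out keyword. The Map stands in for the database row, the status values and the opt-in keyword list (START, UNSTOP, YES) are assumptions, and the page itself only names the opt-out keywords.

```typescript
// Added example, not adaptlive's own code: an outbound SMS gate on
// ContactMethod.optInStatus plus the inbound keyword handler that flips it.
// The Map stands in for the database row; the opt-in keyword list is an
// assumption (the page lists only the opt-out keywords).
type OptInStatus = "OPTED_IN" | "OPTED_OUT" | "UNKNOWN";

export interface ContactMethod {
  id: string;
  e164: string;            // phone number in E.164 form
  optInStatus: OptInStatus;
  statusChangedAt: Date;
  statusReason: string;    // keyword or action behind the last change
}

export type ContactStore = Map<string, ContactMethod>;

// Opt-out keywords from the page. Opt-in keywords are assumed.
const OPT_OUT_KEYWORDS = new Set(["STOP", "UNSUBSCRIBE", "CANCEL", "END", "QUIT"]);
const OPT_IN_KEYWORDS = new Set(["START", "UNSTOP", "YES"]);

// Whole-body match after normalisation: "Stop." and "  stop " opt out, but
// "please stop texting me" matches no keyword and is left for a human to
// read rather than being silently acted on or silently ignored.
export function normalizeKeyword(body: string): string {
  return body.trim().replace(/[.!?,;:]+$/u, "").trim().toUpperCase();
}

// Inbound handler. The whole row is replaced in one Map.set, the in-memory
// stand-in for a single UPDATE ... WHERE id = ? against the real table.
export function handleInbound(
  store: ContactStore,
  contactId: string,
  body: string,
  now: Date = new Date(),
): OptInStatus {
  const current = store.get(contactId);
  if (!current) throw new Error(`unknown contact ${contactId}`);
  const keyword = normalizeKeyword(body);
  let next: OptInStatus | null = null;
  if (OPT_OUT_KEYWORDS.has(keyword)) next = "OPTED_OUT";
  else if (OPT_IN_KEYWORDS.has(keyword)) next = "OPTED_IN";
  if (next === null || next === current.optInStatus) return current.optInStatus;
  const updated: ContactMethod = {
    ...current,
    optInStatus: next,
    statusChangedAt: now,
    statusReason: keyword,
  };
  store.set(contactId, updated);
  return updated.optInStatus;
}

// Outbound gate: the single choke point before a message is handed to the
// carrier. Anything other than an explicit OPTED_IN is a refusal, including
// the UNKNOWN state of a contact who has never opted in.
export function gateOutbound(
  store: ContactStore,
  contactId: string,
): { allowed: boolean; reason: string } {
  const cm = store.get(contactId);
  if (!cm) return { allowed: false, reason: "no such contact" };
  if (cm.optInStatus !== "OPTED_IN") {
    return { allowed: false, reason: `optInStatus=${cm.optInStatus}` };
  }
  return { allowed: true, reason: "opted in" };
}

// Constructed sample data for a stand-alone run.
export function demoStore(): ContactStore {
  const store: ContactStore = new Map();
  store.set("cm_1", { id: "cm_1", e164: "+15555550100", optInStatus: "OPTED_IN", statusChangedAt: new Date(0), statusReason: "web form" });
  store.set("cm_2", { id: "cm_2", e164: "+15555550101", optInStatus: "UNKNOWN", statusChangedAt: new Date(0), statusReason: "imported" });
  return store;
}
```

The point of the single choke point is that no other code path constructs a carrier send: every caller goes through gateOutbound, so a missing check cannot creep in elsewhere. The refusal reason is returned rather than thrown so the caller can write it to the audit trail.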
Product Security
RBAC, scoped API keys, audit trails, and field-change history baked into the application itself.
Role-based access control
Members get role-based permissions inside their organization. The Ops Console is additionally gated by Clerk publicMetadata.adaptliveAdmin = true — a small allow-list separate from per-org admin.
Scoped API keys
Per-org API keys carry explicit scopes (READ / WRITE / ADMIN). Keys are issued from /portal/api-keys, hashed at rest, and revocable instantly. The plaintext is shown exactly once on mint — neither we nor the customer can recover it after.
Audit events
Sensitive actions write an AuditEvent row: API key mint + revoke, role changes, routing edits, partner approvals, webhook subscription changes. Records are immutable from the customer UI and queryable from the Ops Console.
Field change history
Every edit to a customer record or work record is captured as an entry in the field change history — who changed what, from what value, at what time. Operators see it inline as a per-field history popover.
Webhook delivery audit + replay
Outbound webhook deliveries are recorded with request body, response, status code, and latency. Failed deliveries can be replayed from the portal, both to diagnose the failure and to backfill events after a customer's endpoint recovers.
Data Security
Encryption at rest and in transit, per-organization isolation, retention policy enforcement, and verified deletion.
Encryption in transit
TLS 1.2+ on the entire wire — web, API, SMS via Twilio Conversations, voice via Twilio Voice SDK. We don't accept HTTP downgrades.
Encryption at rest
Postgres at rest is encrypted by Neon (AES-256). Vercel Blob storage for media uses provider-managed AES-256. Audio recordings are stored on Twilio's HIPAA-eligible storage.
Per-organization isolation
Every Prisma query in the codebase is org-scoped — there is no global read path that crosses tenants. The Ops Console is the only surface that intentionally crosses; access there is gated on the publicMetadata flag described under Product Security.
Retention policies
Per-organization RetentionPolicy rows configure transcript TTL, recording TTL, and message-thread TTL. The nightly steward job sweeps records past their TTL and writes a deletion record so the customer's audit trail captures the event.
Deletion + export pathways
Customer-initiated export and erasure requests are handled through the support inbox at /messages → Contact AdaptLive Support. Acknowledged within 7 days; completed within 30. Exports include records, transcripts, and audit trail.
Access Control
Clerk SSO + MFA, least-privilege, short-lived sessions, and one-time-secret API keys.
Authentication
Identity is managed by Clerk. SSO via SAML / OIDC is available on the Business plan; MFA is enforceable per-organization. We never store plaintext passwords.
Least privilege
Ops staff need an explicit publicMetadata.adaptliveAdmin flag on their Clerk account to reach the Ops Console. Within the console, individual actions are additionally gated on per-action role checks — the flag is necessary, not sufficient.
Session lifecycle
Short-lived JWTs with refresh on activity. Idle sessions expire automatically per Clerk's configured policy.
One-time API key secrets
Keys are hashed at rest. The first-mint response is the only time the plaintext exists; neither staff nor the customer can recover it after. Lost keys are revoked + replaced.
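The scoped-key and one-time-secret properties described under Product Security and again here can be shown in a short mint/verify pair. This is an added example, not adaptlive's own code: the wire format "al.<keyId>.<secret>", the column names, and the Map standing in for the ApiKey table are assumptions. The scopes READ / WRITE / ADMIN and the "plaintext exists only at mint" rule come from the page.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Added example, not adaptlive's own code: one-time-secret API keys with
// explicit scopes. The Map stands in for the ApiKey table; the wire format
// "al.<keyId>.<secret>" and the field names are assumptions.
export type Scope = "READ" | "WRITE" | "ADMIN";

export interface ApiKeyRecord {
  id: string;          // public identifier, safe to log
  orgId: string;
  scopes: Scope[];
  secretHash: Buffer;  // SHA-256 of the secret; the secret itself is never stored
  revokedAt: Date | null;
}

export type KeyStore = Map<string, ApiKeyRecord>;

// Plain SHA-256 is the right tool here: the secret is 256 bits of CSPRNG
// output, so a slow password hash buys nothing against brute force and would
// only add latency to every authenticated request.
function hashSecret(secret: string): Buffer {
  return createHash("sha256").update(secret, "utf8").digest();
}

// Mint: returns the plaintext exactly once. Nothing written to the store can
// be turned back into the secret.
export function mintApiKey(store: KeyStore, orgId: string, scopes: Scope[]): string {
  const id = randomBytes(8).toString("hex");
  const secret = randomBytes(32).toString("base64url");
  store.set(id, { id, orgId, scopes: [...scopes], secretHash: hashSecret(secret), revokedAt: null });
  return `al.${id}.${secret}`;
}

// Revoke: the row stays (the audit trail references it), the key stops working.
export function revokeApiKey(store: KeyStore, id: string, when: Date = new Date()): boolean {
  const rec = store.get(id);
  if (!rec || rec.revokedAt) return false;
  store.set(id, { ...rec, revokedAt: when });
  return true;
}

// Fixed dummy so a lookup miss takes the same hash-and-compare path as a hit.
const DUMMY_HASH = hashSecret("not-a-real-secret");

// Verify a presented bearer token against one org and one required scope.
// Scopes are matched exactly, as the page describes them ("explicit scopes");
// whether ADMIN should imply WRITE is a policy decision not made here.
export function verifyApiKey(
  store: KeyStore,
  presented: string,
  orgId: string,
  needed: Scope,
): { ok: boolean; reason: string; keyId?: string } {
  const parts = presented.split(".");
  if (parts.length !== 3 || parts[0] !== "al") return { ok: false, reason: "malformed key" };
  const id = parts[1];
  const secret = parts[2];
  const rec = store.get(id);
  const expected = rec ? rec.secretHash : DUMMY_HASH;
  const matches = timingSafeEqual(hashSecret(secret), expected); // both 32 bytes
  if (!rec || !matches) return { ok: false, reason: "unknown key or bad secret" };
  if (rec.revokedAt) return { ok: false, reason: "key revoked", keyId: id };
  if (rec.orgId !== orgId) return { ok: false, reason: "key belongs to another org", keyId: id };
  if (!rec.scopes.includes(needed)) return { ok: false, reason: `missing scope ${needed}`, keyId: id };
  return { ok: true, reason: "ok", keyId: id };
}
```

Carrying a public key id in the token lets the verifier fetch one row instead of hashing the presented secret against every key, and gives the audit trail a stable identifier that is safe to log. The org check matters even when the hash matches: a valid key for organization A must not unlock organization B's resources.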
Infrastructure
What we run on, where it sits, and what each underlying provider brings to our compliance posture.
Application hosting
Vercel (SOC 2 Type II, ISO 27001, PCI DSS). US regions by default. Production deploys are gated on CI status checks and require explicit promotion from a preview deployment.
Database
Neon Postgres (SOC 2, GDPR-compliant). Point-in-time recovery covers 7 days on production. The dev branch is separately instanced — production data does not flow into dev.
Telephony
Twilio (SOC 2, HIPAA-eligible products available). SMS rides Conversations; voice rides Voice SDK + Programmable Voice. Recording storage stays with Twilio under their compliance posture.
Realtime + background jobs
Ably for cockpit realtime fan-out (SOC 2). Inngest for durable background jobs with retries + dead-letter handling (SOC 2; reports available under MNDA).
AI inference
Anthropic Claude (SOC 2 Type II). Zero-data-retention contract available — customer call transcripts and content are not used to train models.
Email + identity
Resend for transactional email (SOC 2). Clerk for authentication + organization management (SOC 2 Type II).
App Security
How shipped code gets vetted — dependencies, static analysis, secrets, and runtime input validation.
Dependency review
GitHub Actions dependency-review check runs on every pull request; flags new advisories, license changes, and version downgrades. Renovate-equivalent automation keeps base dependencies current.
Static analysis
CodeQL semantic analysis runs on every push to main. Issues block merges via required status checks.
Secret scanning
scripts/secret-scan.mjs runs in pre-deploy CI. GitHub secret scanning is also enabled at the repo level. Tokens caught by either path trigger immediate rotation.
Runtime input validation
Every server action and API route validates inputs through Zod schemas before any database write. TypeScript strict mode is on across the monorepo.
Code review + branch protection
Every production change ships via pull request. Direct pushes to main are blocked. Automated review (Greptile + Codex) runs on every PR; PRs hit production only after passing both plus deploy preview checks.
Network Security
Webhook signing, secret rotation, and how we keep the surface area small.
Inbound webhook signature verification
Every inbound webhook (Twilio, Inngest, Resend, Clerk, Stripe) is verified against the provider's signature scheme before any handler logic runs. Missing or bad signatures get rejected at the route boundary.
Outbound webhook signing
Customer-bound webhook deliveries are signed with a per-subscription secret. Customers verify with the algorithm documented at /developers/api.
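The two webhook controls above, inbound verification before any handler runs and outbound signing with a per-subscription secret, are the same HMAC construction seen from both sides. The block below is an added example, not adaptlive's own code and not the scheme published at /developers/api: the header layout "t=<unix seconds>,v1=<hex HMAC-SHA256>", the 5-minute replay tolerance, and the sample payload are assumptions.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Added example, not adaptlive's own code: HMAC-SHA256 signing of a
// customer-bound webhook and the matching receiver-side check. The header
// layout "t=<unix seconds>,v1=<hex mac>" and the 300-second replay window are
// assumptions standing in for the scheme documented at /developers/api.

// Sender side. The timestamp is folded into the MAC input so a captured
// delivery cannot be replayed later with a fresh-looking timestamp.
export function signWebhook(secret: string, rawBody: string, timestampSec: number): string {
  const mac = createHmac("sha256", secret)
    .update(`${timestampSec}.${rawBody}`, "utf8")
    .digest("hex");
  return `t=${timestampSec},v1=${mac}`;
}

// Receiver side. Verify over the raw request bytes, before JSON.parse:
// re-serialising a parsed object changes whitespace and key order and the
// MAC will no longer match.
export function verifyWebhook(
  secret: string,
  rawBody: string,
  signatureHeader: string | undefined,
  nowSec: number,
  toleranceSec = 300,
): { ok: boolean; reason: string } {
  if (!signatureHeader) return { ok: false, reason: "missing signature header" };

  const fields = new Map<string, string>();
  for (const part of signatureHeader.split(",")) {
    const eq = part.indexOf("=");
    if (eq > 0) fields.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  const t = Number(fields.get("t"));
  const v1 = fields.get("v1");
  // 64 hex chars guarantees a 32-byte buffer, which timingSafeEqual requires.
  if (!Number.isInteger(t) || !v1 || !/^[0-9a-f]{64}$/.test(v1)) {
    return { ok: false, reason: "malformed signature header" };
  }
  if (Math.abs(nowSec - t) > toleranceSec) {
    return { ok: false, reason: "timestamp outside tolerance (possible replay)" };
  }

  const expected = createHmac("sha256", secret).update(`${t}.${rawBody}`, "utf8").digest();
  const presented = Buffer.from(v1, "hex");
  if (!timingSafeEqual(presented, expected)) return { ok: false, reason: "signature mismatch" };
  return { ok: true, reason: "ok" };
}

// Constructed sample delivery for a stand-alone run.
export const SAMPLE_SECRET = "whsec_example_subscription_secret";
export const SAMPLE_BODY = JSON.stringify({ event: "call.completed", callId: "call_123" });
export const SAMPLE_SENT_AT = 1_700_000_000;
export function sampleHeader(): string {
  return signWebhook(SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_SENT_AT);
}
```

On the receiving end the check belongs at the route boundary, before the body is parsed or any handler logic runs, which is the ordering the Inbound card describes. Rejecting on a stale timestamp bounds the window in which a captured delivery can be replayed; the per-subscription secret bounds the damage if one customer's secret leaks.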
Surface area
Marketing pages are the only public surface. Every /api/v1 route is bearer-auth-gated; every /api/twilio/* route is signature-gated; the entire (app) route group is Clerk-gated.
Secret rotation
Provider secrets (Twilio Auth Token, Anthropic key, Resend key, etc.) are stored in Vercel project env vars and rotated on staff offboarding or any suspected exposure. Rotation is a two-step deploy to avoid downtime.
Reliability
Public status page, durable background jobs, and the retry/replay paths that keep things moving when something blips.
Public status page
Uptime + per-component status at /status. Incidents posted within 15 minutes of detection; postmortems published for any incident over 30 minutes.
Durable background jobs
Inngest backs every async path — voicemail transcription, missed-call recovery, appointment SMS, partner provisioning. Jobs retry with exponential backoff; dead-lettered jobs surface in the Ops Console for manual replay.
Twilio Conversations mirror
Every SMS event lands in our Postgres mirror via the Conversations webhook. The Conversations service itself is the source of truth; our mirror is the queryable audit copy. A reconcile job runs hourly to verify no events were missed.
Deploy strategy
Vercel preview deployments per pull request. Production promotion is explicit — a passing preview can be promoted with one click. Bad promotions roll back to the previous build instantly.
Privacy
Consent-aware capture, customer data ownership, transparent subprocessor list, and the requests pathway.
Consent-aware capture
Recording, transcription, and outbound SMS are each gated on consent. Recording requires an inbound consent greeting or a manual operator confirm; transcription respects per-org opt-out; SMS rides through ContactMethod.optInStatus checks on every send.
Customer data ownership
Call records, transcripts, contact context, and message history belong to the customer's organization. We do not use customer content to train models. Anthropic Claude is contracted with zero-data-retention for our inference traffic.
Subprocessors
We publish the full subprocessor list at /legal/subprocessors with a commitment to give notice on additions. Vendors that touch customer data are vetted for SOC 2 (or equivalent) before adoption.
Cookies + analytics
Consent Mode v2 — analytics and advertising storage default to denied until the visitor accepts. Marketing pages have a cookie banner; in-app pages do not set analytics cookies without consent.
Privacy requests
Access, portability, correction, and erasure requests are handled through the support inbox at /messages → Contact AdaptLive Support. Acknowledged within 7 days; completed within 30.
Gated artifacts
Request access under NDA
Audit reports, pentest summaries, and security questionnaires are shared under a confidentiality agreement. Submit the request below and we'll send the artifact within 2 business days.
- SOC 2 Type I Report: Planned for Q3 2026
Independent audit evaluating the design of our security controls at a point in time.
- SOC 2 Type II Report: Planned for Q4 2026
Examines operational effectiveness of those controls over a multi-month observation window.
- Penetration Test Summary: Scheduled July 2026
Executive report covering full external + application security assessments.
- ISO 27001 Certificate: Planned 2027
Comprehensive Information Security Management standard, audited annually.
- SIG Lite Questionnaire: Draft complete
Industry-standard security assessment questionnaire; draft available under NDA.
Report a vulnerability
Coordinated disclosure path for security researchers. We respond within 2 business days and partner on fix + disclosure timing.
Reviewer + procurement questions
If you're evaluating adaptlive for a buyer's security review, hit us — we'll point you at the right artifact and answer questions on the record.
