How we handle security and compliance

When you're processing live sales calls—potentially containing customer data, pricing details, and strategic discussions—security isn't optional. Here's our approach to data handling, infrastructure security, and our roadmap to SOC 2 Type II certification. Note: SalesHUD is now focused on next-step certainty (wrap-up drift detection → next-step lock → proof metrics).

The security challenge of real-time call processing

SalesHUD listens to live conversations on Zoom, Google Meet, and Microsoft Teams, extracts context, and surfaces information in real-time. That means:

• Audio streams (potentially containing sensitive customer info)
• Transcripts of every word said on a call
• CRM data pulled in for context
• Playbooks that might contain proprietary sales strategies

Every part of this pipeline is a potential security surface. Here's how we think about protecting it.

Our security principles

How we handle call audio and transcripts

Audio processing

When SalesHUD joins a meeting, it receives an audio stream. Here's what happens:

1. Audio is transcribed in real-time using a speech-to-text service (we use Deepgram, which is SOC 2 Type II certified).
2. Audio itself is never stored. Once transcribed, the audio stream is discarded. We don't keep recordings.
3. Transcripts are retained for the duration specified by your retention policy (default: 90 days). After that, they're permanently deleted.

Why this matters: Many call recording tools store full audio files indefinitely. We don't. If you want recordings, you should use a dedicated tool (like Gong or Chorus). SalesHUD is for real-time guidance, not archival. Learn more about how it works →

Transcript redaction

Sometimes sensitive information gets mentioned on calls: credit card numbers, Social Security numbers, API keys. We automatically redact these using pattern matching before transcripts are stored.

What gets redacted:

• Credit card numbers (16-digit patterns)
• Social Security numbers (XXX-XX-XXXX patterns)
• API keys and tokens (detected via entropy analysis)

You can also configure custom redaction rules for industry-specific identifiers (e.g., patient IDs in healthcare).

Infrastructure security

Cloud architecture

SalesHUD runs on AWS, leveraging managed services where possible to benefit from their security posture:

• Compute: ECS Fargate (no SSH access, ephemeral containers)
• Database: RDS with automated backups and point-in-time recovery
• Object storage: S3 with versioning and lifecycle policies
• Networking: VPCs with private subnets, no public database access

Tenant isolation

Every organization's data is logically isolated. We use row-level security policies and per-tenant encryption keys. Even if an attacker gained database access (which would require multiple layers of compromise), they couldn't access other tenants' data without the corresponding keys.

Secrets management

API keys, database credentials, and encryption keys are stored in AWS Secrets Manager. They're rotated automatically every 90 days. Engineers never see production credentials—access is granted via IAM roles with MFA enforcement.

Application security

Authentication and authorization

We use industry-standard OAuth 2.0 / OpenID Connect for authentication. Sessions expire after 24 hours of inactivity. We enforce strong password policies (min 12 characters, complexity requirements) and support SSO via SAML for enterprise customers.

Input validation and output encoding

Every user input is validated server-side. We use parameterized queries to prevent SQL injection and context-aware output encoding to prevent XSS. We follow OWASP Top 10 best practices.

Rate limiting and DDoS protection

CloudFront and AWS WAF sit in front of our application. We implement rate limiting at multiple layers (per-IP, per-user, per-endpoint) to prevent abuse.

Monitoring and incident response

What we monitor

• Failed login attempts: Alert after 5 failures in 10 minutes
• Unusual data access patterns: E.g., user downloading 1000+ transcripts in an hour
• Infrastructure anomalies: Unexpected traffic spikes, resource exhaustion
• Application errors: Centralized logging with alerting on critical errors

Incident response plan

We maintain a documented incident response playbook:

1. Detection: Automated alerts or manual report
2. Containment: Isolate affected systems, revoke compromised credentials
3. Investigation: Forensic analysis of logs and access patterns
4. Remediation: Patch vulnerabilities, restore from backups if needed
5. Notification: Communicate with affected customers within 72 hours (GDPR requirement)

Compliance and certifications

Current status

We're currently building toward SOC 2 Type II certification. Here's where we are:

• GDPR compliance: Data processing agreements, right to erasure, data portability
• CCPA compliance: Consumer data request handling, opt-out mechanisms
• SOC 2 Type II: Audit in progress, expected completion Q2 2025

What SOC 2 Type II means

SOC 2 is an independent audit of our security controls. Type I verifies controls are designed correctly; Type II verifies they're operating effectively over time (typically 6-12 months).

We're pursuing all five Trust Service Criteria:

• Security: Protection against unauthorized access
• Availability: Systems are available for operation and use
• Processing integrity: System processing is complete, valid, accurate
• Confidentiality: Data designated as confidential is protected
• Privacy: Personal information is collected, used, and disclosed appropriately

What you can do

For administrators

• Enforce SSO: Require all users to authenticate via your identity provider
• Set retention policies: Configure how long transcripts are kept (7 days to 2 years)
• Enable audit logs: Track who accessed what data and when
• Configure data residency: Choose which AWS region your data is stored in (US, EU, UK)

For reps

• Use privacy mode: Pause SalesHUD during sensitive discussions
• Review redactions: Check that sensitive info was properly redacted before sharing transcripts
• Manage consent: Always inform prospects when recording/transcribing (required by law in many jurisdictions)

Questions we get from security teams

"Do you train AI models on our data?"

No. We use third-party LLMs (OpenAI, Anthropic) for generating cues and notes, but your data is not used to train their foundational models. We use zero-retention API endpoints where available.

"Can you deploy on-premises or in our VPC?"

Not yet, but it's on our roadmap for enterprise customers. Currently, we offer data residency (choose your AWS region) and private connectivity (AWS PrivateLink for API calls from your environment). See enterprise features →

"What happens if SalesHUD gets breached?"

We follow our incident response plan (outlined above) and notify affected customers within 72 hours. We carry cyber insurance to cover breach-related costs. We also publish a public security page with any incidents (none so far).

"Can we get a copy of your SOC 2 report?"

Once our Type II audit is complete (expected Q2 2025), we'll share it under NDA. In the meantime, we can provide our security questionnaire and architecture diagrams.

Want to dig deeper?

We publish detailed documentation on our security practices at saleshud.app/security. If you have specific questions or need to fill out a security questionnaire, contact our security team. Also explore our integrations (note: CRM integrations like HubSpot and Salesforce are on the roadmap) and use cases.