At Invoca, we prioritize the protection of your data. We undergo rigorous certifications, security audits, and vulnerability testing. Our policies and platform security adhere to current industry standards, ensuring data is accessible only to authenticated users. Learn more about our security compliance and data privacy practices below.
Invoca is SOC 2 Type 2 certified by independent third-party auditors. This attestation is an important validation of Invoca's commitment to maintaining high levels of data security, confidentiality, and availability for its customers. A SOC 2 Type 2 report is issued to organizations whose internal controls have been shown to be suitably designed and operating effectively over the audit period (unlike a Type 1 report, which covers a single point in time) against the Trust Services Criteria for security, confidentiality, and availability. By achieving this, Invoca has demonstrated that it has implemented critical controls to safeguard customer data and protect against cyber threats. View our certification here.
Invoca is ISO 27001 compliant. This validates Invoca's commitment to protecting its customers' information by implementing and maintaining an Information Security Management System (ISMS) that meets the high standards set forth by the International Organization for Standardization (ISO). This compliance shows that Invoca has implemented the necessary controls and processes to protect customer data confidentiality, integrity, and availability.
Invoca is compliant with the Health Insurance Portability and Accountability Act (HIPAA) and does not transmit protected health information (PHI) to third-party systems unless the customer explicitly creates such a data feed. So that the Invoca platform adheres to each customer's own PHI policies, Invoca requires that new integrations be activated and new data flows be created only at the customer's initiative. This keeps each customer in control of its data and aware of what information is flowing where.
Invoca can accommodate requests to execute Business Associate Agreements (BAAs) for those organizations that are subject to HIPAA. Invoca also offers its own industry-standard BAA template and can provide it upon request.
Invoca is certified compliant with the Payment Card Industry Data Security Standard (PCI DSS) for safeguarding payment card information. Achieving this certification demonstrates Invoca's commitment to protecting sensitive financial information from data breaches, fraud, and other forms of cybercrime. View our certification here.
If sensitive data (e.g. credit card numbers or dates of birth) may be disclosed by consumers during your calls, Invoca can automatically redact it from recordings and transcripts before they are stored. Learn more about our automated redaction feature here.
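As an added illustration (this is not Invoca's code, and the page does not describe how Invoca's redaction feature is implemented), the following Python shows the kind of logic a pre-storage transcript redaction step needs: candidate card numbers are confirmed with a Luhn check so that order numbers and phone numbers are not wrongly masked, and dates are redacted only when they follow a date-of-birth cue so that appointment or delivery dates survive. The sample transcript, the placeholder tokens and the cue words are constructed assumptions for the example.

```python
import re
from typing import Dict, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# dashes, bounded so a fragment of a longer digit run is never matched.
CANDIDATE_PAN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Date of birth: only a date that follows a DOB cue within a few words
# (cue list is an assumption), so other dates in the call are left alone.
DOB_PATTERN = re.compile(
    r"(?i)\b(?:date of birth|dob|born(?: on)?|birthday)\b\D{0,20}?"
    r"(\d{1,2}[/-]\d{1,2}[/-]\d{2,4})"
)

# Constructed sample transcript, not a real call.
SAMPLE_TRANSCRIPT = (
    "Agent: Can I get the card number? Caller: Sure, it's 4111 1111 1111 1111. "
    "Agent: And your date of birth? Caller: 03/14/1985. "
    "Agent: Your order number is 1234567890123456 and delivery is on 05/02/2024. "
    "Call me back at 805-555-0123."
)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_transcript(text: str) -> Tuple[str, Dict[str, int]]:
    """Return (redacted_text, counts). Run this before the transcript is persisted."""
    counts = {"pan": 0, "dob": 0}

    def _pan(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            counts["pan"] += 1
            # PCI DSS allows at most first 6 / last 4 to be displayed;
            # keeping the last 4 supports later customer-service lookups.
            return f"[REDACTED-PAN ****{digits[-4:]}]"
        return m.group(0)  # fails Luhn: order number, tracking code, etc.

    def _dob(m: re.Match) -> str:
        counts["dob"] += 1
        # Keep the cue text, replace only the captured date (group 1).
        prefix_len = m.start(1) - m.start(0)
        return m.group(0)[:prefix_len] + "[REDACTED-DOB]"

    text = CANDIDATE_PAN.sub(_pan, text)
    text = DOB_PATTERN.sub(_dob, text)
    return text, counts


if __name__ == "__main__":
    redacted, n = redact_transcript(SAMPLE_TRANSCRIPT)
    print(redacted)
    print(n)
```

The order number in the sample is 16 digits long but fails the Luhn check, so it is preserved; a naive "any 16 digits" rule would have destroyed it, and a rule that matched any date would have removed the delivery date too. Audio redaction has to solve the harder problem of locating the same spans in the recording, which this text-only sketch does not attempt.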
Invoca is compliant with the General Data Protection Regulation (GDPR), an EU-wide regulation that aims to give individuals greater control over their personal data. This compliance means that Invoca has implemented the necessary procedures and policies as a data processor to ensure that customer data is processed lawfully, transparently, and securely, while also respecting individuals' rights to data access, rectification, and erasure. Learn more about Invoca's GDPR compliance.
Invoca is compliant with the California Consumer Privacy Act (CCPA), as amended, a privacy law that gives California residents the right to know what personal information is being collected about them, the right to have their personal information deleted, and the right to opt out of the sale of their personal information. This compliance means that Invoca has implemented the necessary controls and processes to ensure that customer data is handled in accordance with the CCPA's requirements.
While Invoca does not rely on Privacy Shield for cross-border data transfers, we continue to adhere to the Privacy Shield Principles as a matter of good practice and maintain our Privacy Shield certification. Invoca is also TRUSTe certified, and we support two-factor authentication and SAML-based single sign-on.
Our data processing addendum is a legally-binding document that establishes the terms and conditions governing our processing of your personal data. It ensures compliance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR). The DPA covers critical aspects such as data security measures, data subject rights, data transfers, sub-processing, and obligations between us as the data processor and you as the data controller.
Invoca collaborates with legal and other professional counsel to understand its role under both current and proposed data privacy laws and regulations. By undergoing legal review, Invoca can identify and address any potential security gaps or compliance issues, ensuring that it remains at the forefront of data security and privacy protection.
All vendors onboarded by Invoca undergo a security review by our Information Security (InfoSec) department. InfoSec works with the requesting department to determine what information will be shared with the vendor and verifies that the vendor meets our compliance requirements for that class of data.
Invoca has a Threat and Vulnerability Management program that continuously monitors for vulnerabilities acknowledged by vendors, reported by researchers, or discovered internally through vulnerability scans. Findings are ranked by severity and assigned to the appropriate team(s) for remediation.
For systems containing customer data, an external vendor conducts security penetration tests on the corporate and cloud environments at least annually to detect network and application security vulnerabilities. Critical findings from these tests are evaluated, documented, and assigned to the appropriate teams for remediation. In addition, Invoca conducts internal penetration tests periodically and remediates findings as appropriate.
Invoca has a comprehensive data breach response plan in place to minimize the impact of security incidents and to respond to them quickly and effectively. The plan has several key components: a dedicated security team available to respond to incidents, a detailed incident response plan that sets out the steps to be taken in the event of a breach, and regular security awareness training so that all employees can identify and report potential threats. In the event of a breach, we ensure immediate and ongoing communication with the affected parties.
Invoca collects only the Caller ID of the inbound caller as personal data. Invoca complies with GDPR and has a comprehensive key management policy. Invoca uses proprietary browser- and server-side attribution technology to pair a user's session data with their potential inbound call. Invoca maintains encryption standards for data both in transit and at rest, and has documented policies and procedures for the protection and privacy of personal information, aligned to industry standards. We also routinely penetration-test our web application for vulnerabilities and have formally defined criteria for notifying a client during an incident that might affect the security of their data or systems.
Yes, Invoca conducts a Data Protection Impact Assessment when processing personal data, evaluating the origin, nature, particularity, and severity of the risks in accordance with applicable laws, regulations, and industry best practices.
Internal audits against PCI DSS, SOC 2 Type 2, and HIPAA are performed at least annually on production environments. We also perform web application penetration tests twice a year to remain compliant. Additionally, independent audit and assurance assessments are conducted according to the relevant standards at least annually.
Our terms of service are located on this page.