Security, Compliance, and Data Privacy 

At Invoca, we prioritize the protection of your data. We undergo rigorous certifications, security audits, and vulnerability testing. Our policies and platform security adhere to the latest industry standards, ensuring data accessibility only to authenticated users. Learn more about our security compliance and data privacy practices below.

SOC 2 Type 2 Certified

Invoca is SOC 2 Type 2 certified by independent third-party auditors. This certification is an important validation of Invoca's commitment to maintaining the highest levels of data security, confidentiality, and availability for its customers. SOC 2 Type 2 certification is granted to companies that have demonstrated that their internal controls are designed and operating effectively to meet the Trust Services Criteria related to security, confidentiality, and availability. By achieving this certification, Invoca has proven that it has implemented critical controls to safeguard customer data and protect against cyber threats.

ISO 27001 Compliant

Invoca is ISO 27001 compliant. This validates Invoca's commitment to protecting its customers' information by implementing and maintaining an Information Security Management System (ISMS) that meets the high standards set forth by the International Organization for Standardization (ISO). This compliance shows that Invoca has implemented the necessary controls and processes to protect customer data confidentiality, integrity, and availability. 

HIPAA Compliant

Invoca is compliant with the Health Insurance Portability and Accountability Act (HIPAA) and does not transmit protected health information (PHI) to third-party systems unless the customer explicitly creates such a data feed. To ensure that the Invoca platform adheres to our customers’ individual PHI policies, Invoca requires that activating new integrations or creating new data flows must be initiated by a customer. This ensures each customer remains in control of their data and knows what information is flowing.

Invoca can accommodate requests to execute Business Associate Agreements (BAAs) for those organizations that are subject to HIPAA. Invoca also offers its own industry-standard BAA template and can provide it upon request.

PCI DSS Certified

Invoca is certified compliant with the standards set forth by the Payment Card Industry Data Security Standards (PCI DSS) for safeguarding payment card information. Achieving this certification demonstrates Invoca's commitment to protecting sensitive financial information from data breaches, fraud, and other forms of cybercrime.

In the case that sensitive data — e.g. credit card information, date of birth — may be disclosed by consumers during your calls, Invoca can automatically redact this information from recordings and transcripts before they're stored. Learn more about our automated redaction feature here.

GDPR Compliant

Invoca is compliant with the General Data Protection Regulation (GDPR), an EU-wide regulation that aims to give individuals greater control over their personal data. This compliance means that Invoca has implemented necessary procedures and policies as a data processor to ensure that customer data is processed lawfully, transparently, and securely, while also respecting individual rights to data access, rectification, and erasure. Learn more about Invoca's GDPR compliance.

CCPA Compliant

Invoca is compliant with the California Consumer Privacy Act (CCPA), as amended, a privacy law that gives California residents the right to know what personal information is being collected about them, the right to have their personal information deleted, and the right to opt out of the sale of their personal information. This compliance means that Invoca has implemented the necessary controls and processes to ensure that customer data is being handled in accordance with the CCPA's strict guidelines.

Other Certifications and Security Standards

While Invoca does not rely on Privacy Shield for cross-border data transfers, we still adhere to the Privacy Shield Principles as a matter of good practice and we maintain our Privacy Shield Certification. Invoca is also TRUSTe certified, and we support two-factor authentication and SAML single sign-on standards. 

Data Processing Addendum (DPA)

Our data processing addendum is a legally binding document that establishes the terms and conditions governing our processing of your personal data. It ensures compliance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR). The DPA covers critical aspects such as data security measures, data subject rights, data transfers, sub-processing, and obligations between us as the data processor and you as the data controller.

Legal Review

Invoca collaborates with legal and other professional counsel to understand its role under both current and proposed data privacy laws and regulations. By undergoing legal review, Invoca can identify and address any potential security gaps or compliance issues, ensuring that it remains at the forefront of data security and privacy protection. 

Vendor Audits

All vendors that are onboarded with Invoca are subjected to a security review by our Information Security (InfoSec) department. InfoSec will work with the department to determine what information will be shared with the vendor and verify that they meet our compliance requirements for that data. 

Customer Data Policy

  • Data Anonymization: Invoca only collects the Caller ID of the caller as personal data and redacts confidential information from call recordings and transcriptions.
  • Secure Data Access and Processing: Invoca provides secure data processing through access controls, logging and monitoring, auditability, threat and vulnerability management, encryption, incident management, and third-party audit. 
  • Data Encryption: Invoca maintains encryption standards for data both in transit and at rest.

Threat and Vulnerability Management

Invoca has a Threat and Vulnerability Management program to continuously monitor for vulnerabilities that are acknowledged by vendors, reported by researchers, or discovered internally through vulnerability scans. Threats are ranked based on severity level and assigned to the appropriate team(s) for remediation as needed.

For systems containing customer data, an external vendor conducts security penetration tests on the corporate and cloud environments at least annually to detect network and application security vulnerabilities. Critical findings from these tests are evaluated, documented, and assigned to the appropriate teams for remediation. In addition, Invoca conducts internal penetration tests periodically and remediates findings as appropriate.

Data Breach Response Plan

Invoca has a comprehensive data breach response plan in place to minimize the impact of any potential security incidents. The plan is designed to ensure that Invoca can quickly and effectively respond to any security threats, while also minimizing the potential impact on its customers. The plan consists of several key components, including a dedicated security team that is available to respond to any incidents, a detailed incident response plan that outlines the steps to be taken in the event of a breach, and regular security awareness training for all employees to ensure that they are equipped to identify and report potential threats. In the event of a breach, we ensure immediate and ongoing communication with the affected parties.

Privacy Policy

Invoca is committed to protecting your privacy and ensuring you have a positive experience on our website and when you use our products and services. You can read our privacy policy here.

Invoca Data Privacy FAQs

Where does Invoca store data?

  • UK & EU data is stored in Europe.
  • Non-UK/EU data is stored in the US.

How long is customer data stored in my Invoca account?

  • Data retention: Invoca stores calls and call transcripts for internal queries (and access for subpoenas) for approximately 26 months. The current roll-off process is manual and happens approximately quarterly.
  • Data availability: Invoca makes call recordings and call transcripts available to customers in the platform for 25 months.

How does Invoca address security and compliance with call recordings and transcriptions?

Invoca only collects the Caller ID of the inbound caller as personal data. Invoca complies with GDPR regulations and has a comprehensive key management policy. Invoca uses proprietary browser and server-side attribution technologies to pair a user’s session data with their potential inbound call. Invoca also maintains data encryption standards for data both in transit and at rest. Invoca has documented policies and procedures for data protection and privacy of personal information, aligned to industry standards. We also routinely pen-test our web application for vulnerabilities and have formally defined criteria for notifying a client during an incident that might impact the security of their data or systems.

Is there an option to have my data stored only within the EU?


Does Invoca have UK and EU Representatives?


Does Invoca conduct Data Transfer Impact Assessments?

Yes, Invoca conducts a Data Protection Impact Assessment when processing personal data and evaluating the origin, nature, particularity, and severity of risks according to any applicable laws, regulations, and industry best practices.

Does Invoca sell or market my customers’ data to third parties in any way?


How often does Invoca conduct security audits?

Internal audits based on PCI, SOC 2 Type 2, and HIPAA are performed at least annually in production environments. We also perform a web app pentest twice a year to remain compliant. Additionally, independent audit and assurance assessments are conducted according to relevant standards at least annually.

Where can I find Invoca’s terms of service?

Our terms of service are located on this page.