Trust & security
Our posture, stated precisely.
Legal buyers get burned by vendors rounding up. Each line below says exactly what's true today — in words your counsel can hold us to.
Tamper-evident audit trail
in the productEvery call event is appended to a SHA-256 hash chain, serialized per call, with an on-demand verification endpoint (GET /audit/verify) that names the exact broken link if a record were altered. Tamper-evident, not tamper-proof.
AI disclosure
in the productThe agent identifies itself as AI at the start of every call. There is no 'sound human' mode, and there never will be.
Human oversight
in the productLive transcripts stream to your team in real time; a supervisor can take over any call with one tap. Qualification decisions are made by deterministic gates your firm configures — the model proposes, the code decides.
Tenant isolation
in the productEvery record is scoped to your organization — data, numbers, API keys, webhooks. Access is role-based via your identity provider. Cross-tenant access is denied by construction and covered by tests.
Outbound governance (The Floor)
in the productConsent attestation, DNC/opt-out suppression, statute-cited per-state quiet hours, and frequency caps run on every outbound touch with no bypass parameter, failing closed on missing data.
SOC 2
in progressOur controls are built to SOC 2 expectations. A Type II attestation is on the roadmap — we'll publish it when an auditor has signed it, not before.
HIPAA
in progressVoice pipelines can be deployed on HIPAA-eligible infrastructure under a Business Associate Agreement, configured accordingly. There is no such thing as 'HIPAA certified' software, so we don't claim it.
Data handling
Your docket is not our training set.
Claimant conversations are privileged-adjacent by nature. The platform is built accordingly.
Enterprise model paths.
On our enterprise voice deployments, call content and prompts are not used to train the underlying foundation models, per the providers' terms.
Recording is policy-gated.
Call recording follows a per-tenant policy gate — recording consent rules vary by state, and the configuration reflects that rather than defaulting to 'record everything.'
Named infrastructure.
Voice runs on Google Cloud (Vertex AI) with AssemblyAI speech recognition and Cartesia synthesis over LiveKit; telephony via Vonage, Telnyx, or Twilio — your choice of carrier. We'll walk your security team through the full subprocessor list on request.
Exportable, always.
Calls, transcripts, attribution records, and audit chains are org-scoped and exportable. Verifiable records you can't take with you wouldn't be worth much.
The fine print, in large print
Standing disclaimers
These appear in our footer, our contracts, and here — because a governance product that buries its own limits isn't one.
- Compensable's voice agents identify themselves as artificial intelligence at the start of each call, consistent with the FCC's 2024 TCPA ruling on AI-generated voices and applicable state disclosure laws.
- Compensable is not a law firm and does not provide legal advice. AI-assisted intake, outreach, and qualification are not a substitute for attorney judgment or supervision.
- Customer is responsible for obtaining and documenting any consent required under the TCPA and applicable state laws before placing outbound calls or texts, and for honoring opt-out and Do-Not-Call requests in its broader program. Compensable provides governance controls and evidentiary records but does not by itself guarantee legal compliance.
- HIPAA-eligible deployment requires appropriate infrastructure under a signed Business Associate Agreement, configured accordingly; no software product is 'HIPAA certified.'
- Statements about model data use apply to enterprise/paid deployment paths per the providers' then-current terms.
- Audit trails are tamper-evident (hash-chained and verifiable), which is not the same as tamper-proof or 'immutable.'
- Performance figures (such as latency percentiles) reflect internal benchmarks on specific configurations and dates, and are not guaranteed for all carriers, regions, or deployments.
Thirty minutes. Ask the hard questions.
We'll run a live call, work a sample docket, and show you the system refusing a call it shouldn't make.