1. Compliance posture
Vantara maintains SOC 2 readiness and uses controls aligned with SOC 2 security principles. Our privacy program is designed to support GDPR and POPIA privacy principles where applicable to customer use cases and contractual commitments.
Any regulated workflow must be reviewed for scope, agreement terms, configuration, data flows, and operational responsibilities before use.
2. Healthcare/PHI boundary
Vantara is not offered for PHI processing by default. HIPAA-regulated workflows require a signed Business Associate Agreement and approved configuration before any PHI is submitted, processed, stored, or transmitted through the platform.
Regulated healthcare workflows require written agreement and configuration. Customers are responsible for identifying regulated data, obtaining required permissions, and using only approved workflows for sensitive healthcare use cases.
3. Security controls
Vantara applies technical and organisational safeguards intended to protect platform data, reduce unauthorized access risk, and support operational resilience.
Safeguards may include access controls, least-privilege practices, environment separation, operational logging, secure configuration review, vulnerability awareness, and incident response procedures appropriate to the service scope.
4. Privacy controls
Vantara follows a privacy-first approach that emphasizes data minimization, purpose limitation, customer-controlled workflow configuration, and reasonable retention practices.
Customers remain responsible for lawful basis, consent, notice, contact permissions, call recording disclosures, and industry-specific obligations that apply to their campaigns and data subjects.
5. Data handling
Vantara may process account information, campaign configuration, lead or prospect records, call metadata, transcripts, summaries, recordings where enabled, booking information, support communications, and operational logs as needed to provide the service.
Data handling is governed by the applicable customer agreement, product configuration, privacy policy, and operational controls. Sensitive or regulated data should not be submitted unless the relevant written agreement and approved configuration are in place.
6. AI processing
AI processing is used to support outbound calling, conversation handling, summarization, structured outcomes, quality review, and related workflow automation where enabled.
Customers should not submit regulated, confidential, or highly sensitive data into AI-enabled workflows unless that use is expressly covered by written agreement, approved configuration, and customer-side authorization.
7. Vendor/subprocessor governance
Vantara uses vendor and subprocessor governance to evaluate service providers that support platform operations. Review criteria may include service purpose, data access needs, security posture, contractual protections, and operational dependency.
Vendor names are not listed on this public page unless confirmed for public disclosure. Customers who require subprocessor details should contact Vantara for the current customer-facing disclosure process.
8. Responsible disclosure
If you believe you have found a security issue involving Vantara, please report it to support@ai-vantara.com with a clear description, affected endpoint or asset, reproduction steps, and any relevant evidence.
Please do not access, modify, delete, or exfiltrate data that does not belong to you. Vantara reviews good-faith reports and prioritizes remediation based on severity and customer impact.
9. Legal disclaimer
This page is informational only and does not create warranties, certifications, regulatory attestations, or contractual commitments beyond those expressly stated in a signed agreement with Vantara.
Security, privacy, and compliance responsibilities depend on customer configuration, use case, data type, jurisdiction, and applicable law. Customers should consult their own legal, privacy, and security advisors before using Vantara for regulated workflows.