Security & Privacy

Talknex is built with a security-first architecture. All customer data is encrypted, org-scoped, and never used to train shared models.

Encryption

In transit

TLS 1.3 for all API and WebSocket traffic. HSTS enabled. Minimum TLS 1.2 enforced.

At rest

AES-256-GCM encryption for all data at rest. Database volumes are encrypted by the cloud provider.

Audio recordings

Call recordings are encrypted in object storage with per-org encryption keys.

Vector embeddings

pgvector stores are org-scoped — no cross-org data leakage is possible at the query layer.

Compliance frameworks

SOC 2 Type II

In progress — expected Q3 2026

We are undergoing a SOC 2 Type II audit. Our controls cover security, availability, processing integrity, confidentiality, and privacy trust service categories.

HIPAA

BAA available

Talknex is architected for HIPAA-eligible workloads. We sign a Business Associate Agreement (BAA) with Fully Managed customers handling PHI. Contact sales to discuss your specific requirements.

GDPR

Compliant

EU data residency is available. We act as a Data Processor under GDPR. A Data Processing Agreement (DPA) is available on request. Data subject requests (access, deletion, portability) are fulfilled within 72 hours.

CCPA

Compliant

California residents can request data access or deletion via our privacy portal at talknex.ai/privacy.

Data residency

By default, all data is stored in the EU (Frankfurt, AWS eu-central-1). Fully Managed customers can request a specific region at account creation.

🇩🇪 EU (Frankfurt): Default (all accounts)
🇺🇸 US East (Virginia): Fully Managed
🇺🇸 US West (Oregon): Fully Managed
🇸🇬 APAC (Singapore): Fully Managed

Access control

Multi-tenancy

Every database query is scoped to organizationId at the ORM layer. A single misconfigured query cannot leak data across organizations.

RBAC

Three roles per organization: Owner, Admin, Member. Each role has defined permissions for data access, billing, and API key management.

SSO / SAML 2.0

Fully Managed supports SAML 2.0 SSO integration with Okta, Azure AD, Google Workspace, and any SAML-compliant IdP.

API key scoping

API keys can be scoped to read-only or write-only access. Keys can be revoked instantly from the dashboard.

Audit logs

All admin actions (key creation, agent deletion, billing changes) are logged with actor identity and timestamp. Logs are retained for 1 year on Fully Managed.

AI data practices

Your call transcripts, recordings, and knowledge base documents are NEVER used to train Talknex's shared AI models.
Audio recordings are processed by Deepgram (STT) and ElevenLabs (TTS) under their data processing agreements, which prohibit training on customer data.
LLM inference (GPT-4o) is conducted via OpenAI's API with zero data retention on their end (enterprise API terms).
You can request a full data deletion from Settings → Privacy → Delete Organization Data. This is irreversible.