AIVA
© 2026 AIVA Technologies Pvt. Ltd.

Security

Your customers' data. Locked down.

Encrypted everywhere. Audited annually. SOC 2 in progress. Built for enterprise diligence teams.

SOC 2 Type II: Audit started Q1 2026 · In progress
GDPR · UK GDPR: DPA + SCCs available · Compliant
ISO 27001: Aligned controls · Self-attested
DPDP Act 2023: India data protection · Compliant

How we secure your data

Three layers. Always on.

Encryption in transit, at rest, and in use. Regional isolation by default. Tight access controls on everyone, including us.

Encryption

Encrypted everywhere. All the time.

Your customer data is encrypted from the moment it leaves the customer's device until it lands in our database — and stays encrypted while it sits there. TLS 1.3 in transit, AES-256 at rest, no exceptions.

Even backups are encrypted. Even our internal team's read-only access goes through encrypted, audited tunnels with session-bound credentials.

In transit: TLS 1.3 minimum
At rest: AES-256 (per-tenant keys)
Backups: Encrypted + region-locked
Key rotation: Quarterly + on-demand

In transit: TLS 1.3 (every endpoint, every region)
At rest: AES-256 (per-tenant encryption keys)
In use: Memory-protected processing only
Backups: AES-256 + region-locked
Internal: mTLS between services

Data residency

Your data stays where you choose.

Three regions, each fully isolated. EU customer data lives in Frankfurt and never leaves. India data stays in Mumbai. US data stays in Virginia. Cross-region transfers are governed by Standard Contractual Clauses only when explicitly required.

Enterprise customers can request a dedicated single-tenant region — a fully isolated deployment with its own database, its own keys, its own DNS.

Default regions: 3 (Mumbai · Frankfurt · Virginia)
Cross-region transfers: Only with SCCs in place
Dedicated regions: Available · Enterprise tier

Mumbai · India: aws-ap-south-1 · 3 AZs · 99.99% SLA (Default · IN)
Frankfurt · Germany: aws-eu-central-1 · 3 AZs · GDPR (Default · EU)
Virginia · United States: aws-us-east-1 · 3 AZs · CCPA (Default · US)
Custom region: Single-tenant · isolated keys + DNS (Enterprise)

Access control

Tight controls. Including on us.

Our own team has the least possible access to your customer data. Production access requires SSO + 2FA + role-based grant + a signed audit log entry. “I needed to debug something” is not a sufficient reason.

For your team: SSO, SAML, SCIM, role-based access control, full audit log, granular permissions. Standard enterprise IAM stack — and we don't charge extra for SSO.

SSO / SAML / SCIM: Included on Growth+
Audit log retention: 365 days
Internal access reviews: Quarterly
Background checks: All employees · annual

SSO + SAML + SCIM: Okta, Azure AD, Google Workspace, more (Live)
2FA (required for admins): TOTP, FIDO2, WebAuthn, hardware keys (Live)
Role-based access control: Custom roles + per-feature permissions (Live)
Audit log (everything): 365-day retention · CSV export · SIEM-ready (Live)
Just-in-time admin access: Time-limited grants + session recording (Q3 2026)

Security specifications

The numbers your security team wants.

Specific commitments. Verifiable. Available in our SOC 2 report and the DPA.

Pentests / year: 2. Independent firm. Annual full-scope + quarterly delta. Reports under NDA.
Breach notification: 72hr. GDPR Article 33 max. Internal target: confirm scope within 4 hours.
Encryption keys: 256-bit. AES-256 at rest, per-tenant keys, quarterly rotation. AWS KMS.
Uptime SLA: 99.99%. Enterprise tier. Auto-credit if missed. Live status.

What we don't do

The never list.

Specific commitments, not aspirational ones. If we ever change one, we'll tell every customer 90 days in advance.

We never train AI models on your customer conversations.
Zero-data-retention contracts with OpenAI and Anthropic. Conversation data is processed in real time, then immediately discarded by the AI provider. No fine-tuning without explicit, written opt-in.

We never sell your data. Not even anonymized.
No data brokers, no advertising partners, no behavioral profiling exports. Your customer data is yours; aggregated metrics are ours only for product improvement.

We never share data with third parties beyond named sub-processors.
Our DPA lists every sub-processor. We notify enterprise customers 30 days in advance of any addition. You can object before the change takes effect.

We never charge extra for security features.
SSO, audit logs, encryption — all included on Growth and Enterprise. No “SSO tax”. Our pricing is transparent at /pricing.

We never hide breaches or incidents.
Public status page with 90-day history. Postmortems published within 5 business days of any major incident. If we mess up, you'll hear it from us first.

We never decline a reasonable security review.
Send your questionnaire — we usually respond within 5 business days. We'll sign your custom DPA if it's fair. We don't gate diligence behind a sales conversation.

Trust documents

Read the paperwork.

Public documents anyone can read. Confidential documents (SOC 2, pentest reports) available under NDA on request.

Privacy Policy

What we collect, how we use it, your rights as a data subject. Plain English, ten sections.

Data Processing Addendum

Standard DPA with SCCs for EU transfers. Auto-included for Enterprise. Sign-able PDF available.

GDPR Compliance

Article-by-article compliance details. Includes Article 27 EU representative info.

Sub-processors list

Every third-party we share data with, what they receive, where they're located. Updated continuously.

SOC 2 report

Type II audit in progress (target Q3 2026). Type I report available now under NDA. Email to request.

Pentest summary

Latest annual pentest executive summary. Available under NDA. Findings remediated within 30 days.

Direct line

Talk to our security team.

Real humans. Real responses. No tickets, no chatbots — for security questions, you reach us directly.

Replies under 4 hours · weekdays IST

Email security@aivachat.io

For security questionnaires, vendor reviews, custom DPA negotiation, or anything else security-adjacent. Our DPO is Priya Sharma. Disclosure of vulnerabilities (responsible disclosure) goes to the same address — please include “[VULN]” in the subject.

Diligence done. Try it free.

Free for 14 days. No credit card. Custom security reviews available for Enterprise prospects.
