Listen by Abilitix

Listen by Abilitix

Security, privacy & compliance

We design Listen to protect operational call data. Abilitix runs a shared assurance programme: an ISO 27001–aligned information security management system (ISMS) readiness track for Australian and enterprise procurement, and SOC 2 Type II–aligned controls for buyers who map to Trust Services Criteria. We do not hold ISO 27001 certification or SOC 2 Type II attestation yet — we do not claim certifications we have not earned. Since early 2026 we have run internal control mapping, monthly evidence packs, and gap closure with strict tenant isolation. Evidence is available for vendor review under NDA.

1. ISO 27001 & SOC 2 readiness (not yet certified)

We do not claim ISO 27001 certification or SOC 2 Type II attestation until an external body issues a certificate or report. That is deliberate — badge bluffing erodes trust faster than honest progress.

Since early 2026, Abilitix has run one structured readiness programme that supports both frameworks — the same engineering controls and monthly evidence packs:

  • ISO 27001–aligned ISMS — policies, risk register, scope and Statement of Applicability (SoA) artefacts, and management review as part of monthly evidence collection (primary framing for ANZ enterprise and BPO procurement)
  • SOC 2–aligned controls — mapping to Trust Services Criteria (Security, Availability, Confidentiality) for buyers who use SOC language
  • Internal control reviews — monthly assessments of tenant isolation, audit logging, access control, and data-handling practices
  • Engineering gates — automated tenant-isolation tests on every release; security controls documented in our engineering baseline
  • Gap closure — partial controls tracked and remediated before a formal certification or observation window

Formal ISO 27001 certification and SOC 2 Type II attestation each require an external auditor and defined observation period — separate steps from readiness. Procurement teams can request our current evidence summary under NDA: security@abilitix.com.au

2. Audio minimisation

Recordings are not kept for replay in Listen. Audio is sent over TLS to Deepgram’s Australia API endpoint for transcription; transcript text for scoring is sent to US-based AI partners (see §4). Audio is removed from Abilitix storage after transcription and scoring complete when production defaults apply.

  • Deepgram model-improvement opt-out enforced in code on batch STT and Coach Practice Voice Agent Settings (mip_opt_out); executed data processing agreement with Deepgram
  • Transcripts and QA results retained per tenant policy (typically 30–180 days, configurable)
  • All API and subprocessor traffic uses TLS

3. Tenant isolation & audit trail

  • Supabase Row-Level Security (RLS) — database queries are tenant-scoped; one customer cannot access another's jobs, transcripts, or scores through the platform
  • Role-based access control (RBAC)Admin, QA Manager, and Analyst roles; mutating settings, rubrics, alerts, and user management gated in the API and UI
  • Application enforcement — API access binds to authenticated tenant identity
  • Append-only audit events for state changes on jobs, scores, and tenant operations
  • Automated isolation tests on every code release

4. Data residency & subprocessors

At rest: transcripts, scores, and tenant metadata are stored in Sydney (AWS ap-southeast-2) on Supabase. API and background workers run on Fly.io in Sydney.

Cross-border processing: Audio is transcribed via Deepgram’s Australia API endpoint (api.au.deepgram.com). Transcript text is sent to Anthropic (United States) for scoring, sentiment, and summaries, and to optional services below when enabled. Optional Coach Practice live voice (when enabled for your tenant): agent audio for listen and speak uses Deepgram’s Australia endpoint; the customer persona think step is processed outside Australia via Deepgram’s managed LLM provider — not the same residency as batch transcription. Post-session practice scorecards use the standard batch pipeline (AU transcribe → US scoring). Content is sent over TLS for processing — it is not stored at rest on those platforms by Abilitix beyond the processing workflow. This is disclosed for APP 8 transparency; see our Privacy Policy.

For procurement (APP 8)

At rest: Sydney (ap-southeast-2). Transcription: Deepgram Australia API endpoint over TLS — mip_opt_out; executed processor DPA with Deepgram. Scoring: Anthropic (US) over TLS — no training on your data. Coach live voice (optional): listen/speak AU; think cross-border — not fully onshore. Audio: deleted after scoring. Customer DPA and evidence pack: security@abilitix.com.au. Listen is designed as an assurance layer on exported or ingested recordings — it does not require replacing your contact centre, training, or analytics stack.

No call content: our static website on Vercel does not receive or store audio, transcripts, or scores. Stripe receives billing contact and payment tokens only.

Subprocessor list with data location and safeguards
Layer Partner Purpose Data location & sovereignty Safeguards
Database & authSupabase (AWS)Multi-tenant DB, auth, private storageAustralia (Sydney, ap-southeast-2)At rest: tenant content onshore. RLS + JWT-scoped access.
ComputeFly.ioAPI & worker pipelineAustralia (Sydney)Compute onshore; cross-border calls to AI partners below.
FrontendVercelStatic UI hostingGlobal edge (vendor-managed)Zero customer call data — static assets only; API calls go to Fly.io.
Speech-to-textDeepgramTranscription (audio)Australia (api.au.deepgram.com)TLS in transit; mip_opt_out on every request; Abilitix deletes audio after scoring (production default — not a per-tenant product toggle today).
Live voice practice (optional)Deepgram Voice Agent; OpenAI (think via Deepgram)Coach Practice live roleplay — agent mic audio & customer persona dialogueSplit: listen + speak → Australia; think → outside Australia (managed provider)Only when Coach Practice live voice is enabled. mip_opt_out on Voice Agent Settings; server-side WSS proxy (API key not in browser). Abilitix does not persist live dialogue in the database. Post-session score uses batch STT + Anthropic scoring above.
Scoring LLMAnthropicScoring, sentiment, summaries (text only)United StatesCross-border transit; API terms — not used to train foundation models by default.
Embeddings (optional)Google GeminiCall Intelligence vectorsUnited StatesOnly when Call Intelligence enabled.
Knowledge (optional)Ask AbilitixKnowledge Accuracy policy lookupPer deployment URLOnly when Knowledge Accuracy enabled; query text only (no audio).
PaymentsStripeBilling & subscriptionsUnited States (vendor-managed)Billing scope only — no calls or transcripts.

Subprocessor evolution notice

To maintain security and performance, Abilitix may modify or replace subprocessors (for example regional AI endpoints when verified). Material changes will be reflected on this page and communicated in accordance with our Privacy Policy and customer agreements. We target at least 14 days’ notice where practicable for structural processing changes; enterprise contracts may specify longer periods. Enterprise customers may request subprocessor update notifications via security@abilitix.com.au.

5. Audio retention vs transcript retention

Two separate clocks. Raw audio — deleted after scoring (production default); no in-app replay. Transcripts and scores — tenant content retention (typically 30–180 days from job completion).

Contractual audio-retention needs: security@abilitix.com.au before procurement.

6. No training on your data

We do not use customer calls, transcripts, or scores to train Abilitix models. AI subprocessors are engaged under commercial API terms configured so client data is not used to train public base models; Abilitix maintains executed data processing agreements with key processors (including Deepgram). See also our Terms of Service §7.

7. Australian privacy

We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), including APP 8 overseas disclosures where transcript or metadata is processed by subprocessors listed above.

Full details: Privacy Policy.

8. Vendor review pack

For IT and procurement assessments we can share our security overview and internal evidence pack under NDA — including ISO 27001–aligned ISMS artefacts, SOC 2–aligned control mapping, subprocessor disclosures, and Data Processing Agreement (DPA) terms. Neither ISO 27001 nor SOC 2 Type II is certified today.

security@abilitix.com.au · privacy@abilitix.com.au

arrow_back Back to Listen (Trust & FAQ)