CallScope · a Belton IT Nexus product · Hosted in NZ / AU · On-prem · Air-gapped
Compliance & security

Compliance you can take to your reviewers.

CallScope is built for organisations that get audited: government, defence, education, healthcare and regulated business. It is engineered around the controls those reviews expect, deployable in the region or on the infrastructure your obligations require, and backed by evidence, not marketing claims.

Frameworks we align to

One platform, mapped to the frameworks you are held to.

CallScope is designed and operated around the control principles of the standards below. Where a formal certification is relevant to your procurement, we state exactly what is and is not certified. We never overclaim.

ISO/IEC 27001

Information security management. CallScope is designed and operated around the Annex A control set: access control, cryptography, logging, supplier and operations security.

SOC 2

Built around the Trust Services Criteria: security, availability, processing integrity, confidentiality and privacy. Control evidence provided for your auditor.

ISO 9001

Quality management discipline in how the product is built, changed and released: documented process, traceable change control and continual improvement.

NIST CSF 2.0

Mapped to Govern, Identify, Protect, Detect, Respond and Recover, so US-aligned buyers can place CallScope in a familiar control framework.

CIS Controls v8

Implements the high-value safeguards: inventory, access control, audit logging, secure configuration, data protection and recovery.

NZISM

Engineered for the New Zealand Information Security Manual: residency control, access control, audit, and on-premise or air-gapped deployment for classified settings.

ACSC Essential Eight

Supports the Australian Essential Eight mitigation strategies through hardened configuration, MFA, least privilege and tested backups.

NZ Privacy Act 2020

Aligned to the Information Privacy Principles: lawful collection, purpose limitation, security, access and correction, and notifiable-breach support.

AU Privacy Act / APPs

Aligned to the Australian Privacy Principles for organisations operating across the Tasman, with AU data residency available.

GDPR

Data-protection-by-design, data minimisation, data-subject rights support and an EU/UK hosting region for organisations with European obligations.

HIPAA

For healthcare contact centres: access control, audit, encryption and on-premise deployment to keep protected health information inside your boundary.

Control families

The controls behind the badges.

Frameworks are only as good as the controls underneath them. Here is what CallScope actually implements, in the language your security team uses.

Identity & access control

Role-based access that is least-privilege and default-deny; Microsoft Entra ID single sign-on with enforced MFA for privileged accounts; per-feature restriction for sensitive views; short, rotated sessions with idle and absolute timeouts.

Audit & accountability

A tamper-evident, hash-chained, append-only audit log of access and changes, exportable to your SIEM (RFC 5424 syslog). Sensitive-data access is itself audited.

Encryption

Encryption in transit (TLS) everywhere, and sensitive secrets encrypted at rest. Key handling is centralised, not scattered through the code.

Data residency & sovereignty

Choose the SaaS region your data lives in, run on your own infrastructure, or deploy fully air-gapped so no call data ever leaves your boundary.

Data minimisation & retention

CallScope reads what it needs and no more; retention is configurable and records are soft-deleted (recoverable) rather than silently destroyed.

Tenant isolation

Every record is scoped to its owner; one tenant can never read another tenant's data. Single-tenant and dedicated deployments are available.

Read-only & propose-only

CallScope reads your phone system; it does not control it. Any automation drafts an action for a human to approve and never acts on its own.

Secure development & change control

Tested, reviewed, version-controlled changes with documented release and rollback. Security review and dependency scanning are part of the pipeline.

Vulnerability & patch management

Dependencies and infrastructure are monitored and patched on a defined cadence, with a documented process for security fixes.

Backup & disaster recovery

Encrypted, offsite, restore-tested backups and documented recovery procedures so the service and its audit trail survive failure.

Incident response

A defined incident-response process with breach assessment and notification aligned to the Privacy Act and your contractual obligations.

Vendor & subprocessor transparency

A clear list of any subprocessors and where data is processed, so your due-diligence team can assess the full chain. On-premise and air-gapped options remove third-party processing entirely.

Data protection & privacy

Your data, minimised, protected and accountable.

CallScope processes call records and the recordings and transcripts your phone system already produces. It reads only what it needs to deliver the analytics and quality features you turn on, encrypts data in transit and sensitive material at rest, and records every access and change in a tamper-evident audit log. Retention is configurable to your policy, and records are soft-deleted so an administrator can recover them rather than have data silently destroyed.

For privacy obligations under the NZ Privacy Act 2020, the Australian Privacy Principles and the GDPR, CallScope supports lawful, purpose-limited collection, data-subject access and correction, and notifiable-breach assessment. We provide a Data Processing Agreement, a clear subprocessor list, and documentation of exactly where your data is processed. If your obligations require zero third-party processing, on-premise and air-gapped deployment remove subprocessors from the picture entirely.

Discretion by default

We do not name our clients. That is the point.

As a security-focused product, we do not publish customer names, logos or identifying case studies, because the organisations we serve value discretion. Our credibility comes from our controls, our deployment options and the evidence we hand your reviewers, not from a wall of logos. If a vendor is happy to broadcast exactly who their customers are, ask yourself what else they are happy to share.

For your procurement team

The evidence pack, ready when you are.

Control evidence

A mapped pack showing how CallScope meets the controls in your chosen framework, with the certification status stated honestly.

Security questionnaires

We complete your vendor security and privacy questionnaires and support your due-diligence process.

DPA & subprocessors

A Data Processing Agreement plus a clear list of any subprocessors and processing locations.

Architecture & data flow

Documentation of how CallScope is built, where data lives and how it moves, for your architecture review.

Penetration-test summary

A summary of independent security testing, available on request under NDA.

Deployment assurance

On-premise and air-gapped options for when the answer has to be that nothing leaves your boundary.

Compliance FAQ

What security and privacy teams ask us.

Is CallScope certified to ISO 27001 or SOC 2?

CallScope is designed and operated around the ISO 27001 control set and the SOC 2 Trust Services Criteria, and we provide a control-evidence pack for your auditor. We do not overclaim certification: during procurement we tell you exactly which certifications are held, in progress, or not held, so your reviewers can make an informed decision.

How do you keep our data in our country?

Managed SaaS pins your data to the region you choose (New Zealand, Australia, the USA, UK, Germany, Singapore, Hong Kong or South Africa). On-premise and air-gapped deployments keep all call data inside your own environment with no offshore egress.

What data does CallScope process, and how is it protected?

CallScope processes call records and the recordings and transcripts your phone system already produces. Data is encrypted in transit, sensitive material is encrypted at rest, access is role-based and audited, and retention is configurable. Read-only ingestion and data minimisation keep the footprint small.

Can we get a DPA and complete a security questionnaire?

Yes. We provide a Data Processing Agreement, complete your security questionnaires, and share architecture and data-flow documentation, a subprocessor list, and a penetration-test summary on request.

Do you publish a customer list or case studies?

No. As a security-focused product we do not publish client names, logos or identifying case studies. Discretion is part of the service. Our credibility comes from our controls and the evidence we provide, not from naming who we work with.

Is CallScope suitable for classified or defence environments?

For the highest-assurance settings, CallScope runs on-premise or fully air-gapped, keeping all data inside your boundary with no offshore egress, and is built around NZISM and Essential Eight controls. We scope the exact requirements with you per engagement.

Send us your control requirements.

Tell us the frameworks, residency and assurance level you need, and we will respond with the evidence pack, a deployment plan and pricing built around them.
