Hosting and data residency
- Application: Vercel — syd1 (Sydney).
- Database and object storage: Supabase managed Postgres — ap-southeast-2 (Sydney).
- Telephony: Twilio with Australian numbering and AU/US carrier routing.
- AI inference: Vapi (orchestration) and OpenAI (LLM) under zero-retention API agreements. Audio and prompts are not retained by these vendors and are not used to train their models.
Encryption
- In transit: TLS 1.3 with modern cipher suites enforced everywhere; HSTS preloaded; HTTP/2 and HTTP/3.
- At rest: AES-256 across application data, backups, and recordings.
- Secrets: stored in encrypted secret managers; never in source control.
Authentication and access control
- Operator accounts require MFA.
- Least-privilege role-based access with separate roles for engineering, support, and billing.
- Production access is limited to a small named group, gated through short-lived credentials, and fully audit-logged.
- SSO (SAML / OIDC) is available on the Group plan.
Data lifecycle
- Recordings default to a 90-day retention window, configurable from 7 days to 2 years per clinic.
- Transcripts and appointments persist for the life of the account or until deleted by the clinic.
- Backups are encrypted, taken daily, retained for 30 days, and tested for restore quarterly.
- Deletion is honoured within 30 days of request, subject to legal hold obligations.
Application security
- All inbound API calls are authenticated; webhook payloads are signature-verified with timing-safe comparisons.
- Strict input validation, parameterised queries, and Postgres row-level security.
- Output encoding to defend against XSS; strong CSP, Referrer-Policy, and Permissions-Policy response headers.
- Dependencies tracked and patched; automated vulnerability scanning in CI; static analysis on every pull request.
Telephony & voice safety
- Carrier-grade fraud filters on inbound numbers; rate-limiting on outbound traffic to prevent toll abuse.
- Configurable disclosure script so callers know they may be speaking with AI and that calls may be recorded.
- Triage protocol with human warm-transfer or after-hours emergency routing for red-flag situations.
- The AI is configured to refuse payment card numbers, government identifiers, and clinical advice.
AI privacy controls
- We do not use clinic call data to train or fine-tune third-party foundation models.
- OpenAI API access operates under a zero-retention agreement; data is not stored beyond the request.
- Voice models are tuned with synthetic and consented data only.
Vendor due diligence
Every sub-processor is reviewed before onboarding and re-reviewed annually for security posture, certifications, and data handling. A current sub-processor list is maintained on the Privacy page and is available on request.
Compliance roadmap
- Australian Privacy Act 1988 & APPs — compliant.
- GDPR (EU) — and other applicable international privacy regimes — honoured for in-scope data subjects.
- SOC 2 Type II — in progress; report available under NDA on completion.
- ISO 27001 — planned next.
Monitoring & incident response
- 24/7 uptime monitoring with on-call rotation.
- Centralised logs and alerting on anomalous access, failed auth, and unusual call patterns.
- Documented incident-response playbook with target notification of affected clinics within 72 hours of a confirmed personal-data incident, in line with the Australian Notifiable Data Breaches scheme.
Responsible disclosure
If you believe you have found a security vulnerability, please email info@karunaai.com with details and reproduction steps. We commit to acknowledging reports within 72 hours and will coordinate a responsible disclosure timeline. We will not pursue legal action against good-faith researchers who follow these guidelines.
Get our security pack
Practice managers, IT teams, and procurement: email info@karunaai.com for the KarunaAI security questionnaire response, sub-processor list, and DPA template.