Last updated 2026-05-29
CallVault is built on trusted infrastructure and a default-secure architecture.
We're 7x Systems LLC, a Wyoming-registered limited liability company operating CallVault — the long-term call intelligence vault for revenue teams who need their conversation history to stay queryable, secure, and theirs. Headquartered at 1309 Coffeen Ave, Ste 17642, Sheridan, WY 82801. Contact: support@callvaultai.com or +1 315-335-8779.
This page documents how we handle customer data, who processes it on our behalf, and how to reach us with security questions.
CallVault is a Wyoming LLC operated by a single principal as of May 2026. We are not currently SOC 2 attested. We are in active preparation for SOC 2 Type I and expect to engage an external auditor in 2026.
While we work toward attestation, the infrastructure CallVault runs on is independently audited. Our customers inherit material coverage from these providers:
| Provider | Role at CallVault | Independent attestations |
|---|---|---|
| Supabase | Database, authentication, Edge Functions | SOC 2 Type II, HIPAA-eligible plans, GDPR DPA available |
| Vercel | Frontend hosting, edge functions, CI/CD | SOC 2 Type II, ISO 27001:2022, HIPAA BAA on Enterprise plan, EU-US Data Privacy Framework certified |
| Stripe (via Polar) | Payment processing | PCI DSS Level 1, SOC 1 & 2 Type 2, ISO 27001, EU-US DPF |
| Anthropic | AI inference (via OpenRouter, on customer invocation only) | SOC 2 Type II, HIPAA BAA available, ISO 27001 |
| OpenAI | AI inference (via OpenRouter, on customer invocation only) | SOC 2 Type II, CSA STAR Level 1, HIPAA BAA available |
Inheritance is not the same as attestation, and we don't claim otherwise. The cells above link to each provider's public trust documentation so you can verify directly.
A subprocessor is a third party that processes customer data on CallVault's behalf. The current list:
| Subprocessor | Purpose | Customer data processed |
|---|---|---|
| Supabase | Database, authentication, Edge Functions | Transcripts, contacts, account records, MCP tokens, OAuth grants |
| Vercel | Frontend hosting, edge functions, CI/CD | Request logs, deployment metadata (does not include transcript content) |
| Polar | Subscription billing | Billing email, subscription state |
| Stripe | Payment processing (under Polar) | Card data (Stripe-hosted Checkout iframe; never touches CallVault servers) |
| OpenRouter | LLM routing layer for AI-tier MCP tools | Transcript text submitted at AI-tool invocation only |
| Anthropic | LLM provider (via OpenRouter) | Transcript text submitted at AI-tool invocation only |
| OpenAI | LLM provider (via OpenRouter) | Transcript text submitted at AI-tool invocation only |
We commit to notifying customers at least 15 days before adding a new subprocessor that will process their data.
Your CallVault data resides primarily in our Supabase project. Access is controlled at the database layer by Row Level Security policies that scope data to your organization and (optionally) workspace.
The minimum required to deliver the service: the transcript text and metadata you ingest; your account profile (name, email, authentication identifier); your organization and workspace structure; records of MCP tokens and OAuth grants you issue; operational logs (which tools were called, when, by which organization).
Transcript text is sent to the AI providers only when you invoke an AI-tier tool (ask_call, extract_action_items, get_sentiment, get_coaching_notes). We retain your data for the lifetime of your account by default. CallVault is a long-term call intelligence vault, and customers expect data ingested today to remain queryable years from now. You can delete your data at any time.
Supabase manages encrypted backups of our production database with retention per their plan tier. We have successfully tested restore from these backups. Deleted data may persist in backup snapshots until the retention window expires.
You can export your data via the MCP API at any time using the read-tier tools (list_calls, get_transcript, list_contacts, list_folders, and others). The full schema is documented in our developer documentation.
Logical access. Production access is restricted to the single principal of 7x Systems LLC. MFA is enforced on every production admin account. The credential vault is 1Password. All workforce credentials and access reviews are governed by our Access Control Policy.
Network. All public CallVault endpoints serve over TLS 1.2+. Inter-service communication between the frontend, Edge Functions, and Supabase uses authenticated and encrypted channels.
Application. All production code changes require peer review and are merged to main through GitHub branch protection rules. Every MCP tool call passes through a category-gating layer that enforces customer-issued scope before reaching any database query. The boundary is unit-tested in CI.
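To make the category-gating idea concrete, here is an added example (written for this page, not CallVault's own code) of a gate that checks a customer-issued token's scope against a tool's category before any database query runs. The tool registry, the `TokenRecord` shape, and the category names `read`, `ai` and `admin` are assumptions for illustration; only the tool names come from the page.

```typescript
// Added example, not CallVault's code. Tool-to-category mapping and the
// TokenRecord shape are assumptions; tool names are the ones the page lists.

type ToolCategory = "read" | "ai" | "admin";

// Hypothetical tool registry: every tool belongs to exactly one category,
// so an unregistered tool can never slip past the gate.
const TOOL_CATEGORIES: Record<string, ToolCategory> = {
  list_calls: "read",
  get_transcript: "read",
  list_contacts: "read",
  list_folders: "read",
  ask_call: "ai",
  extract_action_items: "ai",
  get_sentiment: "ai",
  get_coaching_notes: "ai",
  revoke_token: "admin", // assumed admin-only tool
};

// Constructed shape of a customer-issued token as the gate sees it.
interface TokenRecord {
  tokenId: string;
  orgId: string;
  scopes: ToolCategory[];
  revoked: boolean;
  expiresAt: number; // unix milliseconds
}

interface GateDecision {
  allowed: boolean;
  reason: string;
  orgId?: string; // only present on an allowed decision
}

// The gate: fail closed on revocation, expiry, unknown tools and missing scope.
function gateToolCall(token: TokenRecord, tool: string, now: number): GateDecision {
  if (token.revoked) return { allowed: false, reason: "token revoked" };
  if (now >= token.expiresAt) return { allowed: false, reason: "token expired" };
  const category: ToolCategory | undefined = TOOL_CATEGORIES[tool];
  if (category === undefined) return { allowed: false, reason: `unknown tool: ${tool}` };
  if (!token.scopes.includes(category)) {
    return { allowed: false, reason: `scope "${category}" not granted to token` };
  }
  return { allowed: true, reason: "ok", orgId: token.orgId };
}

// The query layer only runs with an org id produced by an allowed decision,
// and every call (allowed or denied) leaves an operational log line.
function runTool(token: TokenRecord, tool: string, now: number, log: string[]): string {
  const decision = gateToolCall(token, tool, now);
  log.push(JSON.stringify({
    tool, org: token.orgId, token: token.tokenId,
    allowed: decision.allowed, reason: decision.reason,
  }));
  if (!decision.allowed) return `denied: ${decision.reason}`;
  // Placeholder for a query scoped to decision.orgId (no real database here).
  return `executed ${tool} for ${decision.orgId}`;
}

// Constructed sample: a read-only token issued by organization "org_demo".
const READ_ONLY_TOKEN: TokenRecord = {
  tokenId: "tok_example_1",
  orgId: "org_demo",
  scopes: ["read"],
  revoked: false,
  expiresAt: 2_000_000_000_000,
};

function demo(): string[] {
  const log: string[] = [];
  const now = 1_700_000_000_000;
  runTool(READ_ONLY_TOKEN, "list_calls", now, log);           // allowed
  runTool(READ_ONLY_TOKEN, "ask_call", now, log);             // denied: no "ai" scope
  runTool(READ_ONLY_TOKEN, "drop_all_calls", now, log);       // denied: unknown tool
  runTool({ ...READ_ONLY_TOKEN, revoked: true }, "list_calls", now, log); // denied
  return log;
}
```

The design point is that the gate decides on the token's granted categories and the tool's registered category alone; the tool handler never sees a request the gate has not explicitly allowed, and the log records denials as well as successes so unexpected scope probes show up in monitoring.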
Cryptography. Data at rest is encrypted by Supabase using AES-256. TLS certificates are managed by Vercel and rotate automatically. Secret material (API keys, service role keys) is stored exclusively in 1Password or platform-managed secret stores and is never committed to source control.
Monitoring. Sentry monitors the frontend and Edge Functions. Supabase, Vercel, and GitHub provide platform-level audit logs. We perform quarterly access reviews and annual subprocessor reviews.
Change management. Production deploys are auto-triggered by merges to main on Vercel. Rollback is instant via the Vercel deployment history. All changes are reviewable in git.
Incident response. We maintain an Incident Response Plan that defines detection, classification, containment, eradication, communication, and post-mortem procedures. We have not had a security-relevant incident in the trailing twelve months. When we do, we will report transparently per the Plan.
| Program | Status |
|---|---|
| SOC 2 Type I | In preparation; external audit planned for 2026 |
| SOC 2 Type II | Targeted after Type I completion |
| GDPR | DPA available; subprocessor list public; data deletion supported |
| CCPA / CPRA | Honored on customer request via support@callvaultai.com |
| HIPAA | Not a HIPAA-eligible service at this time. Customers with PHI use cases should contact us before ingesting Protected Health Information. |
| PCI DSS | Out of scope — payment data is handled by Stripe-hosted Checkout via Polar; no card data ever reaches CallVault servers |
| ISO 27001 | Not currently pursued |
We respond to mid-market and enterprise security questionnaires within 5 business days. Send your CAIQ, SIG, custom vendor security questionnaire, or DPA to support@callvaultai.com with [Security Review] in the subject line. Our pre-filled CAIQ-Lite response is available on request for SMB and mid-market evaluations.
If you believe you've found a security vulnerability in CallVault, please email support@callvaultai.com with [Security Vulnerability] in the subject line. We commit to acknowledge your report within 2 business days, provide an initial triage response within 5 business days, and coordinate disclosure timing with you in good faith. We do not currently operate a paid bug bounty program. We will credit researchers who report responsibly disclosed vulnerabilities, with the researcher's permission.
CallVault is operational. A public status page is being provisioned and will be linked here.
| Document | URL |
|---|---|
| Terms of Service | callvaultai.com/terms |
| Privacy Policy | callvaultai.com/privacy |
| Cookie Policy | callvaultai.com/cookies |
| Data Processing Addendum (DPA) | callvaultai.com/dpa |
| Document | Availability |
|---|---|
| Information Security Policy | On request, under NDA |
| Access Control Policy | On request, under NDA |
| Data Classification Policy | On request, under NDA |
| Data Retention & Deletion Policy | On request, under NDA |
| Incident Response Plan | On request, under NDA |
| Vendor & Subprocessor Management Policy | On request, under NDA |
| Pre-filled CAIQ-Lite response | On request |
This page was last updated on 2026-05-29. We refresh it at least quarterly and on any material change to the subprocessor list, security controls, or compliance posture.
Questions: support@callvaultai.com