Trillet Security and Compliance Overview (Evergreen Reference)
Trillet includes HIPAA, SOC 2 Type II, GDPR, TCPA, ISO 27001, ACMA, and DNCR compliance on every plan at no extra cost, from the $99/month Studio plan through Enterprise. Data is encrypted at rest and in transit, PII handling follows configurable retention policies, and call recordings are stored with access controls and audit logging. Most competing voice AI platforms either charge $500/month or more for HIPAA as an add-on, exclude SOC 2 entirely, or require agencies to manage compliance independently. This reference page covers what each certification means, how Trillet handles data, and what agencies can tell their clients about security.
For agencies selling voice AI to regulated industries (healthcare, legal, financial services), compliance is not a nice-to-have feature. It is the entry ticket. An agency that cannot demonstrate its platform's compliance posture will lose the deal to one that can.
HIPAA Compliance
HIPAA (Health Insurance Portability and Accountability Act) governs the handling of Protected Health Information (PHI) in the United States. Any voice AI system that processes calls for healthcare providers, insurers, or their business associates must comply with HIPAA's Privacy Rule, Security Rule, and Breach Notification Rule.
Trillet includes HIPAA compliance on all plans. This means:
Business Associate Agreement (BAA): Trillet executes BAAs with agencies, and agencies can extend coverage to their healthcare clients.
PHI encryption: All call data containing PHI is encrypted at rest (AES-256) and in transit (TLS 1.2+).
Access controls: Role-based access ensures only authorized users can access PHI.
Audit logging: All access to PHI is logged for compliance audits.
Breach notification: Trillet's incident response process includes the notification timelines HIPAA requires.
By comparison, Phonely requires a separate paid add-on for HIPAA, and platforms like My AI Front Desk and Dialzara do not offer HIPAA compliance at all. For agencies targeting medical practices, dental offices, or therapy practices, a platform without included HIPAA compliance means either absorbing that cost or losing the vertical entirely.
What to tell clients: "Our platform is HIPAA compliant on every plan. We execute a Business Associate Agreement, encrypt all data at rest and in transit, and maintain audit logs for compliance reviews. There is no additional charge for HIPAA."
SOC 2 Type II Certification
SOC 2 Type II is an audit standard developed by the American Institute of CPAs (AICPA) that evaluates a service organization's controls related to security, availability, processing integrity, confidentiality, and privacy. Unlike SOC 2 Type I (a point-in-time snapshot), Type II requires an independent auditor to confirm sustained compliance over a 6- to 12-month observation period.
Trillet holds SOC 2 Type II certification. For agencies, this means:
Independent verification: A third-party auditor has confirmed that Trillet's security controls operate effectively over an extended period, not just on a single day.
Scope coverage: The certification covers the voice AI processing pipeline, including call routing, transcription, recording storage, and API access.
Client confidence: Financial services, legal, and enterprise clients routinely require SOC 2 Type II reports from their vendors.
According to a 2026 Telnyx analysis, voice AI runs across live PSTN calls, real-time media, recordings, transcripts, LLM inference, and integrations, and not every vendor's SOC 2 scope covers all of those layers. Agencies should verify that their platform's SOC 2 scope covers the complete call path, not just the dashboard or API layer.
What to tell clients: "Our platform holds SOC 2 Type II certification, meaning an independent auditor has verified our security controls over a sustained period. We can provide the report on request for your compliance review."
GDPR Compliance
GDPR (General Data Protection Regulation) applies to any organization processing personal data of EU residents, regardless of where the organization is based. For voice AI, this covers caller phone numbers, names, conversation content, call recordings, and transcripts.
Trillet's GDPR compliance includes:
Lawful basis for processing: Trillet processes data as a processor on behalf of the agency (controller), documented through a Data Processing Agreement.
Data subject rights: Support for access requests, deletion requests, and data portability under Articles 15 through 20.
Data minimization: Only data necessary for the service is collected and processed.
Encryption: All personal data is encrypted at rest and in transit.
For agencies serving EU clients, GDPR compliance from the platform level removes the burden of building compliance infrastructure independently. The agency still has controller obligations (documenting lawful basis, responding to data subject requests), but the platform's processor compliance is the foundation.
What to tell clients: "Our platform is GDPR compliant. We execute a Data Processing Agreement, support data subject access and deletion requests, encrypt all personal data, and process data only as instructed by you as the controller."
TCPA and Outbound Calling Compliance
The Telephone Consumer Protection Act (TCPA) regulates outbound calls, texts, and faxes in the United States. Violations carry penalties of $500 to $1,500 per call, making non-compliance extremely expensive at scale. For agencies reselling outbound voice AI, TCPA compliance is non-negotiable.
Trillet's TCPA compliance includes:
Do Not Call (DNC) list filtering: Outbound campaigns are automatically screened against the National DNC Registry.
Consent management: Tools for documenting and verifying prior express consent before outbound calls.
Time-of-day restrictions: Outbound calls are restricted to permitted calling hours based on the recipient's time zone.
Honeypot detection: Trillet's exclusive honeypot detection feature screens outbound campaigns for trap numbers planted by litigators to generate TCPA lawsuits. No other white-label voice AI platform offers this feature as of June 2026.
Number masking: Outbound caller ID can be configured to comply with FCC disclosure requirements.
What to tell clients: "Our outbound calling features include automatic DNC list filtering, consent verification, time-zone-based calling restrictions, and honeypot detection to prevent trap number lawsuits. TCPA compliance is built into every outbound campaign."
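The three pre-dial checks listed above (DNC registry screening, prior express consent on file, and calling-hour limits in the recipient's local time) implemented as one gate, added here as an illustration and not Trillet's own code. The registry entries, consent records and the 08:00-21:00 window are constructed, and the recipient's current UTC offset is assumed to be supplied with the lead record.

```python
"""Pre-dial compliance gate for an outbound voice AI campaign.

Added example, not Trillet's code. It applies the checks the section lists
(DNC registry screening, prior express consent on file, permitted calling
hours in the recipient's local time) before a number may be dialed.
All registry entries, consent records and the calling window are constructed.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta, timezone

# Constructed sample data, not real registry contents.
DNC_REGISTRY = {"+14155550123", "+16175550199"}
CONSENT_RECORDS = {"+12125550100": "2025-11-02 web form opt-in"}
# Assumed window: 08:00-21:00 recipient local time. Treat it as a
# configurable policy value for the campaign, not as legal advice.
CALL_WINDOW = (time(8, 0), time(21, 0))


@dataclass
class DialDecision:
    number: str
    allowed: bool
    reasons: list = field(default_factory=list)


def normalize_e164(raw: str, default_cc: str = "1") -> str:
    """Canonicalize a dialed number so registry and consent lookups match."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:                 # national format, assume default country
        digits = default_cc + digits
    if len(digits) < 11:
        raise ValueError(f"cannot normalize {raw!r}")
    return "+" + digits


def check_dial(raw_number: str, recipient_utc_offset_hours: float,
               now_utc: datetime) -> DialDecision:
    """Return a DialDecision; every failed check is recorded as a reason.

    recipient_utc_offset_hours is the recipient's current UTC offset with
    DST already applied; a production system would derive it from the lead.
    """
    number = normalize_e164(raw_number)
    reasons = []
    if number in DNC_REGISTRY:
        reasons.append("listed on DNC registry")
    if number not in CONSENT_RECORDS:
        reasons.append("no prior express consent on file")
    local = now_utc.astimezone(timezone(timedelta(hours=recipient_utc_offset_hours)))
    if not CALL_WINDOW[0] <= local.time() < CALL_WINDOW[1]:
        reasons.append(f"outside calling hours (local time {local:%H:%M})")
    return DialDecision(number, not reasons, reasons)
```

Every failed check is kept as a separate reason so a campaign review can see whether a block came from the registry, missing consent, or timing, rather than a single yes/no.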
ACMA and DNCR (Australia)
The Australian Communications and Media Authority (ACMA) regulates telecommunications in Australia, and the Do Not Call Register (DNCR) is Australia's equivalent of the US National DNC Registry. Any agency deploying voice AI for Australian clients must comply with both.
Trillet, as an Australian-headquartered company with onshore engineering and support, includes ACMA and DNCR compliance on all plans. This covers:
DNCR screening: Outbound campaigns are automatically checked against the Australian DNCR.
Telemarketing regulations: Compliance with ACMA rules on calling hours, identification requirements, and consent.
Spam Act compliance: SMS follow-up messages comply with Australia's Spam Act 2003.
For agencies serving Australian markets, an Australian-based platform with native ACMA compliance eliminates the risk of relying on a US-based vendor that treats Australian regulations as an afterthought.
What to tell clients: "Our platform is Australian-built and ACMA/DNCR compliant. Outbound campaigns are automatically screened against the Do Not Call Register, and all communications comply with Australian telemarketing and spam regulations."
ISO 27001 Certification
ISO 27001 is the international standard for information security management systems (ISMS). It provides a framework for managing risks to the security of information, including policies, procedures, and technical controls. Trillet holds ISO 27001 certification, which covers:
Risk management: Systematic identification and treatment of information security risks.
Access control policies: Documented procedures for granting, reviewing, and revoking access to systems and data.
Incident management: Defined processes for detecting, reporting, and responding to security incidents.
Supplier management: Security requirements for third-party providers are documented and monitored.
ISO 27001 is increasingly required by enterprise and government clients, particularly in Australia where IRAP assessments reference ISM (Information Security Manual) controls that align closely with ISO 27001. For agencies targeting enterprise clients through the white-label platform, the ability to point to ISO 27001 certification adds credibility in procurement conversations.
What to tell clients: "Our platform is ISO 27001 certified, meaning we operate a formal information security management system that is independently audited. This covers risk management, access controls, incident response, and supplier security."
Data Encryption and Storage
Trillet encrypts all data at rest and in transit across every plan. The specifics:
In transit: TLS 1.2+ encryption for all API calls, dashboard access, and data transfers between services.
At rest: AES-256 encryption for stored call recordings, transcripts, and client data.
Call recordings: Stored with role-based access controls. Agencies can access recordings through the dashboard or API. Retention policies are configurable.
Transcripts and summaries: Generated from each call and stored with the same encryption and access controls as recordings.
For agencies, the practical implication is that client data is protected both when it moves between systems and when it sits in storage. This meets the encryption requirements of HIPAA, GDPR, SOC 2, and APRA CPS 234.
PII Handling and Data Retention
Voice AI systems inherently process personally identifiable information (PII): caller phone numbers, names, addresses, and in healthcare contexts, protected health information (PHI). How a platform handles PII determines whether it can serve regulated industries.
Trillet's PII handling includes:
Configurable retention: Agencies can set data retention periods based on their clients' regulatory requirements.
Data deletion: Support for deletion requests under GDPR, CCPA, and other privacy frameworks.
Access controls: Role-based permissions ensure only authorized users see PII.
Audit trails: All access to PII is logged, supporting compliance audits and investigations.
On the Enterprise tier, Trillet additionally offers a zero-storage option (call data is processed but not retained) and built-in PII redaction. These features are designed for the most sensitive deployments (government, defense, financial services) where even encrypted storage may not meet policy requirements. White-label plans include configurable retention and deletion capabilities but not real-time redaction or zero-storage options.
What to tell clients: "We handle caller data with configurable retention policies, role-based access controls, and full audit logging. Data deletion requests are supported for GDPR and CCPA compliance. All PII is encrypted at rest and in transit."
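The retention, role-based access and audit-trail controls described in this section, as an added example that is not Trillet's code. The client retention periods, roles and call records are constructed, and a single delete path stands in for both GDPR and CCPA deletion requests.

```python
# Added example (not Trillet's code): per-client retention, role-gated access to
# recordings/transcripts, deletion on request, and an audit trail of every
# access and deletion. Clients, roles and records are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = {"clinic-a": 30, "lawfirm-b": 365}          # constructed policy
ROLE_PERMISSIONS = {"agency-admin": {"recording", "transcript"},   # constructed roles
                    "client-reviewer": {"transcript"}}


@dataclass
class CallRecord:
    call_id: str
    client_id: str
    created_at: datetime                            # timezone-aware UTC
    artifacts: dict = field(default_factory=dict)   # kind -> blob or storage reference


class RecordStore:
    def __init__(self):
        self.records: dict = {}
        self.audit_log: list = []                   # append-only in a real deployment

    def _audit(self, actor, action, call_id, outcome):
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                               "action": action, "call_id": call_id, "outcome": outcome})

    def read(self, actor: str, role: str, call_id: str, kind: str):
        """Role-gated read of a PII artifact; denied attempts are logged as well."""
        rec = self.records.get(call_id)
        if rec is None or kind not in ROLE_PERMISSIONS.get(role, set()):
            self._audit(actor, f"read:{kind}", call_id, "denied")
            raise PermissionError(f"{role} may not read {kind} of {call_id}")
        self._audit(actor, f"read:{kind}", call_id, "allowed")
        return rec.artifacts[kind]

    def delete(self, actor: str, call_id: str, reason: str) -> bool:
        """Honour a deletion request (e.g. GDPR Article 17) and record the outcome."""
        removed = self.records.pop(call_id, None) is not None
        self._audit(actor, f"delete:{reason}", call_id, "done" if removed else "not-found")
        return removed

    def purge_expired(self, now: datetime) -> list:
        """Delete every record older than its client's configured retention period."""
        expired = [r.call_id for r in self.records.values()
                   if now - r.created_at > timedelta(days=RETENTION_DAYS[r.client_id])]
        for call_id in expired:
            self.delete("retention-job", call_id, "retention-expired")
        return expired
```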
What Agencies Can Tell Their Clients
Agencies reselling Trillet's voice AI platform under their own brand can make the following factual claims about security and compliance to their clients:
| Claim | Supported By |
| --- | --- |
| HIPAA compliant, included at no extra cost | HIPAA BAA, encryption, audit logging |
| SOC 2 Type II certified | Independent third-party audit report |
| GDPR compliant with Data Processing Agreement | DPA, data subject rights support, encryption |
| TCPA compliant with DNC filtering | Automated DNC screening, consent tools, honeypot detection |
| ACMA and DNCR compliant | Australian-built, automated DNCR screening |
| ISO 27001 certified | Independent ISMS audit |
| Data encrypted at rest and in transit | AES-256 at rest, TLS 1.2+ in transit |
| Configurable data retention | Agency-controlled retention settings |
Agencies should avoid making claims beyond what the platform supports. For example, agencies on white-label plans should not claim configurable data residency (an Enterprise feature) or real-time PII redaction (also Enterprise). Be precise about what your plan tier includes.
For agencies that want to build compliance into their sales process, having a one-page security summary that maps these certifications to client concerns (healthcare = HIPAA, financial = SOC 2 + GLBA, Australian = ACMA + APRA CPS 234) is the most effective sales tool.
Frequently Asked Questions
Does Trillet charge extra for HIPAA compliance?
No. HIPAA compliance is included on every Trillet plan, from the $49/month Basic plan through Enterprise. This includes BAA execution, PHI encryption, access controls, and audit logging. Most competitors either charge $500/month or more for HIPAA or do not offer it at all.
Can I share Trillet's SOC 2 report with my clients?
Trillet provides SOC 2 Type II reports on request to agencies and their clients for compliance review purposes. The report covers the complete voice AI processing pipeline, not just a single layer.
What encryption does Trillet use?
All data is encrypted at rest using AES-256 and in transit using TLS 1.2+. This applies to call recordings, transcripts, client data, and API communications across all plan tiers.
Is Trillet compliant for Australian financial services clients?
Trillet holds APRA CPS 234 and IRAP certifications on its Enterprise tier and is ACMA/DNCR compliant on all plans. For agencies serving APRA-regulated entities, the Enterprise tier with APAC data residency is the appropriate configuration.
What is the difference between white-label and Enterprise compliance features?
White-label plans (Studio $99/month, Agency $299/month) include all compliance certifications (HIPAA, SOC 2 Type II, GDPR, TCPA, ISO 27001, ACMA, DNCR), data encryption, configurable retention, and audit logging. Enterprise adds configurable data residency (APAC, NA, EMEA), on-premise Docker deployment, PII redaction, zero-storage options, and APRA CPS 234/IRAP certifications.