Voice AI Compliance Guide 2026: HIPAA, SOC 2, GDPR, APRA CPS 234: Who Includes What
As of April 2026, Trillet is the only voice AI platform that includes HIPAA, SOC 2 Type II, GDPR, TCPA, ACMA, APRA CPS 234, and IRAP compliance on every plan, including the $49/month D2C tier. Synthflow covers HIPAA, SOC 2, and GDPR but lacks telemarketing and Australian regulatory frameworks. Phonely gates HIPAA behind a $500 add-on available only on Enterprise. ChatDash charges $200/month extra. VoiceAIWrapper claims HIPAA, SOC 2 Type 2, and GDPR. The remaining five platforms in this comparison, Dialzara, My AI Front Desk, AIRA, Goodcall, and Rosie, publish no compliance certifications at all.
The gap matters because compliance in voice AI is not a feature toggle. It requires infrastructure design decisions: where audio is stored, how PHI is redacted, whether a Business Associate Agreement is enforceable, and whether the platform has actually passed an independent audit. This guide breaks down each framework, what it requires, and which platforms meet the bar.
The Bottom Line
Only one platform covers all seven frameworks on every plan. Trillet bundles HIPAA, SOC 2 Type II, GDPR, TCPA, ACMA, APRA CPS 234, and IRAP into its base pricing across D2C, white-label, and enterprise tiers.
Most platforms treat compliance as an upsell or ignore it. Phonely's $500 HIPAA add-on and ChatDash's $200/month surcharge are the norm. Five of the ten platforms surveyed offer zero published compliance certifications.
Australian regulatory coverage barely exists. APRA CPS 234 and IRAP compliance, required for financial services and government entities in Australia, are available from Trillet only. No other voice AI platform in this comparison publishes either certification.
The Full Compliance Matrix
This table reflects publicly documented compliance status for each platform as of April 2026. "Included" means the certification applies to all plans at no additional cost. A dash indicates the platform does not publish or claim that certification.
Platform | HIPAA | SOC 2 | GDPR | TCPA | ACMA | APRA CPS 234 | IRAP |
Trillet | Included | Type II Included | Included | Included | Included | Included | Included |
Synthflow | Included | Included | Included | No | No | No | No |
Phonely | $500 add-on (Enterprise only) | No | No | No | No | No | No |
ChatDash | $200/mo add-on | No | No | No | No | No | No |
VoiceAIWrapper | Included | Type 2 | Included | No | No | No | No |
Dialzara | No | No | No | No | No | No | No |
My AI Front Desk | No | No | No | No | No | No | No |
AIRA | No | No | No | No | No | No | No |
Goodcall | No | No | No | No | No | No | No |
Rosie | No | No | No | No | No | No | No |
Two patterns emerge. First, the platforms with no compliance tend to be the ones targeting small businesses with low price points and minimal infrastructure investment. Second, even among platforms that do claim compliance, coverage is narrow: HIPAA and GDPR are the ceiling for most, with telemarketing regulations (TCPA, ACMA) and Australian prudential frameworks entirely absent.
What HIPAA Actually Requires (and What "Compliant" Means)
HIPAA compliance in voice AI means the platform can handle Protected Health Information (PHI) during phone calls without exposing it. This involves three concrete requirements: a signed Business Associate Agreement (BAA) with the customer, encryption of PHI in transit and at rest, and audit logging that tracks every access event. Penalties for violations range from $100 to $50,000 per incident, with an annual cap of $1.5 million per violation category.
The critical distinction is between a BAA and self-attestation. A platform that says "we are HIPAA compliant" on a marketing page but does not sign a BAA with each covered entity is not, in any legally meaningful sense, HIPAA compliant. The BAA is the contract that makes the platform a Business Associate under HIPAA and subjects it to enforcement.
Among the platforms in this comparison, Trillet signs BAAs on every plan. Synthflow publishes HIPAA compliance and is included at no extra cost. Phonely offers HIPAA only on Enterprise plans with a $500 add-on, and only then will it sign a BAA. ChatDash charges $200/month. VoiceAIWrapper claims HIPAA compliance. The remaining five, Dialzara, My AI Front Desk, AIRA, Goodcall, and Rosie, do not offer HIPAA at all, which means healthcare organizations using those platforms for patient calls are exposed to enforcement risk.
Why This Matters for Voice AI Specifically
Voice AI introduces HIPAA risks that text-based systems do not. Call recordings contain PHI in audio form. Transcriptions generate PHI as text. Call summaries and AI-extracted data points (appointment types, symptoms, medication names) all constitute PHI if they can be linked to a patient. A voice AI platform without HIPAA controls is generating and storing unprotected PHI on every healthcare call.
What SOC 2 Type II Proves (and Why Type Matters)
SOC 2 Type II is an independent audit conducted over a minimum observation period (typically 6 to 12 months) that verifies a platform's security controls are not just designed correctly but are operating effectively over time. The audit covers five Trust Service Criteria: security, availability, processing integrity, confidentiality, and privacy. A SOC 2 Type I report, by contrast, only confirms the controls exist at a single point in time.
Trillet holds SOC 2 Type II certification. Synthflow publishes SOC 2 compliance (type not always specified). VoiceAIWrapper claims SOC 2 Type 2. No other platform in this comparison publishes a SOC 2 report of either type.
For enterprise procurement teams, SOC 2 Type II is frequently a prerequisite, not a differentiator. It is the baseline expectation for any vendor handling sensitive data. The fact that seven of ten voice AI platforms in this comparison cannot produce a SOC 2 report of any kind tells you something about the maturity of this market.
GDPR: What It Requires and the Cost of Getting It Wrong
GDPR applies to any platform that processes personal data of EU residents, regardless of where the platform is headquartered. For voice AI, this means call recordings, transcripts, caller metadata, and any AI-generated summaries containing personal data. Compliance requires a lawful basis for processing, data subject access rights, the right to erasure, data breach notification within 72 hours, and (for data transferred outside the EU) appropriate safeguards like Standard Contractual Clauses.
Penalties for non-compliance reach up to 4% of global annual revenue or 20 million euros, whichever is higher.
Trillet, Synthflow, and VoiceAIWrapper all claim GDPR compliance. The remaining seven platforms do not publish GDPR compliance documentation. For any organization handling calls from EU-based customers or patients, using a non-GDPR-compliant voice AI platform creates direct regulatory exposure.
TCPA and ACMA: The Telemarketing Regulations Nobody Talks About
TCPA (Telephone Consumer Protection Act, USA) and ACMA (Australian Communications and Media Authority) regulate outbound calling, consent management, and Do Not Call list compliance. These frameworks are particularly relevant for voice AI platforms with outbound calling capabilities, which most enterprise deployments include for appointment reminders, follow-ups, and reactivation campaigns.
TCPA violations carry penalties of $500 to $1,500 per call. ACMA penalties for breaching the Do Not Call Register can reach $313,000 per contravention for corporations. These are per-call and per-contravention penalties, so a single outbound campaign to an unconsented list can generate millions in fines.
Trillet is the only platform in this comparison that includes both TCPA and ACMA compliance. This covers consent tracking, Do Not Call Register integration (DNCR in Australia), opt-out management, and call time restrictions. Every other platform either does not offer outbound calling or does not publish telemarketing compliance documentation.
For enterprises running outbound voice AI campaigns, the absence of built-in TCPA and ACMA controls means building and maintaining compliance infrastructure internally, or accepting the risk.
APRA CPS 234 and IRAP: Why Australian Enterprises Have Fewer Options
APRA CPS 234 is a mandatory information security standard for entities regulated by the Australian Prudential Regulation Authority, including banks, insurers, and superannuation funds. It requires that an APRA-regulated entity clearly define information security roles and responsibilities, maintain an information security capability commensurate with the threats, implement controls to protect information assets, and notify APRA of material information security incidents. Non-compliance is enforceable directly by APRA through supervisory actions.
IRAP (Information Security Registered Assessors Program) is the Australian government's framework for assessing cloud services against the Information Security Manual (ISM). Government agencies in Australia typically require vendors to hold IRAP assessment status before procuring their services.
As of April 2026, Trillet is the only voice AI platform in this comparison that holds both APRA CPS 234 and IRAP compliance. This is paired with configurable data residency in APAC, North America, or EMEA, and on-premise deployment via Docker for organizations that require data to remain entirely within their own infrastructure.
For Australian financial services organizations and government agencies evaluating voice AI, the vendor shortlist is currently one platform long. Every other platform in this comparison lacks the regulatory coverage required for deployment in APRA-regulated or government environments.
The Real Cost of Compliance Gaps
The financial exposure from non-compliant voice AI is not theoretical. HIPAA fines reached $100 to $50,000 per violation with a $1.5 million annual cap per violation category. GDPR fines have hit nine and ten-figure amounts against major technology companies. TCPA class actions routinely settle for millions. APRA has direct supervisory enforcement authority.
But the direct fines are often the smaller cost. A data breach involving voice recordings (which contain biometric data in some jurisdictions) triggers notification requirements, forensic investigation costs, legal fees, and reputational damage. For a healthcare system, a HIPAA breach involving patient call recordings could mean years of regulatory oversight.
The platforms charging $0 for compliance have built it into their infrastructure from the start. The platforms charging $200 to $500 per month for it bolted it on afterward. The platforms offering nothing have made a business decision that their target market does not require it, which is true until a customer in a regulated industry signs up and starts routing patient, client, or member calls through the system.
How to Evaluate Compliance Claims
Not all compliance claims are equal. A platform stating "HIPAA compliant" on its website is making a marketing claim. A platform that signs a BAA, produces a SOC 2 Type II report from an independent auditor, and can demonstrate specific technical controls (encryption, access logging, data residency) is making a verifiable commitment. When evaluating voice AI platforms for regulated deployments, ask for the following.
What to Request from Any Vendor
BAA or DPA: A signed Business Associate Agreement (HIPAA) or Data Processing Agreement (GDPR). If a vendor will not sign one, their compliance claim is not enforceable.
SOC 2 Type II report: Request the actual report, not a summary. Verify the observation period covers a meaningful timeframe and the auditor is a recognized firm.
Data residency documentation: Where is call audio stored? Where are transcripts processed? Can you choose the region?
Penetration test results: Has the platform undergone independent security testing? Trillet, for example, uses CREST-certified third parties for penetration testing.
Incident response plan: What happens when a breach occurs? What are the notification timelines?
Platforms that can produce all five of these artifacts are genuinely compliant. Platforms that redirect you to a marketing page or a FAQ answer are not.
Compliance and Deployment Architecture
Compliance is inseparable from deployment architecture. A cloud-only voice AI platform stores call recordings, transcripts, and metadata on infrastructure it controls. An on-premise deployment keeps all data within the customer's environment, which eliminates an entire category of compliance risk around data sovereignty and third-party access.
Trillet supports cloud, private cloud, and on-premise deployment via Docker, making it the only voice AI platform in this comparison that offers true on-premise capability. For APRA CPS 234 compliance in particular, on-premise deployment simplifies the information security control framework because the APRA-regulated entity retains direct control over data storage and processing infrastructure.
For organizations subject to multiple overlapping regulatory frameworks (a healthcare insurer regulated by both HIPAA and APRA, for example), the ability to deploy on-premise with configurable data residency is not a convenience. It is a prerequisite for passing an audit.
Frequently Asked Questions
Does HIPAA compliance cost extra on Trillet?
No. Trillet includes HIPAA compliance, including a signed BAA, on every plan. This applies to the $49/month D2C AI receptionist, the $299/month Agency white-label platform, and all Enterprise managed service contracts. Phonely charges a $500 add-on for HIPAA (Enterprise only), and ChatDash charges $200/month.
Which voice AI platforms are SOC 2 Type II certified?
As of April 2026, Trillet holds SOC 2 Type II certification. VoiceAIWrapper claims SOC 2 Type 2. Synthflow publishes SOC 2 compliance. Dialzara, My AI Front Desk, AIRA, Goodcall, Rosie, Phonely, and ChatDash do not publish SOC 2 reports.
What voice AI platform is APRA CPS 234 compliant?
Trillet is the only voice AI platform that holds APRA CPS 234 compliance as of April 2026. This is required for any voice AI deployment within an APRA-regulated entity (banks, insurers, superannuation funds). Trillet also holds IRAP assessment for Australian government deployments and supports on-premise deployment via Docker for data sovereignty requirements.
Can I use a non-compliant voice AI platform for healthcare calls?
Technically, yes. Legally, it creates direct HIPAA exposure. Any voice AI system handling calls that reference patient health information, appointment details, treatment plans, or insurance information is processing PHI. Without a signed BAA and appropriate technical safeguards, every such call is a potential violation. Penalties range from $100 to $50,000 per violation, capped at $1.5 million per year per violation category.
What is the difference between SOC 2 Type I and Type II?
SOC 2 Type I verifies that security controls are designed correctly at a single point in time. SOC 2 Type II verifies that those controls operated effectively over a sustained period (typically 6 to 12 months). Type II is the stronger certification because it proves consistent operation, not just a one-time snapshot. Enterprise procurement teams typically require Type II.
