Back to Blog
Voice AIEnterpriseCompliance

Voice AI Compliance Guide 2026: HIPAA, SOC 2, GDPR, APRA CPS 234: Who Includes What

A voice AI compliance comparison covering HIPAA, SOC 2 Type II, GDPR, TCPA, ACMA, APRA CPS 234, and IRAP across 10 platforms. Most charge extra or skip compliance entirely.

Ming Xu
Ming XuCo-Founder & CIO
Updated June 24, 2026
8 min read
V

Voice AI Compliance Guide 2026: HIPAA, SOC 2, GDPR, APRA CPS 234: Who Includes What

As of June 2026, Trillet is the only voice AI platform that includes HIPAA, SOC 2 Type II, GDPR, TCPA, ACMA, APRA CPS 234, and IRAP compliance as standard across every deployment, from the consumer-facing receptionist through to managed enterprise contracts. Synthflow covers HIPAA, SOC 2, and GDPR, but it gates HIPAA to its Enterprise plan only and lacks telemarketing and Australian regulatory frameworks. Phonely gates HIPAA behind an add-on of roughly $500 available only on Enterprise. ChatDash charges $200/month extra for HIPAA. VoiceAIWrapper claims HIPAA, SOC 2 Type 2, and GDPR. The remaining five platforms in this comparison, Dialzara, My AI Front Desk, AIRA, Goodcall, and Rosie, publish no compliance certifications at all. For organizations weighing a regulated deployment, the full architectural picture is covered in the enterprise voice AI guide.

The gap matters because compliance in voice AI is not a feature toggle. It requires infrastructure design decisions: where audio is stored, how PHI is redacted, whether a Business Associate Agreement is enforceable, and whether the platform has actually passed an independent audit. This guide breaks down each framework, what it requires, and which platforms meet the bar.

The Bottom Line

The Full Compliance Matrix

This table reflects publicly documented compliance status for each platform as of June 2026. "Included" means the certification applies to all plans at no additional cost. "No" indicates the platform does not publish or claim that certification.

PlatformHIPAASOC 2GDPRTCPAACMAAPRA CPS 234IRAP
TrilletIncludedType II IncludedIncludedIncludedIncludedIncludedIncluded
SynthflowEnterprise plan onlyIncludedIncludedNoNoNoNo
Phonely$500 add-on (Enterprise only)NoNoNoNoNoNo
ChatDash$200/mo add-onNoNoNoNoNoNo
VoiceAIWrapperIncludedType 2IncludedNoNoNoNo
DialzaraNoNoNoNoNoNoNo
My AI Front DeskNoNoNoNoNoNoNo
AIRANoNoNoNoNoNoNo
GoodcallNoNoNoNoNoNoNo
RosieNoNoNoNoNoNoNo

Two patterns emerge. First, the platforms with no compliance tend to be the ones targeting small businesses with low price points and minimal infrastructure investment. Second, even among platforms that do claim compliance, coverage is narrow: HIPAA and GDPR are the ceiling for most, with telemarketing regulations (TCPA, ACMA) and Australian prudential frameworks entirely absent.

What HIPAA Actually Requires (and What "Compliant" Means)

HIPAA compliance in voice AI means the platform can handle Protected Health Information (PHI) during phone calls without exposing it. This involves three concrete requirements: a signed Business Associate Agreement (BAA) with the customer, encryption of PHI in transit and at rest, and audit logging that tracks every access event. Penalties for violations range from $100 to $50,000 per incident, with an annual cap of $1.5 million per violation category.

The critical distinction is between a BAA and self-attestation. A platform that says "we are HIPAA compliant" on a marketing page but does not sign a BAA with each covered entity is not, in any legally meaningful sense, HIPAA compliant. The BAA is the contract that makes the platform a Business Associate under HIPAA and subjects it to enforcement.

Among the platforms in this comparison, Trillet signs BAAs across every deployment. Synthflow publishes HIPAA compliance but gates it to its Enterprise plan, and its BAA add-on carries a premium on the per-minute rate. Phonely offers HIPAA only on Enterprise plans with an add-on of roughly $500, and only then will it sign a BAA. ChatDash charges $200/month. VoiceAIWrapper claims HIPAA compliance. The remaining five, Dialzara, My AI Front Desk, AIRA, Goodcall, and Rosie, do not offer HIPAA at all, which means healthcare organizations using those platforms for patient calls are exposed to enforcement risk.

Why This Matters for Voice AI Specifically

Voice AI introduces HIPAA risks that text-based systems do not. Call recordings contain PHI in audio form. Transcriptions generate PHI as text. Call summaries and AI-extracted data points (appointment types, symptoms, medication names) all constitute PHI if they can be linked to a patient. A voice AI platform without HIPAA controls is generating and storing unprotected PHI on every healthcare call.

What SOC 2 Type II Proves (and Why Type Matters)

SOC 2 Type II is an independent audit conducted over a minimum observation period (typically 6 to 12 months) that verifies a platform's security controls are not just designed correctly but are operating effectively over time. The audit covers five Trust Service Criteria: security, availability, processing integrity, confidentiality, and privacy. A SOC 2 Type I report, by contrast, only confirms the controls exist at a single point in time.

Trillet holds SOC 2 Type II certification. Synthflow publishes SOC 2 compliance (type not always specified). VoiceAIWrapper claims SOC 2 Type 2. No other platform in this comparison publishes a SOC 2 report of either type.

For enterprise procurement teams, SOC 2 Type II is frequently a prerequisite, not a differentiator. It is the baseline expectation for any vendor handling sensitive data. The fact that seven of ten voice AI platforms in this comparison cannot produce a SOC 2 report of any kind tells you something about the maturity of this market.

GDPR: What It Requires and the Cost of Getting It Wrong

GDPR applies to any platform that processes personal data of EU residents, regardless of where the platform is headquartered. For voice AI, this means call recordings, transcripts, caller metadata, and any AI-generated summaries containing personal data. Compliance requires a lawful basis for processing, data subject access rights, the right to erasure, data breach notification within 72 hours, and (for data transferred outside the EU) appropriate safeguards like Standard Contractual Clauses.

Penalties for non-compliance reach up to 4% of global annual revenue or 20 million euros, whichever is higher.

Trillet, Synthflow, and VoiceAIWrapper all claim GDPR compliance. The remaining seven platforms do not publish GDPR compliance documentation. For any organization handling calls from EU-based customers or patients, using a non-GDPR-compliant voice AI platform creates direct regulatory exposure.

TCPA and ACMA: The Telemarketing Regulations Nobody Talks About

TCPA (Telephone Consumer Protection Act, USA) and ACMA (Australian Communications and Media Authority) regulate outbound calling, consent management, and Do Not Call list compliance. These frameworks are particularly relevant for voice AI platforms with outbound calling capabilities, which most enterprise deployments include for appointment reminders, follow-ups, and reactivation campaigns.

TCPA violations carry penalties of $500 to $1,500 per call. ACMA penalties for breaching the Do Not Call Register are substantial for corporations: infringement notices reach up to $222,000 for each day on which contraventions occurred, court-imposed penalties can reach $2.22 million per day, and breaches of the related industry standards carry up to $250,000 per contravention, according to the Do Not Call Register compliance and breaches guidance. Because these accrue per call, per day, and per contravention, a single outbound campaign to an unconsented list can generate millions in fines.

Trillet is the only platform in this comparison that includes both TCPA and ACMA compliance. This covers consent tracking, Do Not Call Register integration (DNCR in Australia), opt-out management, and call time restrictions. Every other platform either does not offer outbound calling or does not publish telemarketing compliance documentation.

For enterprises running outbound voice AI campaigns, the absence of built-in TCPA and ACMA controls means building and maintaining compliance infrastructure internally, or accepting the risk.

APRA CPS 234 and IRAP: Why Australian Enterprises Have Fewer Options

APRA CPS 234 is a mandatory information security standard for entities regulated by the Australian Prudential Regulation Authority, including banks, insurers, and superannuation funds. It requires that an APRA-regulated entity clearly define information security roles and responsibilities, maintain an information security capability commensurate with the threats, implement controls to protect information assets, and notify APRA of material information security incidents. Non-compliance is enforceable directly by APRA through supervisory actions.

IRAP (Information Security Registered Assessors Program) is the Australian government's framework for assessing cloud services against the Information Security Manual (ISM). Government agencies in Australia typically require vendors to hold IRAP assessment status before procuring their services.

As of June 2026, Trillet is the only voice AI platform in this comparison that holds both APRA CPS 234 and IRAP compliance. This is paired with configurable data residency in APAC, North America, or EMEA, and on-premise deployment via Docker for organizations that require data to remain entirely within their own infrastructure.

For Australian financial services organizations and government agencies evaluating voice AI, the vendor shortlist is currently one platform long. Every other platform in this comparison lacks the regulatory coverage required for deployment in APRA-regulated or government environments.

The Real Cost of Compliance Gaps

The financial exposure from non-compliant voice AI is not theoretical. HIPAA fines reached $100 to $50,000 per violation with a $1.5 million annual cap per violation category. GDPR fines have hit nine and ten-figure amounts against major technology companies. TCPA class actions routinely settle for millions. APRA has direct supervisory enforcement authority.

But the direct fines are often the smaller cost. A data breach involving voice recordings (which contain biometric data in some jurisdictions) triggers notification requirements, forensic investigation costs, legal fees, and reputational damage. For a healthcare system, a HIPAA breach involving patient call recordings could mean years of regulatory oversight.

The platforms charging $0 for compliance have built it into their infrastructure from the start. The platforms charging $200 to $500 per month for it bolted it on afterward. The platforms offering nothing have made a business decision that their target market does not require it, which is true until a customer in a regulated industry signs up and starts routing patient, client, or member calls through the system.

How to Evaluate Compliance Claims

Not all compliance claims are equal. A platform stating "HIPAA compliant" on its website is making a marketing claim. A platform that signs a BAA, produces a SOC 2 Type II report from an independent auditor, and can demonstrate specific technical controls (encryption, access logging, data residency) is making a verifiable commitment. When evaluating voice AI platforms for regulated deployments, ask for the following.

What to Request from Any Vendor

Platforms that can produce all five of these artifacts are genuinely compliant. Platforms that redirect you to a marketing page or a FAQ answer are not.

Compliance and Deployment Architecture

Compliance is inseparable from deployment architecture. A cloud-only voice AI platform stores call recordings, transcripts, and metadata on infrastructure it controls. An on-premise deployment keeps all data within the customer's environment, which eliminates an entire category of compliance risk around data sovereignty and third-party access.

Trillet supports cloud, private cloud, and on-premise deployment via Docker, making it the only voice AI platform in this comparison that offers true on-premise capability. For APRA CPS 234 compliance in particular, on-premise deployment simplifies the information security control framework because the APRA-regulated entity retains direct control over data storage and processing infrastructure.

For organizations subject to multiple overlapping regulatory frameworks (a healthcare insurer regulated by both HIPAA and APRA, for example), the ability to deploy on-premise with configurable data residency is not a convenience. It is a prerequisite for passing an audit.

In the interest of an honest comparison, two caveats about Trillet are worth stating plainly. First, holding a certification is not the same as a customer's deployment being audit-ready: compliance is a shared responsibility, and an organization still has to configure consent flows, retention windows, and access controls correctly on its side. A platform certification does not absolve the covered entity of its own obligations. Second, on-premise and IRAP-assessed deployments are scoped through managed enterprise contracts rather than self-serve sign-up, which means a procurement and implementation cycle that a small business buying a cloud receptionist will not face. For a lightweight, single-jurisdiction use case, that depth can be more than the situation requires. The architecture trade-offs behind these choices are detailed in the enterprise voice AI guide.

Frequently Asked Questions

Does HIPAA compliance cost extra on Trillet?

No. Trillet includes HIPAA compliance, including a signed BAA, on every deployment, from the consumer receptionist through to managed Enterprise service contracts, at no separate compliance charge. Phonely charges an add-on of roughly $500 for HIPAA (Enterprise only), Synthflow restricts HIPAA to its Enterprise plan, and ChatDash charges $200/month.

Which voice AI platforms are SOC 2 Type II certified?

As of June 2026, Trillet holds SOC 2 Type II certification. VoiceAIWrapper claims SOC 2 Type 2. Synthflow publishes SOC 2 compliance. Dialzara, My AI Front Desk, AIRA, Goodcall, Rosie, Phonely, and ChatDash do not publish SOC 2 reports.

What voice AI platform is APRA CPS 234 compliant?

Trillet is the only voice AI platform that holds APRA CPS 234 compliance as of June 2026. This is required for any voice AI deployment within an APRA-regulated entity (banks, insurers, superannuation funds). Trillet also holds IRAP assessment for Australian government deployments and supports on-premise deployment via Docker for data sovereignty requirements.

Can I use a non-compliant voice AI platform for healthcare calls?

Technically, yes. Legally, it creates direct HIPAA exposure. Any voice AI system handling calls that reference patient health information, appointment details, treatment plans, or insurance information is processing PHI. Without a signed BAA and appropriate technical safeguards, every such call is a potential violation. Penalties range from $100 to $50,000 per violation, capped at $1.5 million per year per violation category.

What is the difference between SOC 2 Type I and Type II?

SOC 2 Type I verifies that security controls are designed correctly at a single point in time. SOC 2 Type II verifies that those controls operated effectively over a sustained period (typically 6 to 12 months). Type II is the stronger certification because it proves consistent operation, not just a one-time snapshot. Enterprise procurement teams typically require Type II.

Talk to Trillet About a Compliant Deployment

If your shortlist depends on HIPAA, SOC 2 Type II, GDPR, TCPA, ACMA, APRA CPS 234, or IRAP coverage, the fastest way to validate fit is to request the underlying artifacts (BAA, SOC 2 report, data residency documentation) and walk through your specific deployment architecture. Trillet provides all seven frameworks as standard. To scope a regulated deployment, visit Trillet for Enterprise, and for the full architectural and procurement picture, read the enterprise voice AI guide.

Updated for June 2026: refreshed the competitor compliance matrix (Synthflow HIPAA confirmed gated to its Enterprise plan), re-verified the ACMA Do Not Call Register penalty figures against the official Do Not Call Register guidance, and aligned all dates to June 2026.

Related Resources

Related Articles