HulloDesk handles calls on behalf of your business — which means we take security, compliance, and customer protection seriously. Here is exactly how we do it.
Every standard below is active today — not aspirational.
HulloDesk has completed a SOC 2 Type II audit covering security, availability, and confidentiality. Our controls are independently verified on an ongoing basis.
Every call and SMS HulloDesk sends on your behalf is governed by TCPA rules. We maintain a live DNC blacklist, honor every STOP request instantly, and never contact numbers without consent.
HulloDesk supports your obligations as a data controller. You can export, restrict, or permanently erase any customer record on request. We publish a full subprocessor list and sign DPAs on request.
All data transmitted between your callers, HulloDesk, and your CRM is encrypted using TLS 1.3. Call recordings at rest are encrypted with AES-256.
HulloDesk maintains a real-time DNC blacklist. Any number that texts STOP is immediately added, all active sequences are cancelled, and a confirmation SMS is sent — automatically, every time.
HulloDesk never stores card data. All billing is processed by Stripe, a PCI Level 1 certified provider. Your payment information never touches our servers.
How we handle your data and your customers' data — in plain language.
HulloDesk AI agents announce themselves at the start of every call. Callers are informed they are speaking with an AI assistant and that the call may be recorded for quality and transcription purposes. You can review the exact disclosure language in your agent settings.
In line with FTC guidance and emerging state-level AI transparency laws, HulloDesk agents do not impersonate humans. The agent identifies itself as an AI at the start of the interaction. You remain in control of the agent name and personality — but AI disclosure is always on.
You own your data. Call recordings, transcripts, leads, and customer records belong to your business. HulloDesk processes them on your behalf as a data processor. If you close your account, we provide a full export and permanently delete your data within 30 days.
Call recordings are retained for 24 months and then automatically archived or purged per your plan settings. Soft-deleted records are retained for 30 days before permanent removal. OAuth tokens for connected integrations are revoked and deleted within 30 days of disconnection.
We publish a complete list of every third-party service that processes data on your behalf — including our database, AI voice, telephony, billing, and storage providers. Any new subprocessor addition is disclosed before it goes live.
In the event of a confirmed data breach affecting your business, HulloDesk will notify you within 72 hours — consistent with GDPR Article 33 obligations. We maintain an internal incident response plan tested on a quarterly basis.
The underlying stack HulloDesk is built on.

| Layer | Provider | Standard |
|---|---|---|
| Database & Auth | Supabase | SOC 2 Type II |
| AI Voice Processing | AI Voice Provider | Encrypted in transit + at rest |
| Telephony | Telephony Provider | ISO 27001, SOC 2 |
| Hosting | Vercel | SOC 2 Type II |
| Payments | Stripe | PCI Level 1 |
| Call Recording Storage | Cloudflare R2 | AES-256 encrypted |
| Data Transfer | All layers | TLS 1.3 |

Full subprocessor list: hullodesk.com/subprocessors
Everything in writing, always up to date.
To report a vulnerability, request a signed DPA, or ask about our security posture, reach out directly.
security@hullodesk.com