Security Policy

adaptlive maintains a security program designed for a multi-tenant SaaS platform that processes live business phone calls, audio streams, transcripts, customer records, and CRM-connected workflows.

The program is risk-based and evolves with the product, customer requirements, procurement obligations, and the maturity of the company.

adaptlive maintains SOC 2-aligned security controls and readiness evidence. A formal Security-only SOC 2 Type 1 audit is on the roadmap as the enterprise procurement motion matures.

Our initial planned audit scope is Security-only SOC 2 Type 1 for the production SaaS, customer call data, authentication, cloud infrastructure, source control, deployment pipeline, monitoring, and critical vendors.

Do not state that adaptlive is SOC 2 certified or SOC 2 compliant unless a current report has been issued and is available under NDA.

adaptlive uses workspace-aware access controls, role-aware authorization, protected authentication cookies, administrative access restrictions, and least-privilege operational access where practical.

Customers are responsible for configuring users, roles, phone numbers, API keys, CRM connections, and integrations appropriately for their organization.

Administrative access to production systems is limited to authorized personnel with a business need and may be logged, reviewed, or revoked.

adaptlive is designed around workspace separation. Application logic and database access patterns are intended to keep each customer's call sessions, transcripts, drafts, customers, and CRM connections scoped to its authorized workspace.

Public API access is workspace-scoped through the caller's credentials. API keys should see only the workspace they were created for, and customers should use separate credentials for separate workspaces or environments.

adaptlive uses encrypted transport for data in transit where supported by the protocol and provider, including the Twilio Media Streams WebSocket and connections to speech-to-text and AI providers.

Production data is stored using managed cloud infrastructure and database services that provide encryption at rest or equivalent storage-layer protections. Call recordings are stored in object storage with access scoped to the customer workspace.

Customers should not send secrets, passwords, payment card numbers, or unrelated sensitive data through support chat, email, or free-text fields.

adaptlive uses logs, diagnostics, request identifiers, audit trails, and monitoring to troubleshoot issues, investigate suspicious activity, support compliance workflows, and maintain service reliability.

Product audit trails record events such as draft approval, CRM sync, and configuration changes — who performed an action, what changed, timestamps, IP address or session metadata, and workflow context.

Security and diagnostic logs are access-restricted and retained according to operational, legal, and customer requirements.

adaptlive uses source control, review practices, environment separation, deployment controls, dependency management, and testing appropriate for the stage and risk of the product.

Changes to production systems may be logged and deployed through controlled pipelines. Preview and development environments should not be used for production customer data unless expressly approved.

We monitor for vulnerabilities in application code, dependencies, cloud services, and critical providers using available tools and provider notices.

Risk is prioritized based on exploitability, affected systems, data sensitivity, customer impact, and availability of fixes or mitigations.

Security reports should be sent to security@adaptlive.app with enough detail to reproduce the issue. Please avoid accessing customer data, destructive testing, social engineering, spam, persistence, or service disruption.

adaptlive relies on managed hosting, database, and infrastructure providers for core availability and backup capabilities. The media gateway component is deployed with always-on machines to maintain Twilio WebSocket connectivity for the duration of every call.

Recovery objectives may vary by plan, deployment, customer agreement, and feature. Enterprise customers should confirm any specific uptime, backup, disaster recovery, or SLA commitments in a written agreement.

We investigate suspected security events, work to contain confirmed issues, preserve relevant evidence, remediate root causes where practical, and notify affected customers when legally required or when notice is otherwise appropriate.

Customer cooperation may be required to investigate incidents involving customer-configured users, credentials, CRM connections, API keys, or imported data.

Customers should use strong authentication practices, limit administrator access, promptly remove former users, protect API keys, configure roles carefully, review CRM connection scopes, monitor draft approval activity, and train users on appropriate data handling on the phone.

Customers are responsible for endpoint security, email security, connected systems, user devices, network access, and the accuracy of data imported or submitted into adaptlive.

Security questionnaires, procurement materials, vendor reviews, and enterprise security exhibits may be available under NDA or as part of an enterprise procurement process.

This public Security Policy is a summary and does not create a separate warranty, SLA, certification, or contractual control unless incorporated into a signed agreement.