Nimitai Security & Trust
Nimitai protects customer call data with TLS 1.3 in transit, AES-256 at rest, SSO with MFA, role-based access, and configurable US, EU, and India data residency. A SOC 2 Type II audit is in progress; the service is GDPR-aligned and HIPAA-configurable.
How Nimitai protects your sales call data
Eight pillars covering encryption, access, residency, compliance, and incident response. Built for revenue teams selling into regulated buyers.
Data encryption
- TLS 1.3 for all data in transit between client, bot, and backend services.
- AES-256 encryption at rest for call recordings, transcripts, and metadata.
- Encryption keys managed in AWS KMS with strict role-based access policies.
Access controls
- SSO via SAML 2.0 and OIDC (Google Workspace, Microsoft Entra ID, Okta).
- Mandatory multi-factor authentication for all admin accounts.
- Role-based access control: admin, manager, rep, and read-only auditor roles.
- Session timeout and forced re-authentication after 12 hours of inactivity.
Data residency
- US region (AWS us-east-1) for North American customers.
- EU region (AWS eu-west-1, Ireland) for European customers, GDPR-aligned.
- India region (AWS ap-south-1, Mumbai) for APAC customers.
- Customer data does not cross regions without explicit written consent.
Compliance status
- SOC 2 Type II audit in progress, expected completion Q3 2026.
- GDPR-aligned: Data Processing Agreement available on request.
- CCPA-aware: California consumer data subject requests supported.
- HIPAA-configurable for healthcare customers (BAA available on enterprise plans).
Call recording compliance
- Consent-aware bot: configurable per-region disclosure for one-party and two-party consent states.
- Audible disclosure with verbal consent capture in all-party-consent states (CA, FL, IL, MA, WA, and others).
- Silent recording option for one-party consent regions, controlled by admin policy.
- Full state-by-state breakdown in our compliance guide.
Data retention and deletion
- Configurable retention window: 30, 90, 180, 365 days, or custom.
- Default retention: 365 days from call date.
- Customer-initiated deletion within 24 hours of request.
- End-of-contract deletion: all customer data purged within 30 days unless extended retention is contractually agreed.
Subprocessors
- AWS (compute, storage, KMS) — US, EU, and India regions.
- OpenAI (transcription and summarization) — zero data retention API contract.
- Anthropic (coaching and insight generation) — zero data retention API contract.
- Full subprocessor list and update notifications available on request.
Incident response
- 24-hour customer notification for any confirmed security incident affecting customer data.
- 72-hour notification to relevant supervisory authorities under GDPR Article 33 where applicable.
- Documented incident response playbook with on-call rotation.
- Post-incident review report shared with affected customers within 14 days.
Call recording: built around state and country consent law
US recording law splits states into one-party and two-party consent. Eleven US states require all-party consent (California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, New Hampshire, Oregon, Pennsylvania, Washington). The EU and UK require informed consent under GDPR and UK GDPR. India recognizes one-party consent under the IT Act subject to evolving DPDP Act guidance.
Nimitai handles this with a consent-aware bot: the disclosure flow is configurable per call region, so the bot announces itself and captures verbal consent in two-party states, and stays silent in one-party jurisdictions if admin policy allows. Full state breakdown lives in our call recording laws by state guide.
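The decision the consent-aware bot has to make before every call can be written down as a small policy function. The following is an added example, not Nimitai's code: it maps jurisdiction codes to the one-party/all-party rules described above, lets admin policy opt in to silent recording for one-party regions, and gates the recorder on captured consent. Two behaviours are assumptions beyond what the page states and are marked as such in the code: when participants sit in different jurisdictions the strictest rule wins, and an unknown jurisdiction is treated as all-party so the bot discloses rather than records silently. The state table is constructed from the states named on this page and is not a substitute for a legally reviewed one.

```python
"""Consent-aware recording policy (added example, not Nimitai's code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Mapping, Optional


class ConsentRule(Enum):
    ONE_PARTY = "one_party"
    ALL_PARTY = "all_party"


class RecordingMode(Enum):
    SILENT = "silent"                              # one-party region, admin allows silent recording
    ANNOUNCE_AND_CAPTURE = "announce_and_capture"  # bot discloses itself and captures verbal consent
    DO_NOT_RECORD = "do_not_record"                # no lawful mode available for this call


# Constructed from the states listed on the page; production needs a maintained,
# legally reviewed table.
ALL_PARTY_STATES = frozenset(
    {"CA", "CT", "DE", "FL", "IL", "MD", "MA", "MI", "MT", "NH", "OR", "PA", "WA"}
)


def consent_rule(jurisdiction: str) -> Optional[ConsentRule]:
    """Map a jurisdiction code ('US-CA', 'EU', 'UK', 'IN') to its consent rule.

    Returns None for anything not in the table so callers can fail closed."""
    code = jurisdiction.strip().upper()
    if code.startswith("US-"):
        state = code[3:]
        if state in ALL_PARTY_STATES:
            return ConsentRule.ALL_PARTY
        if len(state) == 2 and state.isalpha():
            return ConsentRule.ONE_PARTY
        return None
    if code in ("EU", "UK"):
        return ConsentRule.ALL_PARTY  # informed consent under GDPR / UK GDPR
    if code == "IN":
        return ConsentRule.ONE_PARTY  # one-party consent under the IT Act
    return None


@dataclass(frozen=True)
class AdminPolicy:
    # The page says silent recording is controlled by admin policy, so default it off.
    allow_silent_one_party: bool = False


def recording_mode(participant_jurisdictions: Iterable[str], policy: AdminPolicy) -> RecordingMode:
    """Pick the disclosure mode for one call.

    Assumption (not stated on the page): the strictest participant rule wins,
    and an unknown jurisdiction counts as all-party, so the bot discloses."""
    jurisdictions = list(participant_jurisdictions)
    if not jurisdictions:
        return RecordingMode.DO_NOT_RECORD
    rules = [consent_rule(j) for j in jurisdictions]
    if any(rule is None or rule is ConsentRule.ALL_PARTY for rule in rules):
        return RecordingMode.ANNOUNCE_AND_CAPTURE
    if policy.allow_silent_one_party:
        return RecordingMode.SILENT
    # All one-party but silent recording not enabled: disclose anyway.
    return RecordingMode.ANNOUNCE_AND_CAPTURE


def may_start_recording(mode: RecordingMode, consents: Mapping[str, bool]) -> bool:
    """Gate the recorder. `consents` maps participant id -> verbal consent captured."""
    if mode is RecordingMode.DO_NOT_RECORD:
        return False
    if mode is RecordingMode.SILENT:
        return True
    # ANNOUNCE_AND_CAPTURE: every participant on the call must have said yes.
    return bool(consents) and all(consents.values())


if __name__ == "__main__":
    policy = AdminPolicy(allow_silent_one_party=True)
    # Constructed call: a rep in Texas (one-party) calling a prospect in California (all-party).
    mode = recording_mode(["US-TX", "US-CA"], policy)
    print(mode.value)
    print(may_start_recording(mode, {"rep": True, "prospect": False}))
```

The point of the two-stage shape is that choosing a disclosure mode and actually starting the recorder are separate checks: the first is decided from jurisdictions and admin policy before the call, the second only after every required consent has been captured, so a participant who declines stops the recording regardless of what policy allowed.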
Compliance posture, stated plainly
Nimitai is GDPR-aligned and CCPA-aware today. SOC 2 Type II audit is in progress with completion expected in Q3 2026. HIPAA is supported as a configurable enterprise option, with a Business Associate Agreement (BAA) available for healthcare customers on the enterprise plan. We do not claim certifications we do not hold; if a procurement reviewer asks for a control we have not yet attested, we will say so and propose an alternative compensating control.
Security contact and responsible disclosure
Reach the Nimitai security team at security@nimitai.com. We acknowledge all reports within 24 hours and provide a remediation timeline within 5 business days. For DPA, SOC 2 progress reports, subprocessor lists, or penetration test summaries, email the same address with your company name and procurement context.
For pricing context on enterprise security features (SSO, SCIM, audit log export, BAA), visit our pricing page. Research underpinning the product, including the 350+ call dataset, is published in our talk-ratio study.