Our security and compliance program: what the badges mean
A plain-English tour of the five frameworks that govern how we build, run, and protect 365agents — and why each one matters when an AI is talking to your customers.
Written by Catherine Weir
When an AI voice agent answers your phone, it's doing something your customers have historically only trusted humans to do. It's listening to their voices. It's handling payment information. It's talking to their doctor's office. It's responding to questions that, if mishandled, could damage your business or expose sensitive data.
We've built 365agents with the assumption that trust has to be earned through evidence, not claims. That's why every part of our platform — the code, the infrastructure, the people with access, and the operational processes — is measured against five independent compliance frameworks.
This article is a quick tour of what each framework is, why we pursued it, and what it means for you. Each has its own dedicated article in this collection for the full story.
The five frameworks we operate under
• SOC 2 Type II — the gold standard for how a SaaS company protects customer data over time
• HIPAA — the U.S. federal standard for protecting personal health information
• PCI DSS SAQ D — the Payment Card Industry standard for handling credit card data
• ISO/IEC 42001 — the first international standard specifically for responsible AI management
• USDP — our framework for complying with the patchwork of U.S. state privacy laws (CCPA, CPRA, VCDPA, CPA, CTDPA, UCPA, TDPSA, and every new state law that passes)
Why we pursued all five
Most SaaS platforms stop at SOC 2 and call it a day. We didn't, for three reasons.
Our customers serve every regulated industry. Healthcare practices, financial services firms, law offices, property managers, home services, dental clinics, and veterinary offices all use 365agents to handle calls and texts. Each industry has different requirements. Rather than build one-off answers for each, we chose to certify against every framework that could apply.
Voice AI creates new risks. Our agents are generating speech in real time based on training data and customer inputs. That creates risks around bias, hallucination, unauthorized disclosure, and automated decision-making that traditional SaaS compliance frameworks weren't built for. ISO 42001 is the framework that directly addresses those risks, and we're among the earliest adopters in the voice AI category.
The U.S. privacy landscape is fragmenting fast. A customer in Texas has different rights than one in California, who has different rights than one in Virginia. USDP lets us give your customers consistent privacy protections regardless of which state they're in — and it lets you stay compliant across your entire customer base without hiring a compliance team.
What this means for you as a customer
• You can safely take payment information, health information, and sensitive personal data through your AI voice agent without building your own compliance program
• You can sign a Business Associate Agreement (BAA) if you're a healthcare-adjacent business, enabling HIPAA-covered use cases
• You can answer your own customers' "is this vendor secure?" questions with real documentation, not marketing claims
• You can stay ahead of state-by-state privacy law changes — we update our controls when a new state passes a law, and you inherit the protection automatically
• You can satisfy procurement and security review requests from enterprise customers by pointing to our Trust Center
How we maintain our compliance over time
Compliance isn't something you pass once and forget. Every one of these frameworks requires ongoing monitoring, annual audits, and continuous evidence collection. We use a dedicated compliance automation platform to monitor more than 200 controls across our environment every day. When a control drifts out of compliance — even for a few minutes — our security team gets an alert and we remediate before an auditor or a customer would ever see it.
Our audits are performed by independent third-party assessors, not by us. You can request the reports directly — see the Requesting our attestations and reports section below.
Requesting our attestations and reports
Our Trust Center at trust.365agents.com is the single source of truth for our security posture. There, you can:
• Download our SOC 2 Type II report (after accepting a mutual NDA — standard for all SaaS vendors)
• Download our ISO 42001 certificate
• Review our PCI Attestation of Compliance
• Request a signed BAA for HIPAA-covered workloads
• View our real-time control monitoring dashboard
• Submit security questionnaires directly to our compliance team
If you're going through a security review for an enterprise deal, point your reviewer to our Trust Center and we'll handle the rest. Most security questionnaires can be answered in under 24 hours because the evidence is already assembled there.
Questions?
Read the individual articles in this collection for the details on each framework. If you have questions that aren't answered there, or if you need a custom security review, email [email protected] and a member of our compliance team will respond within one business day.