SOC 2 Trust Services Criteria — BKB Voice readiness

BKB Voice is engineered to the AICPA’s SOC 2 Trust Services Criteria. This page shows how each category maps to controls implemented in the product, and how customers and auditors can request evidence.

Last reviewed: April 22, 2026

Readiness vs. Attestation — what this page represents

SOC 2 is not a badge issued by software. It is an independent examination performed by a licensed CPA firm in accordance with AICPA AT-C 105 and AT-C 205. This page documents the controls BKB Voice has implemented — our readiness posture — against the 2017 Trust Services Criteria with the 2022 updates. The final attestation report (SOC 2 Type II) is available from our audit provider to prospective customers under NDA by emailing [email protected].

Security (Common Criteria)

Protection against unauthorised access, use or disclosure.

  • CC1.x: Governance, roles, responsibilities and security policy maintenance.
  • CC2.x: Internal communication of policies and security responsibilities to personnel and vendors.
  • CC3.x: Risk identification, analysis and quarterly risk-register review.
  • CC4.x: Monitoring of the control environment via audit logs, metrics dashboards and quarterly reviews.
  • CC5.x: Control activities selected and designed to mitigate identified risks.
  • CC6.1–6.8: Logical access: authentication, authorisation, least privilege, MFA, access reviews, encryption.
  • CC7.1–7.5: System operations: configuration management, monitoring, incident detection and response.
  • CC8.1: Change management: peer review, automated testing, auditable deploys.
  • CC9.x: Risk mitigation, including vendor management and business-continuity considerations.

Availability

The system is available for operation and use as committed.

  • A1.1: Capacity planning against committed load (documented in the architecture review).
  • A1.2: Environmental protections provided by the underlying managed-cloud providers (AWS / Vercel / managed Postgres).
  • A1.3: Tested disaster-recovery and backup procedures; annual restore test with documented RTO/RPO.

Confidentiality

Information designated as confidential is protected as committed.

  • C1.1: Confidential information identified in the data classification policy.
  • C1.2: Disposal / deletion processes documented and executed at the end of the retention window.

Processing Integrity

System processing is complete, valid, accurate, timely and authorised.

  • PI1.1: Input validation on every public API route (zod).
  • PI1.4: Outputs and generated audio are traceable to the originating request via a correlation ID.
  • PI1.5: Errors are surfaced to the caller; internal diagnostics are retained in server logs and the audit trail.

Privacy

Personal information is collected, used, retained, disclosed and disposed of as committed.

  • P1: Notice: BKB Voice publishes a current Privacy Policy and Trust Center.
  • P2: Choice and consent: explicit consent for the lead form, no dark patterns, cookies documented.
  • P3: Collection limited to the data needed for the stated purpose.
  • P4: Use, retention and disposal aligned with documented retention windows.
  • P5: Data-subject access, deletion, correction and portability via /legal/privacy-request.
  • P6: Disclosure to third parties limited to named subprocessors with contractual safeguards.
  • P7: Quality: data subjects can correct inaccurate records through a DSR.
  • P8: Monitoring and enforcement through the audit log and internal privacy reviews.

Evidence catalogue

Summary of the primary evidence sources we can share with auditors or prospective customers under NDA.

Control                       | Where it lives                                          | Evidence method
Application security headers  | next.config.js + middleware                             | Source control
Input validation              | lib/security/validation.ts                              | Source control + request logs
Rate limiting                 | lib/security/rate-limit.ts + RateLimitBucket table      | Database + audit log
Audit trail                   | AuditLog table                                          | Database extracts on request
Subprocessor inventory        | /legal/subprocessors                                    | Published + versioned
Incident response plan        | /legal/incident-response                                | Published + versioned
Data subject requests         | DataSubjectRequest table + /legal/privacy-request       | Database + email workflow
Backups & DR                  | Managed Postgres provider                               | Provider attestations + annual restore test

Requesting the SOC 2 report

Prospective customers and existing enterprise accounts can request the current SOC 2 Type II report under a mutual NDA. Please include the name of your legal entity, the stakeholders who will review the report and a short note on the use case.