Security First

Security Isn't a Feature.
It's the Architecture.

Pravakta's security model starts with one non-negotiable principle: your data never leaves your infrastructure. Every other security measure builds on this foundation — not the other way around.

SOC 2 Type II · ISO 27001 · GDPR · DPDP Act 2023 · HIPAA · Zero Data Egress

Certifications

Certified Across Every Major Compliance Standard

Pravakta's AI Voice Stack is independently audited and certified — ensuring your enterprise meets regulatory obligations by default, not by configuration.

🔒 SOC 2 Type II (Certified): Annual independent audit of security, availability, and confidentiality controls

🏛️ ISO 27001 (Certified): Information security management system certified by accredited body

🇪🇺 GDPR (Compliant): EU General Data Protection Regulation compliance with Data Processing Agreement available

🇮🇳 DPDP Act 2023 (Compliant): India Digital Personal Data Protection Act compliance framework

🏥 HIPAA (Compliant): Health Insurance Portability and Accountability Act safeguards for healthcare deployments

🛡️ Zero Data Egress (Guaranteed): Contractually guaranteed zero transmission of any call data outside your infrastructure perimeter

🔐 TLS 1.3+ (Enforced): All communications encrypted in transit using TLS 1.3 minimum. DTLS-SRTP for WebRTC voice channels.

📋 RBI / IRDAI (Compliant): Compliant with RBI collection call guidelines and IRDAI customer interaction standards for BFSI

Security Architecture

Six Principles That Make Pravakta Genuinely Secure

Your Infrastructure, Always

Every component — ASR, LLM, TTS, analytics — runs on your AWS, Azure, GCP, or on-premise servers. No multi-tenancy. No shared compute. Every tenant is completely isolated.

Zero Data Egress

No call audio, transcripts, model weights, or customer PII ever leaves your network perimeter. Not for analytics. Not for model improvement. Not ever. Verified by independent audit.

You Hold All Keys

All API keys, secrets, and encryption keys are generated and stored in your key management system. Pravakta engineers have zero access to any credential post-deployment.

Encryption Everywhere

TLS 1.3+ for all API communication. DTLS-SRTP for WebRTC voice channels. AES-256 encryption at rest for all stored call recordings and transcripts.

Role-Based Access Control

Granular RBAC with SSO (SAML 2.0 / OIDC) integration. Audit logs for every admin action. MFA enforced on all management console access. Principle of least privilege throughout.

Penetration Tested

Annual third-party penetration testing of the full stack. Vulnerability disclosure program. CVE tracking and <72-hour critical patch SLA. Customer-facing security advisories.

Data Flow Architecture

Where Your Data Lives and Where It Doesn't

Every step of the data flow is contained within your infrastructure boundary. The diagram on the right shows exactly what stays inside — and what is prohibited from leaving.

Call audio processed only within your network
Transcripts stored in your data warehouse
Model weights in your object storage (S3/Blob)
Analytics dashboards served from your infra
Zero outbound calls to Pravakta infrastructure
No licence check-in pings to vendor servers
Your Infrastructure Perimeter (AWS · Azure · GCP · On-Premise)

🎙️ ASR Engine (Contained): Voice input — processed locally
🧠 LLM Inference (Contained): Your model weights — zero external calls
🔊 TTS Engine (Contained): Voice synthesis on your GPU nodes
📊 Co-Pilot Analytics (Contained): Transcripts & QA in your data warehouse
🔑 Key Management (Contained): Secrets in your KMS — Pravakta has zero access

🚫 PROHIBITED ZONE: Nothing crosses this boundary to Pravakta servers. Ever.

FAQ

Security Questions Answered

Since all data — call recordings, transcripts, model weights — is stored on your infrastructure, nothing needs to be transferred back. You already own it. Your stack continues to operate normally regardless of your commercial relationship with Pravakta.
No. Call recordings are stored in your object storage (S3, Azure Blob, GCS, or NFS). Pravakta engineers hold no credentials to your environment post-deployment unless you explicitly grant temporary access for a specific support request — which requires your written authorisation.
Security patches are delivered as versioned container images pushed to your private registry. You apply them at your discretion through the management console. Critical CVEs are patched within 72 hours with customer notification. You are never forced to apply an update.
Yes. Because the stack runs on your infrastructure, your own security team or appointed third-party auditors have full access to all components, configurations, network traffic, and logs. We also provide our latest SOC 2 Type II and ISO 27001 reports under NDA.
Yes. A standard DPA is included with all Enterprise Scale and Sovereign tier contracts. The DPA covers GDPR, DPDP Act, and HIPAA requirements. Custom DPA terms are negotiable for Sovereign tier customers.
Enterprise Security Briefing

Talk to Our Security Team

Request our SOC 2 report, penetration test summary, or a 1:1 with our CISO for your InfoSec team.

NDA PROVIDED UPON REQUEST · PEN TEST SUMMARY AVAILABLE · DEDICATED INFOSEC CONTACT