Documentation Index
Fetch the complete documentation index at: https://docs.getsmartalex.com/llms.txt
Use this file to discover all available pages before exploring further.
Audience: compliance officer, security lead, procurement. Purpose: enough technical fact to close a procurement review or pass a vendor assessment.
Data handled by SmartAlex
During a call, three categories of data flow through our platform:- Audio: the voice stream of both caller and agent
- Transcript: the textual representation of the conversation
- Metadata: caller phone number, call duration, timestamps, tool invocations
Encryption
| State | Protection |
|---|---|
| Audio in transit between your PBX and SmartAlex | SIP over TLS (port 5061) optional. SRTP for media optional. UDP 5060 by default for most customers (network-level trust). |
| Audio in transit within SmartAlex infrastructure | Always encrypted between internal services |
| Audio at rest (call recordings) | AES-256 server-side encryption in object storage |
| Transcripts at rest | AES-256 at the database layer |
| Credentials (SIP passwords, API keys) | Encrypted in a hardware-backed secrets vault. Never logged. Never visible to support staff. |
| Customer data (contacts, campaign lists) | AES-256 at rest |
| TLS certificates | Managed by our infrastructure providers, renewed automatically, revocation monitored |
Recording retention
Call recordings are stored by default and available via the Call Logs page.| Setting | Default | Configurable |
|---|---|---|
| Recording on by default | Yes | Per agent |
| Retention period | 90 days | Per workspace, 7 to 365 days |
| Recording format | MP3, 64 kbps | No |
| Access | Workspace admins and team members with the correct role permission | Role-gated |
| Deletion on retention expiry | Automatic | No override |
| Download | Admin users only | Role-gated |
Transcript retention
Transcripts are retained for the same period as recordings. Deletion is synchronised: when a recording is purged, the associated transcript and AI-generated summary are purged too.Credential lifecycle
SIP trunk credentials (username and 24-character random password) can be rotated on demand.- Rotation: disconnect the trunk in SmartAlex, recreate with new credentials, update the PBX.
- Revocation on compromise: credentials can be invalidated within 60 seconds via support request.
- Audit trail: every credential issue/rotation/revocation event is logged.
Access control
All resources in SmartAlex are scoped to a workspace. Database-level enforcement ensures one workspace’s data never crosses into another’s, regardless of application-level bugs. Within a workspace, role-based access control gates:- Who can view call recordings and transcripts
- Who can create, edit, or delete SIP trunks and extensions
- Who can manage agent configurations
- Who can view billing information
- Who can invite new users
Audit logging
Every significant action is logged with actor, timestamp, and details:- User logins and logouts
- Credential issuance and rotation
- Agent configuration changes
- Extension additions, edits, deletions
- Call recording access
- Data export requests
- Admin-level operations
Compliance posture
SmartAlex operates under the governance framework of THERCSGROUP Pte Ltd (Singapore).| Framework | Status |
|---|---|
| POPIA (South Africa) | Aligned. Lawful basis, subject rights, data minimisation, breach notification procedures in place. |
| GDPR (EU) | Aligned. Data subject access requests handled within 30 days. Lawful basis captured per processing activity. |
| SOC 2 Type I | In progress |
| SOC 2 Type II | Roadmap |
| ISO 27001 | Roadmap |
| HIPAA | Not currently certified. Medical practice customers should verify specific workflows with their compliance team. |
| PCI DSS | Not applicable. SmartAlex does not process or store cardholder data. |
Data residency
Platform services are hosted with major cloud providers across multiple regions. Customer data is stored in the region closest to your primary use location, subject to availability. Current regions in active use:- Europe (primary for South African customers)
- North America (for US and Canadian customers)
- Asia-Pacific (for Southeast Asian and Australian customers)
Subprocessors
A current list of subprocessors (cloud, infrastructure, and tooling providers) is available to Enterprise customers under NDA. Changes to the subprocessor list are announced 30 days in advance.Incident response
In the event of a security incident affecting customer data:| Severity | Response time | Notification |
|---|---|---|
| Critical (confirmed breach) | 15 minutes to acknowledge | Affected customers notified within 72 hours |
| High (suspected breach, service degradation) | 1 hour | Affected customers notified when confirmed |
| Medium (isolated issue, no data impact) | 4 hours | Customer-visible updates on status page |
Penetration testing
Third-party penetration tests are commissioned annually. Findings are remediated within SLAs based on severity (critical: 7 days, high: 30 days, medium: 90 days). Results are available to Enterprise customers under NDA.Customer responsibilities
SmartAlex handles the platform layer. The customer is responsible for:- Keeping their own PBX patched and secure
- Managing their own staff’s access to the SmartAlex dashboard
- Configuring role-based access control correctly for their team
- Obtaining any call-recording consent required by local law
- Correctly configuring the AI agent to comply with their industry regulations (e.g., not offering medical or legal advice)
Right to erasure
Upon written request, all customer data can be purged within 30 days of contract termination. A deletion certificate is issued on completion.Contact
- Security issues:
security@getsmartalex.com - Compliance questions: your account manager
- Data subject requests:
privacy@getsmartalex.com
Next steps
Network Requirements
Ports, firewalls, encryption options.
South Africa
POPIA specifics and local context.