Audience: compliance officer, security lead, procurement. Purpose: enough technical fact to close a procurement review or pass a vendor assessment.
Data handled by SmartAlex
During a call, three categories of data flow through our platform:- Audio: the voice stream of both caller and agent
- Transcript: the textual representation of the conversation
- Metadata: caller phone number, call duration, timestamps, tool invocations
Encryption
Recording retention
Call recordings are stored by default and available via the Call Logs page.
Per-call suppression is supported. An agent can be configured to skip recording for sensitive calls (e.g., medical or financial), and the caller can be told recording is off.
Transcript retention
Transcripts are retained for the same period as recordings. Deletion is synchronised: when a recording is purged, the associated transcript and AI-generated summary are purged too.Credential lifecycle
SIP trunk credentials (username and 24-character random password) can be rotated on demand.- Rotation: disconnect the trunk in SmartAlex, recreate with new credentials, update the PBX.
- Revocation on compromise: credentials can be invalidated within 60 seconds via support request.
- Audit trail: every credential issue/rotation/revocation event is logged.
Access control
All resources in SmartAlex are scoped to a workspace. Database-level enforcement ensures one workspace’s data never crosses into another’s, regardless of application-level bugs. Within a workspace, role-based access control gates:- Who can view call recordings and transcripts
- Who can create, edit, or delete SIP trunks and extensions
- Who can manage agent configurations
- Who can view billing information
- Who can invite new users
Audit logging
Every significant action is logged with actor, timestamp, and details:- User logins and logouts
- Credential issuance and rotation
- Agent configuration changes
- Extension additions, edits, deletions
- Call recording access
- Data export requests
- Admin-level operations
Compliance posture
SmartAlex operates under the governance framework of THERCSGROUP Pte Ltd (Singapore).
If you need a compliance attestation for procurement, contact your account manager.
Data residency
Platform services are hosted with major cloud providers across multiple regions. Customer data is stored in the region closest to your primary use location, subject to availability. Current regions in active use:- Europe (primary for South African customers)
- North America (for US and Canadian customers)
- Asia-Pacific (for Southeast Asian and Australian customers)
Subprocessors
A current list of subprocessors (cloud, infrastructure, and tooling providers) is available to Enterprise customers under NDA. Changes to the subprocessor list are announced 30 days in advance.Incident response
In the event of a security incident affecting customer data:
The incident response team is on-call 24/7. Escalation path goes through the CTO.
Penetration testing
Third-party penetration tests are commissioned annually. Findings are remediated within SLAs based on severity (critical: 7 days, high: 30 days, medium: 90 days). Results are available to Enterprise customers under NDA.Customer responsibilities
SmartAlex handles the platform layer. The customer is responsible for:- Keeping their own PBX patched and secure
- Managing their own staff’s access to the SmartAlex dashboard
- Configuring role-based access control correctly for their team
- Obtaining any call-recording consent required by local law
- Correctly configuring the AI agent to comply with their industry regulations (e.g., not offering medical or legal advice)
Right to erasure
Upon written request, all customer data can be purged within 30 days of contract termination. A deletion certificate is issued on completion.Contact
- Security issues:
security@getsmartalex.com - Compliance questions: your account manager
- Data subject requests:
privacy@getsmartalex.com
Next steps
Network Requirements
Ports, firewalls, encryption options.
South Africa
POPIA specifics and local context.

