
Security & privacy

Built for Canadian privacy law from day one.

aftercalls is a Canadian team based in Toronto. Recordings, transcripts, summaries, and account data live on Canadian cloud infrastructure. We don't sell your data, we don't train AI on your calls, and every non-owner access to a call is logged. This page is for the admins, security reviewers, and procurement teams who need to know how it works before signing.

  • Toronto data residency
  • PIPEDA · Law 25
  • No model training
  • Audited admin access

Where your data lives

Every recording, transcript, summary, action item, and account record is stored on Canadian cloud infrastructure in the Toronto region.

When a call finishes processing, the audio file, transcript, summary, action items, and any tags are written to a Toronto-region object store with server-side encryption at rest. Account metadata and the relational record of who has which call live in a Toronto-region Postgres database, also encrypted at rest. All connections — agent to backend, browser to portal, backend to storage — are encrypted in transit.

Cross-border processing during transcription

During the few minutes a call is being transcribed and summarized, the audio is briefly transmitted to U.S.-based AI sub-processors under contractual no-retention and no-training obligations. They never receive your account credentials, your team metadata, or any data that links a recording back to a specific user beyond what is needed to process the audio. Once the transcript and summary are produced, the audio leaves their systems. The current sub-processor list is in our privacy policy.

What we do, what we don't

The short version of how we treat the contents of your calls.

What we do

  • Encrypt at rest and in transit
  • Store in Toronto, Canada
  • Keep audit logs of admin and non-owner access
  • Hard-delete on request, including audio in object storage
  • Disclose every sub-processor in the privacy policy
  • Sign data-processing agreements on request

What we don't

  • Sell your data — to anyone, ever
  • Train AI models on your calls or transcripts
  • Let our sub-processors train on your data either
  • Use your audio to improve our own systems
  • Share recordings with marketing or analytics tools
  • Embed third-party trackers in the desktop agent

Compliance posture

aftercalls is designed against the privacy regimes our customers operate under. We won't claim certifications we don't yet hold; what we do, we do plainly.

  • PIPEDA: Federal Personal Information Protection and Electronic Documents Act. Cross-border transfer disclosed.
  • Quebec Law 25: Loi sur la protection des renseignements personnels dans le secteur privé. Recording-notice tooling included.
  • BC PIPA: British Columbia Personal Information Protection Act. Same residency and disclosure model applies.
  • Alberta PIPA: Alberta Personal Information Protection Act. Cross-border transfer disclosed in privacy policy.

For organizations subject to GDPR or UK data-protection law, we sign Data Processing Agreements with Standard Contractual Clauses on request. For health-sector use in Canada, we honour provincial health-information acts (Saskatchewan, Manitoba, Newfoundland and Labrador, Ontario PHIPA) on a customer-by-customer basis — please talk to us before recording health-sector calls.

Access controls

Authentication, session management, and admin powers are deliberately conservative.

  • Password storage — passwords are hashed with a memory-hard, salted scheme. Plaintext passwords never leave the request handler.
  • Session model — short-lived access tokens plus rotating refresh tokens. Admins can revoke a user's sessions immediately from the team page; revocation propagates within seconds.
  • Single sign-on — Google Workspace, Microsoft Entra, and Zoho SSO are supported on request. Once enabled, password sign-in can be disabled org-wide.
  • Org isolation — every read query is scoped to the caller's organization. There is no cross-org access path, even for support staff, except through an explicit, audited support session that the customer must approve.
  • Admin access is audited — when an admin opens a call they don't own, the access is recorded in call_access_log. Owners can see who has opened their calls.
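
The org-isolation and audited-access bullets above, sketched as an added example for reviewers (not aftercalls' code). The schema, column names, and the rule that only admins may open calls they don't own are assumptions; only the table name call_access_log comes from this page.

```python
import sqlite3

# Hypothetical schema: only the table name call_access_log appears on the page.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, org_id INTEGER NOT NULL, is_admin INTEGER NOT NULL);
CREATE TABLE calls (id INTEGER PRIMARY KEY, org_id INTEGER NOT NULL,
                    owner_id INTEGER NOT NULL, summary TEXT);
CREATE TABLE call_access_log (call_id INTEGER NOT NULL, viewer_id INTEGER NOT NULL,
                              accessed_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP);
"""

def open_call(conn, viewer_id, call_id):
    """Return the call summary, or None if the viewer may not read it."""
    with conn:  # one transaction: a non-owner read and its log row commit together
        viewer = conn.execute("SELECT org_id, is_admin FROM users WHERE id = ?",
                              (viewer_id,)).fetchone()
        if viewer is None:
            return None
        org_id, is_admin = viewer
        # Org scoping sits in the WHERE clause, so another org's call never matches.
        row = conn.execute("SELECT owner_id, summary FROM calls WHERE id = ? AND org_id = ?",
                           (call_id, org_id)).fetchone()
        if row is None:
            return None
        owner_id, summary = row
        if owner_id != viewer_id:
            if not is_admin:  # assumed policy: members cannot open others' calls
                return None
            conn.execute("INSERT INTO call_access_log (call_id, viewer_id) VALUES (?, ?)",
                         (call_id, viewer_id))
        return summary

def who_opened(conn, owner_id, call_id):
    """Owner-facing view of the log: viewers who opened one of the owner's calls."""
    rows = conn.execute(
        "SELECT l.viewer_id FROM call_access_log l JOIN calls c ON c.id = l.call_id "
        "WHERE c.id = ? AND c.owner_id = ? ORDER BY l.rowid", (call_id, owner_id))
    return [r[0] for r in rows]

def demo_db():
    """Constructed sample data: org 1 has an owner, an admin and a member; org 2 an admin."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, 1, 0), (2, 1, 1), (3, 1, 0), (4, 2, 1)])
    conn.executemany("INSERT INTO calls VALUES (?, ?, ?, ?)",
                     [(10, 1, 1, "Q3 renewal"), (20, 2, 4, "Other org")])
    return conn
```

A reviewer can ask a vendor the two questions this sketch makes concrete: whether the tenant filter is part of every read query rather than a check applied afterwards, and whether the log row is written in the same transaction as the read it records.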

Data lifecycle

From the first time a call is captured to the day every byte is gone.

Soft delete

When a user deletes a call from the app, it moves to a 30-day recycle bin. The audio, transcript, summary, and metadata are still recoverable until the bin auto-purges.

Hard delete

After 30 days in the bin — or immediately, on admin command — the relational record is removed and the audio file in object storage is deleted. We hold no separate backup tier that retains the data after this point.

Account export and account deletion

A full account export (transcripts, summaries, action items, and audio download links) is available on request. Account deletion is also available on request and is processed within 30 days, usually the same day. Email hello@aftercalls.io.

What we collect, what we don't

We collect the minimum needed to run the service. Diagnostics never include call audio.

  • What's collected — your name, email, organization name, sign-in records, and the calls and notes you produce inside aftercalls.
  • Telemetry — the desktop agent reports anonymous crash diagnostics and update-check timestamps. It is opt-out per device. Crash diagnostics never include call audio, transcripts, or the contents of any open document.
  • What we don't collect — we do not collect your screen contents outside of call recordings you start, your keystrokes, your microphone audio outside of an active recording session, or anything from any application other than the call app you're recording.

For your security review

We're happy to fill out questionnaires and answer specific concerns directly.

  • Standard SaaS security questionnaires (CAIQ-Lite, vendor-specific) — completed on request.
  • Data Processing Agreement with Standard Contractual Clauses — signed on request.
  • Sub-processor list — published in the privacy policy and updated when it changes; we will give 30 days' notice for material additions if you ask in writing.
  • Incident response — material incidents affecting customer data are disclosed to affected customers within 72 hours of confirmation.
  • Self-hosting — available on request for organizations with regulatory requirements that go beyond Canadian residency.

Send us your questionnaire. We've answered enough of these to know the questions. The fastest path is to email it to us with a deadline; we'll send it back filled out, with citations to this page where they apply.

Common questions

Are recordings encrypted?

Yes. In transit (TLS) and at rest (server-side encryption on the object store, full-disk encryption on the database host).

Can we self-host?

On request, for customers with regulatory requirements that go beyond Canadian residency. The desktop agent is the same; the backend and object store run inside your tenancy. Talk to us.

Where can we read your DPA?

Email hello@aftercalls.io and we'll send the current draft for review and signature.

Do you have SOC 2 / ISO 27001?

Not today. We're a small team and we won't claim certifications we haven't completed. Our compliance roadmap is on the table for any customer who needs it; ask us where things stand.

What happens if aftercalls goes away?

We give 90 days' notice and a one-click export of every call record in your organization. The account-export tooling already exists and is what we'd use; you don't have to take our word for it.

Talk to us before your security review.

Send us your questionnaire, your DPA template, or just your questions. Or read more about the product if you haven't yet.