Sage Voice is built for two readers of this page: the enterprise security team approving the procurement, and the strategic-acquirer due-diligence team running technical and compliance diligence on a future acquisition. Honest posture: pre-audit today, with continuous controls monitoring through Drata, Vanta, or Secureframe.
By Addie Conner · Last reviewed 2026-06-05.
The Sage Voice thesis is a 24-36 month enterprise wedge with a strategic-acquisition exit shape (see the homepage kill-shot). Trust posture matters for two audiences: enterprise procurement (the buyer security team) and acquirer due diligence (Progressive, Allstate, Verisk, Guidewire, Salesforce Insurance Cloud, Cresta, Sierra). The SOC 2 readiness program, BAA chain, encryption posture, vendor list, and incident disclosure cadence are all built so that either audience finds what it needs without surprises.
What this page cannot promise: a current SOC 2 Type II report (the observation window starts on the first qualifying enterprise tenant), FedRAMP authorization (control-mapping path only, not authorized status), or HITRUST certification (out of scope for MVP). Acquirer diligence will surface these gaps; we surface them here first.

| Trust Services Criterion | Status (2026-06-05) | Control evidence |
|---|---|---|
| Security (CC) | in progress | Access reviews, encryption-at-rest, HMAC audit log, vulnerability scanning |
| Availability (A) | in progress | Cloudflare Workers redundancy + Logpush + uptime SLA documented |
| Processing Integrity (PI) | in progress | Hash-chained audit log, input validation, deterministic prompt rendering |
| Confidentiality (C) | in progress | Per-tenant isolation in Durable Objects + R2 + KV; PHI redaction |
| Privacy (P) | scoped on request | State privacy law overlays (CCPA, CPA, VCDPA, etc.); DSR pathway |
| Type II observation window | not started | Starts on first enterprise customer; 9–12 month report cadence |

Continuous monitoring via Drata, Vanta, or Secureframe — tenant-selectable. Auditor of record selected from Insight Assurance, A-LIGN, Coalfire, or Schellman on the first enterprise commitment.
Business Associate Agreement covering 45 CFR § 164.504(e) required provisions. Tenant signs as the covered entity; Sage Voice signs as the business associate.
Cloudflare BAA on Workers + R2 (cloudflare.com/trust-hub). OpenAI BAA on Enterprise + API (openai.com/security/business-associate-agreement). Anthropic BAA on Claude Enterprise (anthropic.com/legal). Retell and Vapi BAA availability is tenant-declared.

| Vendor | Function | BAA |
|---|---|---|
| Cloudflare | Workers, Durable Objects, R2, KV, DNS, WAF | Yes (Workers + R2) |
| OpenAI | LLM (gpt-4o realtime) | Yes (Enterprise + API) |
| Anthropic | LLM (Claude Opus, Claude Sonnet) | Yes (Claude Enterprise) |
| ElevenLabs | TTS | Tenant-declared |
| Retell | Voice orchestration | Tenant-declared |
| Vapi | Voice orchestration | Tenant-declared |
| Stripe | Billing | N/A (no PHI) |

Report security issues to security@sage-voice.com. We acknowledge within one business day and target a fix-or-mitigation timeline of seven days for critical issues.