Security at OutroCX
OutroCX is purpose-built for contact center and BPO operations, which means the data we process — call recordings, transcripts, agent profiles, customer interactions — is among the most sensitive data your business handles. Security is not a feature we layer on top of the platform. It is the foundation we build everything else on.
This page describes how we protect customer data, the controls we have in place, and the standards we operate against.
At a Glance
| Area | Standard |
|---|---|
| Encryption in transit | TLS 1.2 or higher across all platform endpoints |
| Encryption at rest | AES-256 for all customer data, including call recordings, transcripts, and database records |
| Tenant isolation | Row-level security enforced at the database layer; strict per-tenant data segregation |
| Access control | Role-based access controls inside the platform; multi-factor authentication available for all users |
| AI training | Customer data is never used to train AI models, ours or anyone else's |
| PII redaction | Automated multi-layer redaction before any call data is sent to AI processing |
| Breach notification | 72 hours from confirmed discovery |
| Data residency | United States, primary cloud region |
| Audit logging | All administrative actions and data access events logged and retained |
| Backups | Continuous backups with point-in-time recovery |
Infrastructure & Hosting
OutroCX is hosted on enterprise-grade managed cloud infrastructure operated by leading cloud providers. Our infrastructure stack is built on services that maintain SOC 2 Type II, ISO 27001, and additional compliance attestations, providing a secure foundation across compute, storage, networking, and database layers.
Customer data resides primarily in United States cloud regions. Sub-processors operating outside the U.S. are limited to the categories described in our Privacy Statement and are bound by appropriate data transfer mechanisms.
Tenant isolation. OutroCX uses a multi-tenant architecture with strict logical isolation enforced at the database layer through row-level security. Every query for customer data is automatically scoped to the requesting customer’s tenant — there is no application path that allows one customer to access another customer’s data.
Dedicated single-tenant infrastructure is available for qualifying enterprise customers. If you require dedicated infrastructure for compliance, regulatory, or risk-management reasons, please contact support@outrocx.com to discuss your requirements.
Encryption
In transit. All data transmitted between users, the OutroCX platform, and connected services is encrypted using TLS 1.2 or higher. This includes browser sessions, API calls, file uploads, and webhook deliveries. Older protocols (SSL, TLS 1.0, TLS 1.1) are disabled at the load balancer.
At rest. All customer data is encrypted at rest using AES-256, including:
- Call recordings and audio files in object storage
- Transcripts and QA evaluation results in the database
- Agent profiles, performance records, and coaching notes
- Knowledge base content, training materials, and configuration data
- Backup snapshots and replication targets
Encryption keys are managed by our cloud infrastructure provider’s key management service and rotated according to industry best practices.
Access Controls
Inside the platform. OutroCX enforces role-based access controls across every module. Customer administrators define who can access which programs, agents, recordings, and configuration tools. Standard roles include Admin, Manager, Trainer, Supervisor, QA Evaluator, and Agent — each with distinct permissions appropriate to their function.
Authentication. All platform users authenticate through secure credentials. Multi-factor authentication (MFA) is available for all users and recommended for all administrators. MFA adds a second verification step at login — typically a one-time code from an authenticator app — so that a compromised password alone cannot grant access to an account.
Internal access. Access to production systems by OutroCX personnel is limited to a small number of authorized engineers operating under the principle of least privilege. All production access is logged, requires multi-factor authentication, and is reviewed regularly. We do not access customer data except as required to deliver support, troubleshoot issues, or maintain platform health — and only with appropriate authorization.
Audit logging. Administrative actions, configuration changes, user access events, and data export operations are logged and retained for review. Customers can access their organization’s audit logs to support internal compliance and security workflows.
PII Redaction in AI Processing
A core function of OutroCX is the AI-powered analysis of call recordings — transcription, scoring, coaching, and content generation. Before any call data leaves our processing environment for AI analysis, it passes through a multi-layer PII redaction pipeline designed to detect and remove sensitive personal information.
The pipeline operates in two layers:
Layer 1 — Model-based detection. A specialized AI model identifies and replaces sensitive entities including credit card numbers, CVV codes, card expiration dates, bank routing and account numbers, Social Security Numbers, driver’s license numbers, passport numbers, dates of birth, phone numbers, email addresses, and other personally identifying information. The model is prompted with explicit redaction rules and replaces detected entities with neutral placeholder labels.
Layer 2 — Regex backstop. A pattern-based scrubber runs after the model layer to catch any residual PII that may have escaped detection — including digit sequences matching common credit card, SSN, routing number, phone, and email patterns.
Redacted transcripts are what get written to the database, sent to downstream AI processing for QA scoring, and stored long-term. Raw, unredacted PII is never persisted in our database.
When PII is detected during a call, an audit event is logged so administrators can monitor redaction activity across their programs.
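As an illustration of the Layer 2 regex backstop described above, the following is an added example and not OutroCX's own code. The placeholder labels, the patterns, the checksum validators, and the sample transcript are all assumptions constructed for this sketch.

```python
import re
from collections import Counter

def _digits(s):
    return [int(c) for c in s if c.isdigit()]

def _luhn_ok(s):
    # Luhn checksum separates card numbers from order IDs of similar length.
    d = _digits(s)[::-1]
    total = sum(d[0::2]) + sum(sum(divmod(2 * x, 10)) for x in d[1::2])
    return 13 <= len(d) <= 19 and total % 10 == 0

def _aba_ok(s):
    # ABA routing numbers satisfy a 3-7-1 weighted checksum.
    d = _digits(s)
    return len(d) == 9 and sum(w * x for w, x in zip((3, 7, 1) * 3, d)) % 10 == 0

# (label, pattern, validator). Labels are assumed. Order matters: longest digit runs first.
RULES = [
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), None),
    ("CARD", re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)"), _luhn_ok),
    ("SSN", re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"), None),
    ("ROUTING", re.compile(r"(?<!\d)\d{9}(?!\d)"), _aba_ok),
    ("PHONE", re.compile(
        r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"), None),
]

def scrub(text):
    """Return (redacted_text, per-label hit counts usable for an audit event)."""
    counts = Counter()
    for label, pattern, validator in RULES:
        def repl(m, label=label, validator=validator):
            if validator and not validator(m.group()):
                return m.group()  # failed checksum: leave as ordinary number
            counts[label] += 1
            return f"[{label}]"
        text = pattern.sub(repl, text)
    return text, dict(counts)

# Constructed transcript: layer 1 already replaced one card, the rest slipped through.
SAMPLE = (
    "Agent: I have your card as [CARD_NUMBER]. Customer: no, the new one is "
    "4111 1111 1111 1111, and my social is 078-05-1120. Routing 021000021, "
    "call me at (555) 010-0199 or jane.doe@example.com. "
    "Order number 1234567890123 shipped."
)

if __name__ == "__main__":
    redacted, hits = scrub(SAMPLE)
    print(redacted)
    print(hits)
```

The checksum validators trade recall for precision: the 13-digit order number survives because it fails Luhn, but an undashed SSN would also pass through, so a stricter backstop would drop the validators and accept over-redaction.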
AI Sub-Processors & Data Boundaries
OutroCX uses third-party AI providers for transcription, language model inference, text-to-speech, and other AI-powered platform functions. These providers operate as sub-processors under contractual obligations consistent with our Privacy Statement.
We do not train AI models on customer data. This applies to:
- AI models we operate ourselves
- AI models operated by our sub-processors
Our AI sub-processors operate under enterprise API agreements that explicitly prohibit the use of customer data to train, improve, or fine-tune their general-purpose models. Customer data sent for AI processing is used solely to return a result for that specific request and is not retained by sub-processors beyond what is required to deliver the service.
A current list of sub-processors is available on request from support@outrocx.com.
Application Security
Secure development. OutroCX engineering follows secure software development practices, including peer code review for all production changes, dependency vulnerability scanning, and separation of development, staging, and production environments.
Vulnerability management. Production dependencies are monitored for known vulnerabilities. Critical and high-severity vulnerabilities are prioritized for remediation within timeframes appropriate to their risk.
Secrets management. API keys, database credentials, and service tokens are stored in encrypted secret management systems and never committed to source code. Credentials used to access customer-configured ingestion sources (such as cloud storage buckets) are encrypted at rest using a dedicated vault service and retrieved at runtime.
Change management. Production deployments follow a controlled release process with automated testing, staging validation, and rollback capability for every change.
Monitoring & Incident Response
Monitoring. Production systems are continuously monitored for availability, performance, and security events. Anomalies trigger alerts to the on-call engineering team for investigation.
Incident response. OutroCX maintains a documented incident response process covering detection, containment, eradication, recovery, and post-incident review. Security incidents are categorized by severity, and each category has defined response timelines and escalation paths.
Breach notification. In the event of a confirmed data breach affecting customer data, OutroCX will notify the affected customer within 72 hours of discovery and cooperate fully in any required regulatory reporting.
Business Continuity & Backups
Backups. Customer data is backed up continuously through automated database replication and snapshot mechanisms provided by our cloud infrastructure. Point-in-time recovery is available within standard retention windows.
Disaster recovery. Production systems are designed to recover from infrastructure failures with minimal disruption. Critical services are deployed in resilient configurations to support availability across infrastructure events.
Data export. Customers can export their data at any time through the platform. Upon termination of service, data is available for export for 30 days following the final billing date, after which it may be permanently deleted in accordance with our Privacy Statement.
Compliance & Standards
OutroCX is designed and operated in alignment with the SOC 2 Trust Services Criteria for security, availability, and confidentiality. Our controls are modeled against this framework across infrastructure, access management, change management, encryption, monitoring, and incident response.
We do not currently hold a SOC 2 certification. Formal certification is a planned milestone as we scale. Customers requiring a formal attestation are encouraged to discuss requirements during procurement — we work with enterprise customers on compliance documentation, security questionnaires, and supplemental agreements as needed.
OutroCX is not a certified processor under PCI-DSS, HIPAA, or other industry-specific regulatory frameworks. Customers operating in regulated environments are responsible for ensuring their use of OutroCX aligns with their own compliance obligations. Platform features may support customer-led compliance workflows, but OutroCX does not certify compliance outcomes.
Responsible Disclosure
If you believe you have discovered a security vulnerability in OutroCX, we want to hear from you. Please report findings to support@outrocx.com with as much detail as possible, including:
- A description of the vulnerability and its potential impact
- Steps to reproduce
- Any supporting materials (proof-of-concept, screenshots, logs)
We commit to acknowledging legitimate reports within 5 business days and working with researchers to understand and remediate confirmed issues. Please give us a reasonable opportunity to address the issue before public disclosure.
We ask that researchers do not access, modify, or destroy customer data, do not perform testing that could degrade service for other users, and do not engage in social engineering or physical attacks.
Contact
For security questions, sub-processor lists, security questionnaires, dedicated infrastructure inquiries, or vulnerability reports, contact us at: support@outrocx.com
This Security page describes the controls and practices in effect as of the date last published. Security is an ongoing discipline, and our practices evolve as the platform and the threat landscape change. We will update this page to reflect material changes.