Compliance & Security
Sowa Answers is built for Canadian service businesses. We handle your call data with care — persistent Canadian data residency, PIPEDA-aware practices, and practical security controls.
Last updated: June 16, 2026
01Canadian data residency
Persistent customer data is resident in Canada. Your account data, caller contact records, call transcripts, and AI summaries are stored in our database in a Canadian region (ca-central-1), and the application is hosted in Montreal (yul1). This persistent data does not leave Canada.
Real-time voice transport runs on a global edge network for low-latency call routing, and some AI sub-processors (for speech-to-text, text-to-speech, and language processing) operate in the United States. This means call audio in transit and real-time conversation data may pass through US-based infrastructure. Call audio is transcribed in real time and is not retained. The full breakdown is in our Privacy Policy (see "Where Data Is Stored").
02PIPEDA
We follow PIPEDA (Personal Information Protection and Electronic Documents Act) principles: consent, limited collection, purpose limitation, and secure retention. Our Privacy Policy describes what we collect and how we use it. You may request access, correction, or deletion of your data.
03Security
- Encryption in transit — HTTPS/TLS for all web and API traffic
- Access control — Role-based access; admin routes require authentication
- Rate limits — Contact and API endpoints are rate-limited to prevent abuse
- Secrets — No API keys or secrets in client bundles; env-based configuration
- Security headers — X-Frame-Options, HSTS, X-Content-Type-Options, and more
04Integrations & third parties
We rely on a small set of vetted sub-processors, described by function: AI conversation and speech processing for live calls, real-time voice orchestration and a telephony carrier, hosting with a Canadian-region database, payment processing, transactional email, error monitoring, and bot protection. A separate assistant powers our website chat only and does not receive call data. Each has its own security and compliance posture, and a current list of our named sub-processors is available to customers on request. The categories and what each one handles are described in our Privacy Policy. We do not sell your data to third parties.
05Healthcare & regulated industries
If you operate in healthcare or other regulated sectors, contact us to discuss data handling, BAAs, or additional compliance requirements. We can tailor our approach for your use case.
Still have questions?
Our team in London, Ontario is happy to help.