Trust Center · Vanta · SOC 2 · HIPAA · GDPR

Security that scales with you.

Vanta-monitored controls, SOC 2 / HIPAA / GDPR alignment, and optional AI accent neutralization on voice. Raw US PII never leaves AWS us-east-1: it is tokenized at the US edge, and the agents behind your pod only ever see the redacted view.

  • 0 raw PII crossings
  • 100% of sessions recorded
  • 12-month audit retention
  • Data residency: us-east-1
The pipeline

Every ticket, call, and chat follows the same path.

No exceptions. No back-channels. No shadow access. The diagram below is exactly what runs in production.

01 · US Customer · TLS 1.3 in transit
Tickets and calls originate from the end customer and travel encrypted to our US ingress.

02 · US Edge — Redaction Layer · AWS us-east-1
PII is tokenized before it leaves the United States. Credit cards → tokens. SSNs → masked. Names & addresses → pseudonymized.

03 · Encrypted Tunnel · Mutual TLS · IP-allowlisted
Only the redacted ticket payload crosses the border. No raw PII ever leaves US infrastructure.

04 · Medellín Agent · Locked endpoint · session recorded
Agents see a redacted view only. No local storage, no USB, no print. Every action is audited.

Customer ticket (US ingress)
  • name: Sarah Whitman
  • email: s.whitman@acme.com
  • card: 4242 4242 4242 9821
  • ssn: 412-55-7790
  • addr: 142 Hudson St, NYC

Agent view (Medellín) · Redacted
  • name: Customer #80214
  • email: ••••••@acme.com
  • card: tok_1Q••••9821
  • ssn: •••-••-••••
  • addr: NYC, NY (zip 10013)
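As an added example, not the company's own code, the following Python models the redaction step shown above. It assumes an in-memory dict in place of the US-side token vault, a random vault token per card (kept alongside the last four digits), an HMAC-based stable customer number in place of whatever pseudonymization the real system uses, and a structured address plus a free-text body on the ticket; the sample ticket is constructed from the page's example values. The egress check at the end is the guard a practitioner would put in front of the tunnel: it refuses to forward any view in which a raw value or a card/SSN pattern survives.

```python
"""Edge redaction layer: tokenize, mask and pseudonymize a ticket in us-east-1
so that only the redacted view crosses the tunnel to the agent pod."""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field

# Constructed sample ticket. The five fields mirror the page's example; the
# structured address and the free-text body are assumptions for this example.
SAMPLE_TICKET = {
    "name": "Sarah Whitman",
    "email": "s.whitman@acme.com",
    "card": "4242 4242 4242 9821",
    "ssn": "412-55-7790",
    "addr": {"street": "142 Hudson St", "city": "NYC", "state": "NY", "zip": "10013"},
    "body": "Charged twice on card 4242-4242-4242-9821, my SSN is 412-55-7790.",
}

# Minimum patterns for PII in free text; a production scrubber adds Luhn and
# BIN checks for cards and locale-specific identifiers.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
SSN_MASK = "•••-••-••••"


@dataclass
class UsEdgeVault:
    """Token store plus pseudonym key. Assumption: an in-memory dict stands in
    for the vault that, per the page, never leaves AWS us-east-1."""
    pseudonym_key: bytes
    _cards: dict = field(default_factory=dict)

    def tokenize_card(self, pan: str) -> str:
        digits = re.sub(r"[ -]", "", pan)
        # Random token: no mathematical relation to the PAN, so the agent holds
        # a reference, not an encrypted copy. Last four digits stay visible.
        token = "tok_" + secrets.token_hex(3)
        self._cards[token] = digits
        return f"{token}••••{digits[-4:]}"

    def detokenize(self, token_view: str) -> str:
        """US-side only: resolve a token view back to the full PAN."""
        return self._cards[token_view.split("••••")[0]]

    def pseudonym(self, name: str, email: str) -> str:
        """Stable customer number: same person, same number across tickets, but
        not reversible without the key, which stays in the vault."""
        ident = f"{name.strip().lower()}|{email.strip().lower()}".encode()
        digest = hmac.new(self.pseudonym_key, ident, hashlib.sha256).digest()
        return f"Customer #{int.from_bytes(digest[:4], 'big') % 100000:05d}"


def mask_email(email: str) -> str:
    """Keep the domain; hide the local part behind a fixed-length mask so the
    mask does not leak the local part's length."""
    _, _, domain = email.partition("@")
    return "••••••@" + domain


def scrub_text(text: str, vault: UsEdgeVault) -> str:
    """Free text gets the same treatment as the structured fields."""
    text = CARD_RE.sub(lambda m: vault.tokenize_card(m.group(0)), text)
    return SSN_RE.sub(SSN_MASK, text)


def redact_ticket(ticket: dict, vault: UsEdgeVault) -> dict:
    """Build the agent view: the only payload allowed onto the tunnel."""
    addr = ticket["addr"]
    return {
        "name": vault.pseudonym(ticket["name"], ticket["email"]),
        "email": mask_email(ticket["email"]),
        "card": vault.tokenize_card(ticket["card"]),
        "ssn": SSN_MASK,
        "addr": f"{addr['city']}, {addr['state']} (zip {addr['zip']})",
        "body": scrub_text(ticket["body"], vault),
    }


def egress_check(ticket: dict, view: dict) -> list:
    """Guard at the tunnel: list every raw value that would cross. An empty
    list means the view may be forwarded; anything else blocks it."""
    serialized = repr(view)
    raw = {
        "name": ticket["name"],
        "email local part": ticket["email"].partition("@")[0],
        "pan": re.sub(r"[ -]", "", ticket["card"]),
        "ssn": ticket["ssn"],
        "street": ticket["addr"]["street"],
    }
    findings = [label for label, value in raw.items() if value in serialized]
    if CARD_RE.search(serialized) or SSN_RE.search(serialized):
        findings.append("card/SSN pattern still present")
    return findings


if __name__ == "__main__":
    vault = UsEdgeVault(pseudonym_key=secrets.token_bytes(32))
    view = redact_ticket(SAMPLE_TICKET, vault)
    for key, value in view.items():
        print(f"{key}: {value}")
    print("egress findings:", egress_check(SAMPLE_TICKET, view))
```

Running the file prints the agent view and an empty findings list. Two points matter in a real deployment and are only hinted at here: `detokenize` must be reachable solely from services inside us-east-1 (an access-control boundary, not something the code enforces), and the egress check should sit on the tunnel itself rather than in the application, so that a redaction bug anywhere upstream still fails closed.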
Compliance posture

No badges we haven't earned.

We list what's active, what's in progress, and what's on request — never a blue checkmark we can't back up with paperwork.

Vanta-monitored controls · Operational
Continuous control monitoring via Vanta — security, availability, and confidentiality evidence collected automatically, 24/7.
Live trust report available on request

SOC 2 Type II · In progress
Annual third-party audit covering security, availability, and confidentiality. Type I report available now under NDA.
Q3 2026 · Vanta-managed

HIPAA-aligned workflows · Operational
PHI is redacted on US infrastructure before any cross-border processing. We sign BAAs for healthcare clients.
BAA executable in 5 business days

GDPR data residency · Operational
EU customer data can be pinned to AWS eu-west-1. Cross-border transfers governed by SCCs and DPAs.
EU-pinned region available

PCI-DSS scope reduction · In progress
Card data is tokenized at the US edge before any agent sees it. Your PCI footprint shrinks from 'full PAN' to 'token reference'.
AOC available on request

SSO + MFA · Operational
Bring your IdP — Okta, Entra, Google. MFA enforced on every account. Quarterly access reviews, signed off in writing.
SAML 2.0 / OIDC

Operational controls

The eight controls that keep humans accountable.

Controls aren't theoretical here — every one below is enforced by tooling, not policy. If it's not enforced, it's not on the list.

  • Locked endpoints: no USB, no print, no local storage. Mac/Windows MDM-managed.
  • Continuous screen recording: every agent station recorded. 12-month retention. Searchable on demand.
  • MFA everywhere: every internal tool, every client login. Phishing-resistant where supported.
  • Role-based access: agents see redacted ticket views only. Least-privilege enforced by default.
  • mTLS tunnels: all cross-border traffic over mutual TLS, IP-allowlisted, certificate-pinned.
  • Quarterly access reviews: joiners-movers-leavers documented. Sign-off by US account manager.
  • Annual pen test: independent third-party. Executive summary shareable under NDA.
  • Background-checked agents: criminal + employment verification. Signed NDA before keyboard access.

Incident response

If something goes wrong, here's exactly what happens.

Written, drilled quarterly, and shareable with your security team in advance — not after the fact.

01 · Detect · 0–15 min
SIEM alert + on-call paged. Ticket opened, severity assigned.

02 · Contain · 15–60 min
Affected access revoked, sessions killed, evidence preserved.

03 · Notify · ≤24 hr
Customer notification with scope, timeline, and known impact.

04 · Remediate · ≤72 hr
Root-cause fix shipped. Postmortem drafted.

05 · Report · ≤30 days
Written postmortem + control changes delivered to affected customers.

Audit pack

The documents your security team will ask for.

Half of these are downloadable today. The rest are one signed NDA away.

  • DPA (Data Processing Agreement)
    Pre-signed · downloadable
  • SCCs (EU Standard Contractual Clauses)
    Pre-signed · downloadable
  • BAA (HIPAA Business Associate Agreement)
    On request · 5 business days
  • SOC 2 Type I report
    Under NDA · request access
  • Penetration test executive summary
    Under NDA · request access
  • Sub-processor list
    Public · always current
Sub-processors

Every vendor that touches your data.

Listed, with purpose and region. Always current.

Vendor      Purpose                               Region
AWS         US ingress, redaction layer, storage  us-east-1
Cloudflare  Edge DDoS + WAF                       Global
Datadog     Logs + APM (no PII)                   us1
Okta        Workforce SSO + MFA                   US
1Password   Secrets management                    US
Audit pack

Want the full audit pack?

DPA, SCCs, SOC 2 Type I, and pen-test summary — sent in one email after a 5-minute NDA.