Security, privacy and compliance at Convai

We recognise the importance of handling caller data with the utmost care and efficiency.

Compliance at Convai

Our compliance framework

At Convai, trust isn’t just a principle - it’s a practice. Our commitment to security, privacy, and compliance is deeply embedded in how we build, deliver and support our solutions. As a part of Probe Group, Convai operates within a robust security governance framework, backed by international standards like ISO27001 and regular SOC 2 Type II audits.

Our strategy treats ‘Security’ as a ‘Quality Function’, ensuring:

Integration across product and operations
Root cause analysis for vulnerabilities
Proactive risk management
Cross-functional collaboration on all changes and deployments

Our security practices

Certifications
Convai operates under the ISO27001 certification held by Probe Group, which governs our systems, infrastructure and staff. Our internal practices align with this certification to ensure security is systematic, monitored and continually improved.

Attestations
We undergo an annual SOC 2 Type II audit and GDPR attestation, scoped specifically for our SaaS product, Oration, to demonstrate our dedication to security controls and data protection in global markets.

SOC 2 Type II: Security, Availability and Confidentiality

GDPR: General Data Protection Regulation

Security isn’t an afterthought. From the initial design to deployment, every Oration feature incorporates secure development practices. Our team follows a robust ‘Development Lifecycle’ that includes secure coding standards, threat modelling based on data flows, staff training, penetration testing and regular code reviews. These steps ensure risks are identified and mitigated before development begins.

Critical third-party service providers are subject to annual privacy and security risk assessments to ensure they meet Convai’s standards for data protection and service resiliency.

Privacy

At Convai, privacy is built into every layer of our platform, from product design to day-to-day operations. We take a proactive, principles-based approach to privacy.

We apply ‘Privacy by Design’ to ensure compliance with global privacy laws and enforce rigorous data lifecycle management. This involves conducting Data Privacy Impact Assessments (DPIAs) before launching features involving personal or sensitive data, ensuring we identify and mitigate privacy risks appropriately before any processing takes place.

We adhere to a clear Record of Processing Activities (ROPA) to support GDPR Article 30 compliance, detailing what personal data is processed, where it’s stored, how long we retain it and our contractual and legal obligations around handling it.

Convai’s products, including Oration, are designed with privacy in mind and operate under a strong governance framework that covers both security controls and ethical data use.

AI governance and responsible innovation

Convai is committed to deploying artificial intelligence in a safe, ethical and transparent way. As an AI provider, we integrate a range of third-party AI capabilities within our Oration platform to deliver intelligent, voice-enabled customer experiences.

Our AI Governance Framework is informed by regulations such as the EU AI Act and the ISO42001 standard, and guided by the Probe Group’s AI Principles of security, transparency, fairness and accountability.

Our approach includes:

Building AI models into our data flow and threat modelling them against the latest OWASP AI threat guidance.
Assessing AI features for potential data protection impacts and ensuring they are configured to minimise personal data collection and usage.
Performing annual third-party reviews on AI vendors to examine security, ethical and compliance considerations.

Incident response and security events

Convai operates under Probe Group’s Enterprise Incident Response Plan, which ensures a well-maintained and proactive Incident Response approach is always taken. This includes a structured response process and transparent communication in line with regulatory obligations like GDPR’s 72-hour rule.

In addition, Convai maintains its own Incident Response runbooks, tailored to the unique aspects of our Oration product and supporting services.

We treat every incident as an opportunity to improve and apply root cause analysis, update controls and enhance our practices with every lesson learned.

Business continuity and disaster recovery

At Convai, we prepare for the unexpected so our customers never have to worry. Our Business Continuity and Disaster Recovery (DR) strategies are purpose-built to maintain availability, resilience and confidence.

Convai operates under Probe Group’s Enterprise Business Continuity Plan, which includes crisis management and continuity for common services. In addition, Convai maintains its own Business Continuity Plan tailored to the unique aspects of our Oration product and supporting services.

Convai uses Amazon Web Services (AWS) to deliver scalable, secure and resilient infrastructure. As part of our DR strategy, we use AWS-native backup tools to support DR efforts. We also perform independent backup of key building blocks, which are validated through regular testing as part of our SOC 2 Type II audit obligations.

In case of a major failure, these building blocks allow us to rebuild the Oration environment while maintaining configuration integrity and minimising downtime.

Oration will:

Reduce average handling times
Identify and verify your callers
Increase uptake to self-service
Provide targeted banners
Facilitate a digital channel shift
Improve agent and customer engagement
Support speed to competency

Overview of how Oration works

Oration is an easy-to-implement, low-cost cloud-based contact centre plugin that ensures the best possible outcome is achieved for every call.
