SECURITY

Where your conversation data goes after scoring.

What happens to your data at each stage, which frameworks govern each stage, who else processes the data, and where to get the audit documents your security team needs.

9 frameworks: SOC 2 Type II, ISO 27001, ISO 42001, PCI DSS, HIPAA, GDPR, CCPA, NIST 800-53, PII Redaction
0 third-party model dependencies: proprietary MoE, built and operated by ETS Labs
94%+ accuracy SLA: written into the master agreement
326M classifications every 5 minutes: at 94%+ accuracy across all dimensions
CERTIFICATIONS

The frameworks your auditor will ask about.

What each framework actually covers, and what scope it applies to within QEval®.

SOC 2 Type II (scope: full platform)
Continuous controls audit covering security, availability, and confidentiality. Type II means the audit covers operating effectiveness over time, not a single snapshot.

ISO 27001:2022 (scope: information security management)
International standard for information security management systems (ISMS). Covers risk assessment, access controls, incident response, and business continuity planning.

ISO 42001 (scope: AI management system)
The certifiable standard for AI governance (published 2023). Covers model transparency, bias monitoring, human oversight, and responsible AI deployment. Most QA vendors have not yet certified.

PCI DSS Level 1 (scope: redaction pipeline)
The highest level of PCI compliance, including SAQ D and SP. Specifically covers the redaction pipeline where payment card data is stripped before any model processing.

HIPAA (scope: healthcare-ready)
Healthcare data handling compliance. Protected Health Information (PHI) is redacted at ingest via Named Entity Recognition. BAA available for covered entities.

GDPR (scope: EU data protection)
Full General Data Protection Regulation compliance. Data subject access requests, right to erasure, data portability, and lawful basis documentation supported.

CCPA (scope: California consumer privacy)
California Consumer Privacy Act compliance. Consumer data rights, opt-out mechanisms, and data sale restrictions enforced at the platform level.

NIST 800-53 (scope: federal control alignment)
Aligned to the NIST SP 800-53 control catalog used by US federal agencies and FedRAMP-authorized vendors. Covers access control, audit and accountability, configuration management, and incident response.

PII Redaction at Ingest (scope: pre-model redaction)
Named Entity Recognition strips PII and PHI from every interaction before any model processing begins. No unredacted personal data reaches the MoE classification engine.
DATA FLOW

What happens to a conversation, stage by stage.

Six stages from ingestion to audit trail. Each stage maps to the framework that governs it.

  • Stage 1: Interaction Ingestion. Call, chat, or email enters QEval®. Governed by SOC 2 Type II.
  • Stage 2: NER Redaction. PII and PHI stripped before any model sees it. Governed by PCI DSS + HIPAA.
  • Stage 3: MoE Classification. Routes to expert sub-models per scorecard item. Governed by ISO 42001.
  • Stage 4: Expert Scoring. Compliance, empathy, resolution, brand voice. Governed by ISO 27001.
  • Stage 5: Scorecard Delivery. Results to dashboard, API, or webhook. Governed by GDPR + CCPA.
  • Stage 6: Audit Trail. Every decision traceable to expert + transcript span. Governed by SOC 2 + ISO 27001.

Stage 1 detail
Interaction Ingestion
Conversations arrive from 80+ CCaaS and enterprise integrations via the Universal Connector. Voice calls, chat transcripts, email threads, and AI agent interactions all enter through the same ingestion layer. No data touches any model at this stage. The ingestion layer validates format, assigns a unique interaction ID, and logs receipt for the audit trail.
ARCHITECTURE

What runs the model, and who owns it.

QEval® is not a wrapper on OpenAI, Anthropic, or any third-party foundation model. ETS Labs built the model, trains it, and operates it. Your data does not leave the QEval® boundary.

Classification Engine

Maps each item on a customer's scorecard to the correct expert pathway within the MoE model. A 47-item scorecard with compliance gates, empathy indicators, resolution markers, and brand voice rules routes each item to the right expert. This enables 326 million classifications every 5 minutes at 94%+ accuracy.

Vocabulary Library

A proprietary lexicon tuned to contact center language across 35+ languages and 80+ CCaaS integrations. Hold procedures, transfer protocols, disclosure requirements, and de-escalation patterns. Domain fluency that general-purpose LLMs frequently misclassify.

Expert Sub-Models

Specialized experts for each scoring dimension. Compliance language goes to a compliance expert. Empathy detection goes to an empathy expert. Brand voice adherence goes to a brand voice expert. Each expert is purpose-trained on contact center interaction data.

Customer data isolation

No cross-customer data sharing. No third-party API calls to foundation model providers.

Model ownership

ETS Labs owns, trains, and operates the MoE model. No dependency on external model providers.

Pre-model redaction

PII and PHI redacted via NER before any model processing. Redaction at ingest, not after scoring.

EU AI ACT

What the EU AI Act requires of contact center QA.

Full enforcement begins August 2, 2026. Penalties for prohibited practices reach up to €35 million or 7% of global annual turnover; high-risk system violations carry penalties up to €15 million or 3%. Contact centers using AI for quality management, emotion analysis, or customer interaction scoring face new compliance requirements including mandatory conformity assessments and fundamental rights impact assessments for high-risk systems.

Regulatory context, not QEval® legal advice.

Banned: Employee emotion recognition (Article 5(1)(f))

Workplace emotion recognition is prohibited under the EU AI Act. Systems that infer employee emotions from biometric data in the workplace are banned outright, with narrow exceptions for safety and medical use.

High-risk: Customer emotion AI (Annex III)

AI systems that analyze customer emotions are classified as high-risk. They require conformity assessments, human oversight documentation, technical documentation of training data, and ongoing monitoring.

Required: Chatbot disclosure (Article 50)

Customers must be informed when they are interacting with an AI system. AI agents deployed in customer-facing channels require clear disclosure at the start of the interaction.

QEval® position: Architecture aligned to requirements

ISO 42001 certified (AI management systems). Proprietary model with no third-party training loop. Pre-model PII/PHI redaction via NER. Full audit trail tracing every classification decision to the specific expert sub-model and transcript span that triggered it.

DATA RESIDENCY

Where your data lives. How it is protected.

Encryption at rest

AES-256 encryption for all stored data. Customer interaction data, scorecards, audit logs, and model outputs are encrypted at rest with keys managed per customer.

Encryption in transit

TLS 1.2+ for all data in transit. Every API call, webhook delivery, dashboard request, and integration sync is encrypted end to end.

Per-customer data isolation

Customer data is logically isolated at the infrastructure level. No cross-customer data access, no shared model training across accounts, no commingled storage.

Data residency regions

Data residency available in US regions. For EU and other regional requirements, contact sales to discuss deployment options and region-specific compliance documentation.

REDACTION

What gets redacted, and when.

PII and PHI are stripped before the model sees the interaction. The order matters, so it is documented here.

01. Interaction arrives

A call recording, chat transcript, or email enters QEval® through the Universal Connector. The raw interaction is logged for audit purposes. No model has seen it yet.

02. Named Entity Recognition strips PII and PHI

Social security numbers, credit card numbers, dates of birth, account numbers, names, addresses, phone numbers, medical record numbers, and other personally identifiable information are detected and redacted. The NER layer runs before the MoE model, not alongside it.

03. Redacted interaction enters the MoE model

Only the redacted version of the interaction reaches the classification engine and expert sub-models. The model scores compliance, empathy, resolution, and brand voice on text that contains zero personal data.

No unredacted data reaches the model. No exceptions.
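The ordering this section describes (ingest and log, redact, and only then hand text to the model), as an added example that is not QEval® code: a small Python pipeline whose NER layer is a constructed regex stand-in for three entity types, with a gate that refuses any text in which a pattern still fires and an audit trail that records span offsets and entity types rather than the values themselves.

```python
import re
import uuid
from dataclasses import dataclass, field

# Constructed stand-in for the NER layer: three regex classes. A real NER model
# would replace these; the point of the example is the stage ordering and the gate.
PII_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "CARD": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "PHONE": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
}

@dataclass
class Interaction:
    interaction_id: str
    raw_len: int                      # receipt is logged by length only, never content
    redacted_text: str = ""
    audit: list = field(default_factory=list)

def ingest(raw_text: str) -> tuple[str, Interaction]:
    """Stage 1: assign a unique ID and log receipt. The raw text is returned
    separately so the object handed onward never carries it."""
    ix = Interaction(interaction_id=str(uuid.uuid4()), raw_len=len(raw_text))
    ix.audit.append(("ingested", ix.raw_len))
    return raw_text, ix

def redact(raw_text: str, ix: Interaction) -> Interaction:
    """Stage 2: replace every detected entity with a typed token, recording only
    the entity type and its span offsets in the original text."""
    spans = sorted((m.start(), m.end(), label)
                   for label, pat in PII_PATTERNS.items()
                   for m in pat.finditer(raw_text))
    out, cursor = [], 0
    for start, end, label in spans:
        if start < cursor:            # overlaps an entity already redacted
            continue
        out.append(raw_text[cursor:start])
        out.append(f"[{label}]")
        ix.audit.append(("redacted", label, start, end))
        cursor = end
    out.append(raw_text[cursor:])
    ix.redacted_text = "".join(out)
    return ix

def model_gate(ix: Interaction) -> str:
    """Stage 3 entry: refuse to release the text if any pattern still matches."""
    for label, pat in PII_PATTERNS.items():
        if pat.search(ix.redacted_text):
            raise ValueError(f"unredacted {label} in {ix.interaction_id}")
    ix.audit.append(("model_input", len(ix.redacted_text)))
    return ix.redacted_text

def process(raw_text: str) -> Interaction:
    raw, ix = ingest(raw_text)        # enforce the order: ingest, redact, gate
    redact(raw, ix)
    model_gate(ix)
    return ix
```

A constructed transcript line such as "Customer: 4111 1111 1111 1111, SSN 123-45-6789, call me at 555-123-4567." leaves the gate as typed tokens only, and a deliberately unredacted Interaction is rejected before any classifier call.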

TRUST CENTER
Continuously monitored by Vanta

The documents your security team needs.

Vanta-hosted Trust Center with continuous evidence collection across 70+ controls in five categories. Audit reports, ISO certificates, and policies sit behind an access request. Approval is typically same business day.

Infrastructure (14 controls)
  • Encryption key access restricted
  • Unique account authentication enforced
  • Production data encrypted at rest
  • Network segmentation enforced

Organizational (12 controls)
  • Anti-malware technology utilized
  • Employee background checks performed
  • Security awareness training annual
  • Acceptable use policy enforced

Product (5 controls)
  • Control self-assessments conducted
  • Data transmission encrypted
  • Vulnerability monitoring active

Internal Procedures (36 controls)
  • Continuity and DR plans established
  • Continuity and DR plans tested
  • Configuration management active

Data & Privacy (3 controls)
  • Data retention procedures established
  • Data classification policy enforced
  • Customer data deleted upon leaving

Audit documents

Documents below are gated. Verified prospects and customers are typically approved the same business day.

  • SOC 2 Type II report (gated)
  • SOC 3 report (2025) (gated)
  • ISO 27001 certificate (gated)
  • Penetration test report (gated)
  • Information Security Policy (gated)
  • Incident Response Plan (gated)
  • Business Continuity Plan (gated)
  • QEval® Architecture overview (gated)

Specific question?

Submit a question through the Trust Center and a member of the security team responds directly. This is how procurement, infosec, and legal teams usually get RFP, DPA, and BAA answers.

  • Typical response: < 1 business day
  • Common requests: RFP, DPA, BAA
  • Channel: Authenticated
SUBPROCESSORS

Who else processes your data.

Three subprocessors total. Material changes are posted to the Trust Center and sent to the DPA notification address you designate at contract signing.

Cloud provider: Amazon Web Services (AWS)
Compute, storage, networking, and encrypted processing of redacted scoring data. Primary hosting region: US.

Productivity: Microsoft Entra (Office 365)
Internal document management, identity, and authentication.

Continuous compliance: Vanta
Automated control monitoring, evidence collection, Trust Center hosting.
RESPONSIBLE DISCLOSURE

Found something? Tell us.

How to report a vulnerability, what response times to expect, and how researchers are credited.

How to report

Email a written summary, reproduction steps, and supporting artifacts. Do not include real PII. Test only against your own tenant or a staged environment.

security@qeval.ai

What happens next

  1. Acknowledged within 2 business days. Triage assigned. Severity scored using CVSS 3.1.
  2. Reproduced within 5 business days. Critical and High findings start same-day mitigation.
  3. Fixed within SLA. Critical under 7 days. High under 30 days. Medium under 90 days.
  4. Credit on request. Researchers acknowledged in the security changelog when desired.
FAQ

Questions from procurement, infosec, and legal.

How is this different from vendors using OpenAI or Anthropic APIs?

Most AI QA vendors build on top of third-party foundation models via API. Your conversation data is sent to that provider for processing, and it may be used for model training unless explicitly opted out. QEval® uses a proprietary, closed-source Mixture-of-Experts model built and operated entirely by ETS Labs. Customer data never leaves QEval®'s infrastructure. No third-party API calls to foundation model providers. No training loop exposure.

Where does my data physically reside?

QEval® data is hosted in US-based infrastructure with AES-256 encryption at rest and TLS 1.2+ in transit. Per-customer data isolation ensures no cross-customer access. For EU or other region-specific residency requirements, contact sales to discuss deployment options and compliance documentation.

What happens to my data if I leave?

QEval® includes a 60-day exit clause in the master services agreement. During the exit period, your data is available for export in standard formats. After the exit period, all customer data is purged from QEval® systems per the data retention policy. No data hostage scenarios.

How do you handle the EU AI Act's emotion AI classification?

QEval® is ISO 42001 certified (AI management systems). The platform uses a proprietary model with no third-party training loop, pre-model PII/PHI redaction, and full audit trail documentation. QEval®'s sentiment analysis operates on linguistic patterns in text, not on biometric data. For specific regulatory guidance, consult your legal team. QEval®'s architecture is designed to support compliance documentation requirements.

Can we audit the model's decisions?

Yes. Every classification decision traces to the specific expert sub-model that made it and the exact transcript span that triggered it. The audit trail is continuous and immutable. Your compliance team can review any scorecard result, see which expert scored each item, and read the transcript evidence that supports the classification.

How do we get the SOC 2 report and other audit documents?

Open the QEval® Trust Center and click Request access. Verified prospects and customers are typically approved the same business day. Available documents include the SOC 2 Type II report, the 2025 SOC 3 report, the ISO 27001 certificate, the most recent penetration test report, the Information Security Policy, the Incident Response Plan, the Business Continuity Plan, and the QEval® Architecture overview. For RFPs and custom questionnaires, use the Ask a question flow in the Trust Center.

What subprocessors does QEval® use, and how do we get notified of changes?

QEval® uses three subprocessors: Amazon Web Services (AWS) for compute, storage, networking, and encrypted processing of redacted scoring data; Microsoft Entra / Office 365 for internal document management and identity; and Vanta for continuous compliance monitoring and Trust Center hosting. Material changes are announced through the Trust Center and via DPA notification email to a contact you designate at contract signing.

How do we report a security vulnerability?

Email security@qeval.ai with a written summary, reproduction steps, and any supporting artifacts. Do not include real customer PII in the report. We acknowledge within 2 business days, reproduce within 5, and fix per CVSS 3.1 severity (Critical under 7 days, High under 30, Medium under 90). Researchers are credited in the security changelog on request.

Security documentation

Get the documents. Or run a pilot.

The Trust Center is where you request the SOC 2 report, the ISO 27001 certificate, the latest pen test, and the architecture overview. A pilot is where you verify the controls against your own environment.

Contractual commitments

Four numbers no peer publishes.

94%+ accuracy SLA: written into the master agreement
30 days deployment: money-back guarantee
60 days exit clause: cancel with notice, no penalty
120 days ROI: documented value before expansion