Compliance + Redaction

Compliance, engineered.

Named-entity redaction at ingest in 800 to 1200 ms. Real-time compliance alerts during the live call in 380 ms. Vertical-specialist MoE Operators trained in a 4,000-agent live contact center. Reference documentation for compliance officers, CISOs, and risk reviewers.

See a demo Review audit documentation

Section 1

Redaction

PCI, PHI, PII removed at ingest before any model reads the data.

Section 2

Real-time alerts

380 ms dispatch to email, SMS, Teams, Slack, or voice during the live call.

Section 3

Vertical specialists

Compliance reviewers trained on the regulations your agents work under.

Section 4

Architecture

How data flows. What's deleted, what's retained, where it's processed.

What QEval^® redacts and how customers configure it.

QEval^® uses Named Entity Recognition trained on millions of conversations to identify sensitive entities in three categories: PCI, PHI, and PII. Configuration is per program. Five PCI entities are required and locked. PII entities are recommended by default. Optional PII and PHI entities are opt-in. Customers choose what to mask before deployment.

Required 05

PCI entities. Always on.

Locked. No edits permitted.

Bank AccountCredit CardCVVBank RoutingCard Expiration

PCI DSS 3.2.1 Level 1. Hosted environment third-party certified. No exploitable information retained in audit testing.

Recommended 04

PII entities. On by default.

Customer may opt out per entity.

DOBDriver's LicensePasswordSSN

International equivalents covered: Australian TFN, Belgian NISS, British NIN, Canadian SIN, Dutch BSN, French INSEE, Indian Aadhaar, Mexican NSS.

Optional PII 33

Custom PII catalog.

Off by default. Customer opts in.

Account NumberAgeDateEmailHealthcare IDIP AddressLocationNamePassportPhoneUsernameVehicle ID+21 more

Includes location subclasses (city, state, country, ZIP, coordinate, address), gender / sexuality, marital status, occupation, religion, political affiliation, money, time, URL.

Optional PHI 07

Custom PHI catalog.

Off by default. Customer opts in.

Blood TypeConditionDoseDrugInjuryMedical ProcessStatistics

For healthcare and life-sciences programs. Used in combination with HIPAA Business Associate Agreement.

The redaction pipeline

Four stages. Watch a transcript redact in place.

Live, auto-advancing. The sample transcript redacts as the stages advance. Original media is deleted at stage three. Only the redacted transcript reaches the MoE.

Redaction pipeline

Sample transcript. Healthcare BPO. Call 7712.

Streaming

Transcript view

Stage 1 / Raw ingest

AgentGood morning, this is Marcus Reeves with Pinnacle Health. Can I verify your full name and date of birth? CustomerIt's Sarah Mitchell, born 04/12/1978. AgentI see your address as 412 Maple Street, Austin, Texas 78704. Still correct? CustomerYes. My card is 4532-1234-5678-9012, expires 09/27. AgentLast four of the SSN on file: 123-45-6789? CustomerThat's right.

Voice or chat arrives. Stored temporarily on an IP-restricted Etech server.

Interaction streams in over OAuth 2.0 from any connected CCaaS. Audio is encrypted at rest (AES-256) and held only long enough to ingest. No model has read the data at this point.

EncryptionAES-256 / TLS 1.2+

CloudAWS / Azure / GCP

EndpointsIP-restricted

NER tags PCI, PHI, and PII entities at ingest, in 800 to 1200 ms.

Named Entity Recognition tags every entity selected in the customer's configuration. Non-sensitive numbers (ordinals, percentages, prices, times) are preserved so analytics still work. The flagged version is staged; unredacted data remains walled off from any model.

Latency800-1200 ms

MethodNER, trained on millions

PreservedOrdinals, prices, times

Redaction applied. Original media deleted upon successful ingestion.

Sensitive tokens become redaction markers in transcripts; numbers are masked with symbols in text and replaced with silence in audio. Per the contractual data flow, media is deleted upon successful ingestion before the next interaction is processed. Only the redacted version is retained.

Original media deleted

Original retentionZero

Redacted retentionAudit trail only

PCI DSS 3.2.1Level 1 certified

Redacted transcript reaches the MoE. Every classification traces to an expert.

The proprietary closed-source Mixture-of-Experts routes each scorecard item to its specialized expert. No third-party foundation model is in the loop, for training or inference. Every classification ships with the expert that scored it, the transcript span, the confidence score, and the timestamp.

CollectionsFDCPA

HealthcareHIPAA

FinancialTILA / GLBA

InsuranceNAIC / CMS

Foundation modelsNone in path

Audit completeness100%

Classification accuracy94%+ SLA

Auto-advances every 3 seconds. Original deleted at stage 3.

Redaction surfaces

Where redaction happens. Four surfaces.

Voice audio

Sensitive numbers are replaced with silence. Non-sensitive numbers (ordinals, prices, durations) are preserved so analytics still work.

Mechanism: Audio masking

Text transcripts

Detected entities are replaced with tokenized redaction markers in text streams. Chat, email, and SMS handled the same way.

Mechanism: Token replacement

On-screen / desktop

Screen capture redaction prevents sensitive data from being recoverable through screenshots of the agent desktop during live calls.

Mechanism: Screen masking

In-flight, real-time

Live detection runs alongside post-call cleaning. Both archived audio and active interactions are covered by the same NER pipeline.

Mechanism: Streaming detection

Real-time alerts while the call is still happening.

When the compliance MoE expert detects a critical violation mid-call, the alert dispatches in 380 ms to the channels each customer configures. Choose any combination: email, SMS, Microsoft Teams, Slack, or outbound voice call to a supervisor.

Critical compliance violation flagged

380ms

Dispatch

From flag to first channel

SMTP / Webhook

SMS

Twilio / Direct

Teams

Graph API

Slack

Webhook

Voice call

Outbound

Critical compliance triggers

Configurable per program. Each trigger maps to one or more channels.

Disclosure missPII mishandlingUnauthorized adviceHarmful outputMini-Miranda missedRecording consentEscalation failureAI hallucinationCease-and-desist

Compliance scoring engine

One MoE per vertical. One documented violation taxonomy.

Compliance scoring is not generalist work. The MoE routes each scorecard item to the expert sub-model trained on that vertical's regulations. Twelve purpose-trained compliance experts, one violation taxonomy across all of them.

Twelve vertical compliance experts.

Each expert sub-model is tuned to a vertical's named regulations. Disclosure language, advice unauthorized for the agent's role, PII mishandling, identity-verification gaps. Calibration variance under 2% against the live operation's confirmed violation register.

CollectionsFDCPA / Reg F

HealthcareHIPAA / HITECH

FinancialTILA / GLBA / FCRA

InsuranceNAIC / CMS MA

TelecomTCPA / DNC

RetailFTC TSR / CCPA

Energy / UtilitiesState PUC / FERC

AutomotiveFTC Dealer / F&I

GovernmentFedRAMP / CJIS

BPOSOC 2 / multi-vertical

Travel + HospitalityPCI / ADA

EducationFERPA / COPPA

Eight documented violation codes.

Every flagged event maps to a named category. No miscellaneous bucket.

disclosure_missRequired statement not delivered

pii_mishandlingPII captured or repeated

unauthorized_adviceOut-of-role guidance

harmful_outputAggressive or threatening

recording_consentNotification missed

identity_verificationKYC step missed

escalation_failureTrigger not actioned

retention_violationStorage or DSR issue

Compliance specialists trained on the regulations your agents actually face.

QEval^® is operated by ETS Labs, the engineering arm of Etech Global Services, which runs a 4,000-agent live contact center across financial services, healthcare, collections, insurance, and telecom. Compliance reviewers come from live operating programs, not consulting engagements. They review violations alongside the automated scoring as an ongoing second layer.

Why this matters

Software companies study the regulations. Operators live with them.

Among the QA software vendors in the category, ETS Labs is the only one that simultaneously operates a live regulated contact center at scale. The compliance team's expertise is from actually handling Mini-Miranda misses, HIPAA edge cases, CMS scripted disclosures, and TCPA exposure on real calls.

4,000+

Live agents in operation

Collections

Mini-Miranda delivery, validation notice, 7-7-7 cadence, harassment standards.

FDCPAReg FNY DCWPTX Ch 392CA Rosenthal

Healthcare

Minimum-necessary PHI, Right of Access, BAA scope, telehealth consent.

HIPAAHITECHState telehealthCMS

Financial services

APR disclosures, GLBA NPI handling, Reg E electronic transfer rights, FCRA adverse action.

TILA / Reg ZGLBAReg EFCRANYDFS 500

Insurance

NAIC suitability, Medicare Advantage scripted disclosures, 10-year recording retention, state replacement notices.

NAICCMS MAState suitabilityFCA (UK)

Telecom

TCPA consent, DNC registry scrubs, AI-voice disclosure (UT, CA, TX), state mini-TCPA stricter than federal.

TCPAFCC DNCUT SB 226CA AB 2905State mini-TCPA

Retail / outbound

FTC TSR 30-second opener, click-to-cancel honoring, state telemarketing registrations, CCPA opt-out.

FTC TSRTCPACCPAState telemarketing

Energy + Utilities

State PUC disclosure rules, door-to-door and inbound enrollment scripts, deregulated-market rate confirmations, slamming and cramming prohibitions.

State PUCFERCAnti-slammingTPV

Automotive

FTC Dealer Rule disclosures, F&I product offers, APR and add-on confirmations, Reg M lease disclosures, Cox-grade scorecards.

FTC DealerReg MReg ZState F&I

Government

Citizen-services script adherence, FedRAMP-aligned handling, CJIS criminal-justice data restrictions, IRS Pub 1075 tax-information rules.

FedRAMPCJISIRS Pub 1075State procurement

BPO / outsourcing

Multi-vertical compliance under a single roof. Client-specific scorecards layered over the vertical baselines. SOC 2 and ISO 27001 evidence flow.

SOC 2ISO 27001Client-specificMulti-vertical

Travel + Hospitality

Cardholder data at booking, ADA accessibility on guest interactions, state-specific booking and cancellation rules, EU 261 disclosures.

PCI DSSADAEU 261State booking

Education

FERPA student-record handling, COPPA for under-13 callers, Title IV admissions and financial-aid scripts, Department of Education ED gainful-employment disclosures.

FERPACOPPATitle IVED gainful-emp

How data moves through the platform.

End-to-end data flow from source to outputs. Authentication is OAuth 2.0. Temporary audio storage is on an IP-restricted Etech-owned server, encrypted at AES-256. Media is deleted upon successful ingestion. Only the redacted version reaches the MoE.

Source

Contact Center Platform

Voice, chat, email, SMS. OAuth 2.0 token via POST /auth/token.

01 / Temp store

Etech Server

IP-restricted. AES-256 at rest. No public endpoints.

02 / Ingest

NER Redaction

800-1200 ms. PCI / PHI / PII tagged. Original media deleted on ingest.

03 / Process

MoE Speech

STT, classifications, summarization, intent. Closed-source. No third-party LLM.

04 / Outputs

Scorecards + Audit

JSON to Q&A row data. Scorecards, dashboards, audit trail.

HostingAWS / Azure / GCP (soon)

EncryptionAES-256 / TLS 1.2+

AuthOAuth 2.0 / Bearer

NetworkWAF + LB + RBAC

Certification posture

The compliance posture in one page. The audit pack in the Trust Center.

Eight named certifications, each scope-stated. The Trust Center hosts the full audit documentation under NDA: SOC 2 reports, pen-test results, sub-processor lists, BAA templates, redaction methodology, encryption attestations. Everything a CISO needs to close a vendor risk review without a follow-up call.

SOC 2 Type II

Full platform. Annual third-party audit. AICPA SOC audited.

ISO 27001

Information security management. The full ISMS, not a sub-scope.

ISO 42001

First mover

AI management system. The fastest credible path to EU AI Act conformance.

PCI DSS 3.2.1

Level 1 service provider. Hosted environment third-party certified.

HIPAA

Healthcare-ready. BAA available. PHI under the same NER redaction sequence.

GDPR

EU compliant. Administrative data deletion controls and certification process.

CCPA / CPRA

California compliant. Aligned with the active US state privacy laws.

NER at ingest

800 to 1200 ms. Before any LLM processing. Original deleted on ingest.

Trust Center

SOC 2 reports, pen tests, sub-processor list, audit documentation.

Hosted at trust.etslabs.ai under NDA. Everything a CISO or compliance officer needs to close a vendor risk review.

Open the Trust Center

Six Layers of Intelligence

Compliance scoring is Layer 1. The audit-trail discipline scales to Layer 6.

The redaction architecture and audit-completeness that make Layer 1 defensible are the same architecture that makes Layer 6 (Strategic Intelligence) auditable across a human and AI workforce.

L1 / Quality + Compliance L2L3L4L5 L6 / Strategic See the full framework

Reference questions

What a compliance officer needs to know.

What happens to the original recording after redaction?

Per the contractual data flow, media is deleted upon successful ingestion before the next interaction is processed. Only the redacted transcript is retained by the MoE pipeline and the audit log. There is no recoverable source file kept after the redaction stage completes.

Does customer data reach OpenAI, Anthropic, Google, or AWS Bedrock?

No. QEval^® runs on a proprietary closed-source Mixture-of-Experts model operated by ETS Labs. No third-party foundation model is in the data path at any stage, for training or for inference. No third-party foundation model is in the data path at any stage — for training or inference — so customer data never enters an external training loop.

How does custom redaction configuration work?

Five PCI entities are required and locked. Four PII entities are recommended (on by default; opt-out per entity). Thirty-three optional PII entities and seven optional PHI entities are off by default and the customer opts in. The selections are made before deployment and confirmed with the implementation project manager.

What does the 380 ms alert latency cover?

It measures the time from the compliance MoE expert flagging a critical violation during a live interaction to the first configured channel receiving the alert. Configured channels include email, SMS, Microsoft Teams, Slack, and outbound voice call to a supervisor. Customers select any combination, and trigger rules are configurable per program.

What does the vertical compliance specialist layer actually do?

ETS Labs operates a 4,000-agent contact center across financial services, healthcare, collections, insurance, and telecom. Compliance specialists drawn from those live operating programs review flagged events and tune scoring rules against the regulations agents actually face on real calls. This runs alongside the automated scoring as an ongoing review layer, not a one-time consulting engagement.

Is automated redaction guaranteed to be 100% accurate?

No automated redaction engine is. Accuracy depends on transcription quality, which depends on audio quality, accent, speech rate, and background noise. QEval^® ships transcription optimization, calibration during deployment, and a human-in-the-loop review posture as the answer. A third-party audit at scale found no exploitable information was retained after the redaction process. Audit documentation is available in the Trust Center under NDA.

Is QEval® ready for the August 2, 2026 EU AI Act deadline?

Yes. ISO 42001 (AI management system) is held; QEval^® is among the first QA-category platforms to surface it. Customer-facing emotion recognition is not used, keeping QEval^® clear of the EU AI Act's prohibited-AI tier. The Trust Center hosts the conformance documentation under NDA.

For the risk and legal stakeholder

Score a live call against your compliance.

Bring your scorecards, your compliance rules, your vertical regulations. QEval^® scores a live call against them, ships audit documentation to your CISO, and pilots toward ROI in 120 days, contractually.

See a demo Open the Trust Center

Contractual commitments

Four numbers no peer publishes.

94%+

Accuracy SLA

Written into the master agreement

30 days

Deployment

Money-back guarantee

60 days

Exit clause

Cancel with notice, no penalty

120 days

ROI window

Documented against your KPIs, contractually