Where is customer data stored?

Primary data residency is in Johannesburg, South Africa, with an encrypted EU mirror for disaster recovery. Customers on the enterprise tier can pin data residency to a single region; recording archives are co-located with the primary region by default.

How long are call recordings retained?

Default retention is 90 days for recordings and 365 days for call-detail records. Both windows are configurable per-tenant — extend up to seven years for regulated industries or shorten to seven days for minimum-footprint deployments.

Can we export audit logs to our SIEM?

Yes. Audit logs are exportable as CSV on demand and stream in near real time via webhook or a dedicated S3 bucket. Common destinations are Splunk, Datadog, Sumo Logic and self-hosted ELK; the schema is documented and stable across releases.

What is the TKOS incident-response process?

Sev-1 incidents page the on-call tier-3 engineer in under one minute. Customer comms begin within 15 minutes of detection, a written incident report is delivered within two business days, and a root-cause analysis ships within five. Security incidents follow the same SLA with the addition of forensic preservation.

Security & compliance

Security and compliance built into the network.

TKOS runs a carrier-grade voice and messaging stack with HIPAA BAA on request, POPIA compliance overseen from Johannesburg, STIR/SHAKEN attestation on US-bound traffic, and AES-256 at rest with TLS 1.3 in transit. The controls below are the ones our healthcare and financial-services partners audit before signing.

Get A Free Trial See Pricing

Compliance pillars

The frameworks we map controls to.

Four independently audited regimes, one stack. Our healthcare clients rely on the HIPAA BAA, our SA enterprise customers anchor on POPIA, and US-bound traffic is signed against the FCC STIR/SHAKEN framework.

HIPAA-ready

Business Associate Agreement on request. Patient-data-grade voice and messaging for healthcare partners and the platforms that serve them.

BAA available

POPIA-compliant

Data minimisation, lawful basis, breach reporting and subject-access workflows mapped to South Africa's POPI Act and overseen from our Johannesburg HQ.

ICASA-licensed

STIR/SHAKEN attested

Carrier-signed full A-level attestation on US-bound traffic. Calls without proper attestation are flagged by US carriers — yours arrive verified.

Attestation A

ISO 27001 in progress

Information-security management system being formalised against ISO 27001. Controls already operate against the same Annex A baseline — certification scheduled.

In progress

Encryption

AES-256 · TLS 1.3

AT RESTIN TRANSIT

Encrypted by default, end-to-end.

Every byte that touches the TKOS network is encrypted in transit and at rest. Customers on the enterprise contact-center tier can bring their own KMS keys so the cleartext never leaves their boundary — TKOS holds the ciphertext, you hold the keys.

AES-256 at rest
Recordings, voicemails, CDRs, audit logs — every storage tier.
TLS 1.3 in transit
SIPS + SRTP for media; HTTPS with HSTS for the control plane.
Customer-managed keys
Bring-your-own KMS on enterprise tier with key rotation hooks.

Access & audit

Identity, permissions, and an immutable trail.

The same controls your security team would build internally — already wired into the platform. RBAC scopes the surface, SSO centralises identity, and every action — from a receptionist call route change to a DID re-assignment — ends up in an audit log your auditors can pull in CSV or push to your SIEM.

Layer 1

Role-based access control

Granular permissions across phone, contact-centre, billing and DID inventory. Roles inherit from groups, groups from policies, and every change is audited.

Layer 2

SSO / SAML 2.0

SAML 2.0 with Okta, Azure AD, Google Workspace and any compliant IdP. SCIM provisioning, just-in-time user creation, and enforced MFA at the IdP layer.

Layer 3

Audit trail export

Every admin action and call event lands in an append-only audit log, exportable as CSV or streamed via webhook to your SIEM for long-term retention.

Data residency

Where your data actually lives.

Johannesburg primary · EU mirror.

All customer data lands first in our Johannesburg primary region, the same site that hosts the NOC. An encrypted Europe mirror provides disaster recovery and serves cross-border partners that need an EU-resident copy on file. Enterprise customers can pin residency to a single region at contract signing.

Primary: Johannesburg, ZA
Mirror: EU (encrypted DR)
Cross-region replication
POPIA + GDPR aligned

JNB · Primary

EU · Mirror

Security FAQ

What auditors ask before they sign.

Straight answers on BAAs, residency, retention, audit log export, and incident response — the five questions every vendor review surfaces.

Yes. TKOS will sign a BAA for healthcare partners on request, covering voice, SMS, recordings and any electronic protected health information that traverses the platform. The BAA is reviewed by our compliance team and returned countersigned within two business days.

Get A Free Trial

Voice you can actually audit.

Move to the platform that signs the BAA, attests every US call, and hands you the audit log on day one — without a six-month security review.

Get A Free Trial See Pricing

HIPAA BAA on requestPOPIA-compliantSTIR/SHAKENAES-256

Encrypted by default, end-to-end.

AES-256 at rest

Recordings, voicemails, CDRs, audit logs — every storage tier.

TLS 1.3 in transit

SIPS + SRTP for media; HTTPS with HSTS for the control plane.

Customer-managed keys

Bring-your-own KMS on enterprise tier with key rotation hooks.

Security and compliance built into the network.

The frameworks we map controls to.

HIPAA-ready

POPIA-compliant

STIR/SHAKEN attested

ISO 27001 in progress

Encrypted by default, end-to-end.

Identity, permissions, and an immutable trail.

Role-based access control

SSO / SAML 2.0

Audit trail export

Where your data actually lives.

Johannesburg primary · EU mirror.

What auditors ask before they sign.

Q1.Will TKOS sign a HIPAA Business Associate Agreement?

Q2.Where is customer data stored?

Q3.How long are call recordings retained?

Q4.Can we export audit logs to our SIEM?

Q5.What is the TKOS incident-response process?

Voice you can actually audit.

Security and compliance built into the network.

The frameworks we map controls to.

HIPAA-ready

POPIA-compliant

STIR/SHAKEN attested

ISO 27001 in progress

Encrypted by default, end-to-end.

Identity, permissions, and an immutable trail.

Role-based access control

SSO / SAML 2.0

Audit trail export

Where your data actually lives.

Johannesburg primary · EU mirror.

What auditors ask before they sign.

Q1.Will TKOS sign a HIPAA Business Associate Agreement?

Q2.Where is customer data stored?

Q3.How long are call recordings retained?

Q4.Can we export audit logs to our SIEM?

Q5.What is the TKOS incident-response process?

Voice you can actually audit.